Chapter 10: XML Security


Overview

XML is being accepted as a way of transferring information between application programs and computers. The volume of data that’s being marked up in XML documents is increasing daily. Some of that data is being used to conduct everyday business. The interoperability benefits of using a format like XML are significant; the drawback is that XML makes data human-readable, even when humans shouldn’t be reading that data. In this chapter, we’ll look at the problem of how to protect the integrity and secrecy of data stored in XML documents.

You might wonder why this is an issue. After all, the existing techniques for protecting documents should work fine. If you want to protect a document, you run it through an encryption algorithm, and the document comes out encrypted. If you want to certify something about a document, then you sign the document with a digital signature. Declaring the integrity of a document is easy—compute a message digest, and someone else can use it to verify that the document hasn’t been tampered with. To satisfy more than one of these goals at once, we know how to combine these techniques. What does XML bring to the table that requires a new solution?

The answer is that you may not want to sign or encrypt the entire document. You may only want to sign or encrypt an element or a few elements. Perhaps an XML document represents a bunch of information, but you only care about or want to be responsible for part of that information. Think of a document that represents a complex agreement among multiple parties. Each party may want to sign only the part of the document they're responsible for. Likewise, some of the terms of the agreement may be between only two parties, but the entire agreement stands or falls together. In this situation, some of these terms may be a secret between the two parties, and they would like to keep those terms secret. You can implement this requirement by allowing that section of the document to be encrypted so only the relevant parties can decrypt it. Many applications of XML involve workflows (this is true of Web services as well), which have these kinds of requirements.

Technically, the solution rests with a pair of specifications from the World Wide Web Consortium (W3C): the XML Signature Syntax and Processing Recommendation and the XML Encryption Syntax and Processing Recommendation. The XML Signature Recommendation describes how to use digital signatures and hashing/message digesting to digitally sign entire XML documents and portions of XML documents. The XML Encryption Recommendation does the same for symmetric key encryption, describing how to encrypt part or all of an XML document. The XML Signature Recommendation uses the Canonical XML and Exclusive XML Canonicalization Recommendations.
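The following added example (not from the book or the Apache XML Security project) shows why signing a portion of a document depends on canonicalization: it digests one party's element so that edits elsewhere and harmless reserialization leave the digest unchanged, while a change to the element itself does not. It assumes Python's standard-library C14N 2.0 canonicalizer in place of the Canonical XML and Exclusive XML Canonicalization forms named above, and the document, element names and `id` scheme are constructed; it covers only the digest step, not the signature over it.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: each party answers only for its own <terms> element.
AGREEMENT = (
    '<agreement>\n'
    '  <terms id="party-a" owner="A"><price currency="USD">100</price></terms>\n'
    '  <terms id="party-b" owner="B"><delivery days="30"/></terms>\n'
    '</agreement>'
)


def element_digest(xml_text, element_id):
    """Return the SHA-256 hex digest of one element's canonical form."""
    root = ET.fromstring(xml_text)
    matches = [e for e in root.iter() if e.get("id") == element_id]
    if len(matches) != 1:
        # A missing or duplicated id makes the reference ambiguous: refuse it.
        raise ValueError(f"id {element_id!r} matched {len(matches)} elements")
    target = matches[0]
    target.tail = None  # whitespace after the element is not part of it
    fragment = ET.tostring(target, encoding="unicode")
    canonical = ET.canonicalize(fragment)  # C14N 2.0 (assumption, see lead-in)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare_variants():
    """Digest party A's terms in four versions of the document."""
    a_tag = '<terms id="party-a" owner="A">'
    variants = {
        "baseline": AGREEMENT,
        # Party B edits its own terms.
        "other_party_edit": AGREEMENT.replace('days="30"', 'days="45"'),
        # Same data for A, different attribute order, quoting and spacing.
        "reserialized": AGREEMENT.replace(a_tag, "<terms  owner='A'  id='party-a' >"),
        # A's price is altered.
        "tampered": AGREEMENT.replace(">100<", ">1<"),
    }
    return {name: element_digest(doc, "party-a") for name, doc in variants.items()}


if __name__ == "__main__":
    for name, digest in compare_variants().items():
        print(f"{name:17} {digest}")
```
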

XML Security is the xml.apache.org project that’s implementing these four recommendations. The project was started in September 2001 when the XML Security project at the University of Siegen in Germany donated a code base that implemented the Canonicalization and part of the XML Signature Recommendations. Since then, the project has completed implementation of the required portions of the XML Signature Recommendation and has begun implementation of the XML Encryption Recommendation. There has been some cooperation with the Apache Axis project, in particular a set of Axis handlers that can be used to digitally sign SOAP messages. These handlers use the older SOAP Signature specification, which has been superseded by the WS-Security specifications. The Web services project is interested in building a complete WS-Security implementation.




Professional XML Development with Apache Tools: Xerces, Xalan, FOP, Cocoon, Axis, Xindice (Wrox Professional Guides)
ISBN: 0764543555
EAN: 2147483647
Year: 2003
Pages: 95
