eXtensible Markup Language

Published: November 30, 2015

Introduction

XML stands for eXtensible Markup Language, which is used in web services, web servers, web development, documentation, database documentation, message transactions and so on. XML is a markup language much like HTML. It was designed to carry and store data; the data can be information or the rules by which a system runs. An XML document is defined by elements and attributes. Authors define their own tags for these elements; the tags are not predefined. XML is designed to be self-descriptive. The question now is what an XML Signature is and where it is used.

What is XML Signature?

XML Signature defines an XML syntax for digital signatures. A digital signature assures anyone reading the data that the signer is indeed who he or she claims to be. A digital signature provides what cryptographers call "authentication." It also ensures that the content of the data is exactly the same as what the signer signed (that is, nothing has been added or removed). In the world of cryptography, this is known as "integrity."

XML signatures can be used to sign data–a resource–of any type, typically XML documents, but anything that is accessible via a URL can be signed. An XML signature used to sign a resource outside its containing XML document is called a detached signature; if it is used to sign some part of its containing document, it is called an enveloped signature; if it contains the signed data within itself it is called an enveloping signature.

How is a digital signature generated?

A digital signature is generated in two steps. In the first step, the data of the XML document is run through a hashing algorithm. The hashing algorithm scans through the data and generates a number from it, typically called a “digest”. The second step is to encrypt the digest using the private key of the signer. When the recipient needs to verify it on the other side of the wire, the recipient simply recalculates the document's digest and compares it with the digest obtained by decrypting the encrypted digest with the signer's public key. That way, the recipient can ensure the document has not changed, not even slightly.

The Java XML Digital Signature API

XML digital signatures will enable a sender to cryptographically sign data, and the signatures can then be used as authentication credentials or a way to check data integrity.

An XML Signature takes one of three forms. Assuming that the XML signature is contained in a <Signature> element, the only difference between the three forms is where the <Signature> element is located with respect to the document data. The three forms are:

Detached. A detached signature is over data that is external to the signature element. That is:

<Signature>
</Signature>
<DocumentData>
</DocumentData>

Enveloping. An enveloping signature is a signature over data that is inside the signature element.

<Signature>
  <DocumentData>
  </DocumentData>
</Signature>

Enveloped. An enveloped signature is a signature that is contained inside the data that it is signing.

<DocumentData>
  <Signature>
  </Signature>
</DocumentData>

An XML Signature consists of a Signature element in the http://www.w3.org/2000/09/xmldsig# namespace. The basic structure is as follows:

<Signature>
  <SignedInfo>
    <SignatureMethod />
    <CanonicalizationMethod />
    <Reference>
      <Transforms />
      <DigestMethod />
      <DigestValue />
    </Reference>
    <Reference /> etc.
  </SignedInfo>
  <SignatureValue />
  <KeyInfo />
  <Object />
</Signature>

How does the XML Signature application work?

This application consists of three operations: GenerateKeyPair, CreateXMLSignature and VerifyXMLSignature. The signer needs to generate a key pair in order to create and validate an XML signature.

GenerateKeyPair:

The key pair is generated using public-key cryptography. It yields two keys: a public key and a private key. This system uses DSA (Digital Signature Algorithm) to generate the key pair. The signer uses the private key to encrypt the digest of the data, producing the digital signature, and appends the public key to the original XML document. The public key is stored in the third element, <KeyInfo>.

CreateXMLSignature:

In order to generate an XML signature, the digest of the canonicalized target elements identified by references is computed. The type of canonicalization performed on the target element or fragment is based on the transform algorithm and digest method (SHA – Secure Hashing Algorithm) defined under the respective Reference elements. The target elements identified by references are converted to a node set, and this node set is given as input to the canonicalizer.

The SignedInfo has the computed DigestValue. The canonicalized data of the SignedInfo element is digested, and the digest value is encrypted using the sender's private key.

VerifyXMLSignature:

XML signature validation takes place in two steps. The first step is to verify the digest of each of the references. The second is to verify the cryptographic signature over the SignedInfo element. The whole procedure is as follows:

The data identified by the Reference elements is canonicalized and then digested.

The digest value is compared against the digest value present under the Reference element. This helps to ensure that the target elements were not tampered with.

The digest value of the canonicalized SignedInfo is calculated.

The resulting bytes are verified against the signature over the SignedInfo element, using the sender's public key.

If both the signature over the SignedInfo element and each of the Reference digest values verify correctly, then the XML signature is valid; otherwise it is invalid.
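The three operations described above (GenerateKeyPair, CreateXMLSignature, VerifyXMLSignature), as an added example written against the JDK's javax.xml.crypto.dsig API; it is not the essay's own application code. The class name XmlSigDemo and the purchaseOrder input are constructed for illustration, and a current JDK is assumed. It uses SHA-256 and DSA-SHA256 rather than SHA-1, which is deprecated and rejected for XML signatures by recent JDKs under their default secure-validation policy, and it verifies against a public key the verifier already trusts instead of the one carried in KeyInfo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class XmlSigDemo { // hypothetical class name
    // Constructed sample input modelled on the essay's billTo fragment.
    static final String PO = "<purchaseOrder><billTo><name>Robert Smith</name>"
        + "<city>Cambridge</city></billTo></purchaseOrder>";
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA"); // GenerateKeyPair
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature processing needs namespaces
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(PO.getBytes(StandardCharsets.UTF_8)));
        // CreateXMLSignature: enveloped form; Reference URI="" covers the whole document.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2009/xmldsig11#dsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki)
            .sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        System.out.println("as signed: " + verify(doc, kp.getPublic()));
        // Same edit as the essay's test: change the billTo name after signing.
        doc.getElementsByTagName("name").item(0).setTextContent("Kazi Masum Siddique");
        System.out.println("tampered:  " + verify(doc, kp.getPublic()));
    }
    // VerifyXMLSignature: checks each Reference digest and the SignatureValue with a trusted key.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(trusted, sig);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```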

Result

This XML Signature application has three operations. These are:

Generate Key Pair

Create XML Signature

Verify XML Signature

It also has other options, such as viewing the public and private keys, and viewing the signed public key, which comes from the signed XML file when the recipient verifies the document, so that the recipient can compare the original public key with the signed public key.

Screen prints of the test runs:

The signature looks like this:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>SDz3nglbGaZ0X5kRt59jK7VgIc4=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>IowWw+zW11jGPJPljiomERQ+f+cExX3XbkzMGOfDcKIihS9SXqcErA==</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9xD7nN1kuFw==</P>
        <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
        <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==</G>
        <Y>6HHyEeGHgQZ3vFjLgSao8Q/nY659e6bpZOxRj1zNEfhTNEVVFy1K44/t77zBW/0bvMwwnEs6siTl6stwVNAq9g==</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

Fig: Selecting a valid signed XML file (Singedpo.xml) to verify its XML Signature

Fig: The signed XML file has been selected

Fig: The signed XML file's signature successfully verified (which means nothing has been added or removed)

Fig: Viewing the signed public key, which matches the original public key

Now, if we add or remove any element or value in the signed XML document, XML Signature verification will fail. Let’s say we change the name in billTo in the signed XML document.

Before changing:

<billTo>
  <name>Robert Smith</name>
  <street>8 Oak Avenue</street>
  <city>Cambridge</city>
  <state>MA</state>
  <zip>12345</zip>
</billTo>

After changing:

<billTo>
  <name>Kazi Masum Siddique</name>
  <street>8 Oak Avenue</street>
  <city>Cambridge</city>
  <state>MA</state>
  <zip>12345</zip>
</billTo>

If we then verify the signed XML document again, we get this:

Fig: XML Signature verification failed (because it is not the valid document that the signer sent)

Conclusion

XML Signature meets the security requirements of data integrity, non-repudiation, and endpoint authentication. The Java XML digital signature implementation provides the infrastructure to meet these security requirements. XML Signature is therefore very important for web-based business applications as well as others.