OASIS Mailing List Archives

Re: [xml-dev] md5sum / sha1sum for XML?

https lets you send the data within a stream of packets of encrypted data.
The signature gives you confidence that an unencrypted packet of data hasn't been altered.
To take a document and encrypt it, so it is unreadable without decrypting, you could use encryption software such as GNU Privacy Guard or an API's crypt function.
For instance, PHP has crypt(). Note that PHP's crypt() won't do c14n for you, you'd have to do that yourself first.

Dave Pawson wrote:
On Fri, 2006-07-14 at 00:17 -0400, Richard Salz wrote:
If you're sending XML from one place to another and it may be 'touched' by one or more XML processors, then you can't use md5sum,
I'm getting there Rich :-)

In order to deal with this, you should canonicalize the XML and then hash that bytestream; this will give an identical digest value, even in the face of those changes. For the hashing, use SHA1. For the canonicalization use exclusive c14n, as it is more robust when your XML is transported inside other XML (e.g., it becomes the body of a SOAP message).

You don't mention any tools?
http://xml.apache.org/security/index.html seems to be what Sun refer to from their tutorial?

If you are always generating the XML, you might be able to make some simplifying assumptions and come up with a simpler c14n mechanism; I strongly suggest you avoid the temptation to do that. If, in fact, you use exc-c14n/sha1, you can probably leverage a large pool of bundled and/or open source code, because those mechanisms are used in WS-Security for generating a digital signature of a SOAP message; in essence you are generating a <dsig:Reference> element of a standard XML digital signature, as defined by W3C/IETF.

Makes me chuckle. W3C define it. Apache is the reference implementation! Is that the way it should be?

The second question, is how do you "protect" the digest value? Are you concerned about tampering along the way? How do you currently protect your md5sum values? It may be enough to generate the XML digest and send/store it the same way you do your md5sum value. Or you might need to go whole hog and use an XML signature.

And I thought I was cynical! From the little reading I've done so far xml sig uses public private key pairs which address your latter point?

The sketch seems to be coming out as:
  produce the ExclC14N ( my case would be ignore ns's).
  Add the xml-sig 'bit' to the xml file.

Now where's the bit that lets me avoid https,
i.e. just encrypt the lot at the application layer without having
to mess with changing layers, and ship it over http.
Is it there somewhere Rich?
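
The canonicalize-then-hash step discussed in this thread, as an added example that is not code from any of the posters. It uses Python's standard-library `xml.etree.ElementTree.canonicalize`, which implements C14N 2.0 rather than the exclusive c14n recommended above, and all sample documents are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples: one logical document as three different byte streams.
DOC_A = (b'<?xml version="1.0"?>\n'
         b'<order id="42" currency="EUR"><item sku="a1"/>'
         b'<note>ship &amp; bill</note></order>')
# Same content after a round trip through another XML processor:
# attribute order, quoting, empty-element form and entity spelling differ.
DOC_B = (b"<order currency='EUR'   id='42'><item sku='a1'></item>"
         b"<note>ship &#38; bill</note></order>\n")
# Same content, pretty-printed (adds whitespace-only text nodes).
DOC_PRETTY = (b'<order id="42" currency="EUR">\n  <item sku="a1"/>\n'
              b'  <note>ship &amp; bill</note>\n</order>')
# Constructed tampered copy: one attribute value changed.
DOC_TAMPERED = DOC_A.replace(b'id="42"', b'id="43"')


def raw_digest(xml_bytes, algorithm="sha1"):
    """md5sum/sha1sum style: hash the bytes exactly as received."""
    return hashlib.new(algorithm, xml_bytes).hexdigest()


def canonical_digest(xml_bytes, algorithm="sha1", strip_text=False):
    """Canonicalize first, then hash the canonical UTF-8 byte stream.

    sha1 is the thread's choice; pass "sha256" for new designs.
    strip_text=True drops leading/trailing whitespace in text nodes, so
    indentation no longer affects the digest (both sides must agree on it).
    """
    canonical = ET.canonicalize(xml_data=xml_bytes, strip_text=strip_text)
    return hashlib.new(algorithm, canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for name, doc in [("A", DOC_A), ("B", DOC_B), ("pretty", DOC_PRETTY),
                      ("tampered", DOC_TAMPERED)]:
        print(f"{name:9} raw={raw_digest(doc)[:12]} "
              f"c14n={canonical_digest(doc)[:12]} "
              f"c14n+strip={canonical_digest(doc, strip_text=True)[:12]}")
```

Canonicalization does not ignore inter-element whitespace by default, so a pretty-printing hop still changes the digest unless both ends apply the same whitespace rule.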


Copyright 2006 XML.org. This site is hosted by OASIS