Article Excerpt

XML is an accepted standard for transferring ASCII data over the Internet. Secure Sockets Layer (SSL) allows the secure transfer of documents by encrypting communication between two parties. Client certificates like X.509 certificates allow a sender's identity to be verified, i.e., when a sender initiates communication with a receiver, he or she sends a certificate that authenticates his or her identity. The sender encrypts the communication using SSL, and only the data recipient can decrypt the communication.
The W3C developed the XML Signatures specification to allow use of XML to authenticate an object and ensure its integrity. The XML signature conveniently encapsulates all the metadata associated with an object's signature. An XML signature contains a digest value generated from an object and a signature value generated from the digest value. Optionally, a signature can also contain information about the key used to sign the digest value. Because an XML signature is an XML document, you can save the signature as a simple ASCII text document. Later, when you need to use the object, you can authenticate it and ensure its integrity using the saved signature. If someone modifies the object between the time the sender signs it and the time you use it, the digest value in the signature will be incorrect and signature validation will fail. XML signatures do not replace SSL and client certificates (secure communication remains important); they build upon these technologies by allowing you to authenticate and ensure the integrity of the XML document being sent, not just the communication sending the XML.
XML signatures use Public Key Cryptography to sign objects. Public Key Cryptography is a concept in which you generate a private and a public key, which are initialization parameters to an algorithm that encrypts data. The private key encrypts data and the public key decrypts data. Keys are also useful for authenticating the sender and verifying the integrity of data encrypted with a private key. XML signatures use this ability to digitally sign XML documents.
XML Digital Signatures
Consider the XML signature shown in Listing 1. The outermost tag is the Signature tag. Signature's first child is the SignedInfo tag, shown in Listing 2.
LISTING 1 * Signed XML document example
kD4OdqaLdEE7p6EEM0TPEMZEwOk=
UPV5eNf0XNsvmw6Lb6ejyc/BGkiMeU6X1ShJIBiH- WnYMdpr+AACTKaZ33SS eWGn2PlhL4gcILOFA5+fXsqHIC+TcyfXbEHj//ftH3f7J+DzfhBKEwDyT07B 4ssHTSDd4jwheG/Kj8Gg94KmTuhmuCTMPZLvzYI8x2mplLgqtNuI=
33 1234 3141.59 2002-08-11 12341234 159 1999-08-13

LISTING 2 * SignedInfo tag
kD4OdqaLdEE7p6EEM0TPEMZEwOk=
SignedInfo contains the information to be signed in the DigestValue tag. The DigestMethod calculates the DigestValue from the original object (in Listing 1, StudentDefaults). If the underlying object is modified without recalculating the digest value, the signed object's signature is no...
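The digest check described above, as an added example that is not code from the article: it builds a SignedInfo element for a constructed object, then recomputes and compares the digest on the recipient side. It assumes the standard library's C14N 2.0 canonicalization and a constructed sample object; the function names are hypothetical, and computing the signature value over SignedInfo with a private key is not shown.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Digest algorithm URIs this verifier accepts; anything else is rejected.
DIGESTS = {
    DS + "sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}

def digest_b64(obj_xml, algorithm):
    """Base64 digest of the canonical form of obj_xml."""
    if algorithm not in DIGESTS:
        raise ValueError("unsupported digest algorithm: " + algorithm)
    # Assumption: C14N 2.0 (what the standard library offers) stands in for
    # whichever canonicalization the signer declared.
    canonical = ET.canonicalize(obj_xml).encode("utf-8")
    return base64.b64encode(DIGESTS[algorithm](canonical).digest()).decode("ascii")

def build_signed_info(obj_xml, algorithm="http://www.w3.org/2001/04/xmlenc#sha256"):
    """Signer side: wrap the object's digest in a SignedInfo element."""
    signed_info = ET.Element("{%s}SignedInfo" % DS)
    reference = ET.SubElement(signed_info, "{%s}Reference" % DS)
    ET.SubElement(reference, "{%s}DigestMethod" % DS, Algorithm=algorithm)
    ET.SubElement(reference, "{%s}DigestValue" % DS).text = digest_b64(obj_xml, algorithm)
    return ET.tostring(signed_info, encoding="unicode")

def reference_is_valid(signed_info_xml, obj_xml):
    """Recipient side: recompute the digest and compare it with DigestValue."""
    reference = ET.fromstring(signed_info_xml).find("{%s}Reference" % DS)
    algorithm = reference.find("{%s}DigestMethod" % DS).get("Algorithm")
    stored = reference.find("{%s}DigestValue" % DS).text.strip()
    computed = digest_b64(obj_xml, algorithm)
    return hmac.compare_digest(stored.encode("ascii"), computed.encode("ascii"))

# Constructed sample objects (not the article's Listing 1).
ORIGINAL = '<Account id="1234"><Balance>3141.59</Balance></Account>'
SAME_CONTENT = "<Account id='1234'><Balance>3141.59</Balance></Account>"
TAMPERED = '<Account id="1234"><Balance>9141.59</Balance></Account>'

if __name__ == "__main__":
    signed_info = build_signed_info(ORIGINAL)
    for label, obj in [("original", ORIGINAL), ("requoted", SAME_CONTENT),
                       ("tampered", TAMPERED)]:
        print(label, reference_is_valid(signed_info, obj))
```

The digest alone only detects a mismatch between the object and SignedInfo; a verifier must also validate the signature value over SignedInfo, otherwise whoever alters the object can simply recompute the digest.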