xml encryption and signing

Posted on 2003-02-27
Medium Priority
Last Modified: 2010-04-11
I need to do a encryption and signing of a xml payload, using x509 certificates. This xml payload would contain only the user's DN or userID which would be retrieved from a http response header, and the time to live and timestamp. Everything should happen in the client side.
could anyone please help me out in how to create the xml payload document, and how to get the certificate from the user's certificate store to sign and encrypt the document.
A little bit of code snippet would be really helpful, and the procedure that needs to be followed to create the DTD and link the DTD to the xml document.

expecting a quick reply from you experts.

Question by:vik_jav
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 8042156
I'm a bit confused about what you're hoping to do.  I have a few questions for you:

(1) You mention the user's DN or userID (or both?) is retrieved from the HTTP header in the response.  Can you give an example of how that information will be displayed in the header?  Are you using the HTTP Pragma field?  Is that a typo, and you actually intend to send the information in the XML payload?
(2) You mention that everything should happen on the client side.  Are you hoping to implement a digital-signature solution that requires no server involvement?
(3) Are you signing messages originating at the server, the client, or both?
(4) Do you intend to sign the document with the sender's private key, or the recipient's public key?  You should be signing with the private key, but your comment about signing a document with the key from a certificate indicates you intend to use public keys for signing.

I look forward to helping you once I have a better understanding of your goals.

-Jason Deckard

Author Comment

ID: 8042609
as per your question, there would be a web page where the user DN information would be retrieved from the http response header, as that web page would be a redirect from another web page. SO i guess using http pragma might be the only option.
Also, our main goal is to create the XML payload and sign & encrypt it. To do so, we are planning to have a directory, where all the public key would be stored, and once the payload is created, we need to encrypt using the public key from the store,based on some userID that would be matching with the public key file(ex. user20.cer) and sign with the server private key.

Accepted Solution

Jason_Deckard earned 120 total points
ID: 8043597
If you already have a way of passing the Distinguished Name via the HTTP header, then go for it.  Otherwise, you may find that your web server does not support your intended use of Pragma.  Of course, if you are writing both the server and client, you can make this work.

Encrypting with the public key ensures that only the recipient can read the message, and signing with the sender's private key ensures data integrity.  The problem is that the encrypted result of the authentication information (and the derived signature) is the same everytime.  This means an attacker does not need to know your login information; he just needs to capture and replay it.  You can avoid this situation by implementing SSL or TLS in the connection between the client and server.

If you implement SSL/TLS, you can forgo encrypting and signing the login information prior to sending it over the SSL/TLS session.

Also, what programming language where you hoping to get code examples in?

Jason Deckard
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.


Author Comment

ID: 8043653
Thanks once again. We have not yet started the development. Just at the process of getting everything thrashed out. We are planning to use JSP's for the client, and probably java servlets to do the XML encryption and signing. However i am not sure if we can use ASP/IIS as we are using iplanet web server only. Also, the SSL connection is planned to be used between client and web server.
The idea behind this encryption model is because, we are going to route out the encrypted user identification out of our domain.

Thanks and Regards,
LVL 14

Assisted Solution

chris_calabrese earned 120 total points
ID: 8043684

Is this for a web service (sounds like it)?
And does the XML document need to be protected/signed only during transmission, or for later storage/verification/whatever?

If it only needs protection during transmission, then Jason_Deckard is absolutely correct that you need only tunnel the connection in SSL/TLS.

Otherwise, you should look at the w3c standards for XML encryption and signing, XML_Encryption and XML_Signature.

The their web pages at http://www.w3.org/Encryption/ and http://www.w3.org/Signature/ contain information on these technologies, including pointers to toolkits that implement them.

These are also the basis for the user-verification features of SAML and Liberty Alliance.

Author Comment

ID: 8043756
Thanks for your reply. We are planning to use java, as because our web server is running iplanet. however is there a possibility to use iplanet/ASP?
the client-server connectivity is to be SSL enabled, but we do need to do the encryption as we are planning to move the encrypted xml document out to another domain.

Thanks and Regards,


Expert Comment

ID: 8043838

As long as you are taking reasonable steps to prevent an attacker from getting the encrypted XML document, you should be fine.  However, keep in mind that once "the cat is out of the bag", you are open to replay attacks.  If you suspect one of your XML authentication messages has been compromised, change the password for the account.  On a side note, you should change account passwords on a regular basis regardless of replay attack concerns.

Chris Calabrese's information is, as usual, right on target.  Check W3C's recommendations/specifications for constructing your encrypted and signed XML document.

If you have specific questions about your Java implementation, you should post them in the Java Programming area.  I am happy to answer these questions, but posting the question in the Java Programming TA will cause your question to be reviewed by many more Java experts than posting it in the Security TA.

If you cannot send the DN in the HTTP header, send it in the HTTP body (perhaps in an XML message).

Best of luck,
Jason Deckard

Expert Comment

ID: 9954264
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:

EE Page Editor

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question