xml encryption and signing

Posted on 2003-02-27
Medium Priority
Last Modified: 2010-04-11
I need to do a encryption and signing of a xml payload, using x509 certificates. This xml payload would contain only the user's DN or userID which would be retrieved from a http response header, and the time to live and timestamp. Everything should happen in the client side.
could anyone please help me out in how to create the xml payload document, and how to get the certificate from the user's certificate store to sign and encrypt the document.
A little bit of code snippet would be really helpful, and the procedure that needs to be followed to create the DTD and link the DTD to the xml document.

expecting a quick reply from you experts.

Question by:vik_jav

Expert Comment

ID: 8042156
I'm a bit confused about what you're hoping to do.  I have a few questions for you:

(1) You mention the user's DN or userID (or both?) is retrieved from the HTTP header in the response.  Can you give an example of how that information will be displayed in the header?  Are you using the HTTP Pragma field?  Is that a typo, and you actually intend to send the information in the XML payload?
(2) You mention that everything should happen on the client side.  Are you hoping to implement a digital-signature solution that requires no server involvement?
(3) Are you signing messages originating at the server, the client, or both?
(4) Do you intend to sign the document with the sender's private key, or the recipient's public key?  You should be signing with the private key, but your comment about signing a document with the key from a certificate indicates you intend to use public keys for signing.

I look forward to helping you once I have a better understanding of your goals.

-Jason Deckard

Author Comment

ID: 8042609
as per your question, there would be a web page where the user DN information would be retrieved from the http response header, as that web page would be a redirect from another web page. SO i guess using http pragma might be the only option.
Also, our main goal is to create the XML payload and sign & encrypt it. To do so, we are planning to have a directory, where all the public key would be stored, and once the payload is created, we need to encrypt using the public key from the store,based on some userID that would be matching with the public key file(ex. user20.cer) and sign with the server private key.

Accepted Solution

Jason_Deckard earned 120 total points
ID: 8043597
If you already have a way of passing the Distinguished Name via the HTTP header, then go for it.  Otherwise, you may find that your web server does not support your intended use of Pragma.  Of course, if you are writing both the server and client, you can make this work.

Encrypting with the public key ensures that only the recipient can read the message, and signing with the sender's private key ensures data integrity.  The problem is that the encrypted result of the authentication information (and the derived signature) is the same everytime.  This means an attacker does not need to know your login information; he just needs to capture and replay it.  You can avoid this situation by implementing SSL or TLS in the connection between the client and server.

If you implement SSL/TLS, you can forgo encrypting and signing the login information prior to sending it over the SSL/TLS session.

Also, what programming language where you hoping to get code examples in?

Jason Deckard
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.


Author Comment

ID: 8043653
Thanks once again. We have not yet started the development. Just at the process of getting everything thrashed out. We are planning to use JSP's for the client, and probably java servlets to do the XML encryption and signing. However i am not sure if we can use ASP/IIS as we are using iplanet web server only. Also, the SSL connection is planned to be used between client and web server.
The idea behind this encryption model is because, we are going to route out the encrypted user identification out of our domain.

Thanks and Regards,
LVL 14

Assisted Solution

chris_calabrese earned 120 total points
ID: 8043684

Is this for a web service (sounds like it)?
And does the XML document need to be protected/signed only during transmission, or for later storage/verification/whatever?

If it only needs protection during transmission, then Jason_Deckard is absolutely correct that you need only tunnel the connection in SSL/TLS.

Otherwise, you should look at the w3c standards for XML encryption and signing, XML_Encryption and XML_Signature.

The their web pages at http://www.w3.org/Encryption/ and http://www.w3.org/Signature/ contain information on these technologies, including pointers to toolkits that implement them.

These are also the basis for the user-verification features of SAML and Liberty Alliance.

Author Comment

ID: 8043756
Thanks for your reply. We are planning to use java, as because our web server is running iplanet. however is there a possibility to use iplanet/ASP?
the client-server connectivity is to be SSL enabled, but we do need to do the encryption as we are planning to move the encrypted xml document out to another domain.

Thanks and Regards,


Expert Comment

ID: 8043838

As long as you are taking reasonable steps to prevent an attacker from getting the encrypted XML document, you should be fine.  However, keep in mind that once "the cat is out of the bag", you are open to replay attacks.  If you suspect one of your XML authentication messages has been compromised, change the password for the account.  On a side note, you should change account passwords on a regular basis regardless of replay attack concerns.

Chris Calabrese's information is, as usual, right on target.  Check W3C's recommendations/specifications for constructing your encrypted and signed XML document.

If you have specific questions about your Java implementation, you should post them in the Java Programming area.  I am happy to answer these questions, but posting the question in the Java Programming TA will cause your question to be reviewed by many more Java experts than posting it in the Security TA.

If you cannot send the DN in the HTTP header, send it in the HTTP body (perhaps in an XML message).

Best of luck,
Jason Deckard

Expert Comment

ID: 9954264
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:

EE Page Editor

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question