XML Security Using XSLT


Post on 13-Sep-2014


DESCRIPTION

XML is expected to facilitate Internet B2B messaging because of its simplicity and flexibility. One big concern that customers may have with Internet B2B messaging is security. It is therefore of interest to consider XML security features such as element-wise encryption, access control and digital signatures, which are beyond the capability of transport-level security protocols such as SSL. We describe element-wise encryption of XML documents by performing cryptographic transformations on them. XSLT (Extensible Stylesheet Language Transformations) may well have sufficient functionality to perform all reasonable cryptographic transformations. In this paper we implement the element-wise encryption operation on the document using XSLT. XSLT extension functions are used to extend XSLT with encryption and decryption functions.

TRANSCRIPT

Page 1: XML Security Using XSLT
Page 2: XML Security Using XSLT

Table of Contents

• Introduction
• XML (eXtensible Markup Language)
• XML Security
• Element wise Encryption
• Access Control Model
• XSLT (eXtensible Stylesheet Language Transformations)
• XML Security using XSLT
• Conclusion
• References

Page 3: XML Security Using XSLT

Introduction

• XML (eXtensible Markup Language) - the “love child” of W3C (World Wide Web Consortium)
• XML - Mainly used for B2B messaging
• Biggest concern for customer is security

Page 4: XML Security Using XSLT

Introduction (contd.)

• XML inherits transport layer security such as SSL as used in HTML for basic security
• Some security features of XML are beyond transport layer security
• This project addresses the specific security features of XML by
  • Describing an access control model &
  • Performing cryptographic transformations on it

Page 5: XML Security Using XSLT

Introduction (contd.)

• XSLT (eXtensible Stylesheet Language Transformations)
• XSLT may well have sufficient functionality to perform all reasonable cryptographic transformations.
• We extend the XSLT Processor to provide encryption and decryption functions
• We also implement a real world application in PHP, utilizing the cryptographic functions in the XSLT processor

Page 6: XML Security Using XSLT

XML

• XML is an open standard for cross application communication
• XML allows users to structure and label information separately from the presentation of that information.
• An XML document must adhere to particular syntax and semantics as outlined in the XML Specification by W3C

Page 7: XML Security Using XSLT

XML (contd.)

• XML is generally parsed or manipulated using Document Object Model (DOM)
• DOM allows navigation of an XML document as if it were a tree with node objects as branches

<payment type="card">
  <issuer> Card Company A </issuer>
  <cardinfo>
    <name> ADAM ISHMAEL </name>
    <expiration> 04/2010 </expiration>
    <number> 5283 8304 6232 0010 </number>
  </cardinfo>
</payment>

Page 8: XML Security Using XSLT

XML Security

• XML uses existing Transport Layer Security (TLS) mechanism such as SSL for basic end to end communication security
• TLS prevents eavesdropping, tampering, and message forgery between a client and server
• TLS doesn’t address some specific XML Security features such as:
  • Element Wise Encryption
  • Digital Signature and
  • Access Control

Page 9: XML Security Using XSLT

Element Wise Encryption

• Element-wise encryption allows the user to select the data fields to be encrypted
• Therefore, the remaining nonconfidential data fields will be readable.
• Instead of encrypting an entire document, it is enough to encrypt only the part of it which should be confidential.

Page 10: XML Security Using XSLT

Element Wise Encryption (contd.)

• An Example:

<payment type="card">
  <issuer>Card Company A</issuer>
  <cardinfo>
    <name> ADAM ISHMAEL </name>
    <expiration> 04/2010 </expiration>
    <number> 5283 8304 6232 0010 </number>
  </cardinfo>
</payment>

• Card Info Encrypted

<payment type="card">
  <issuer>Card Company A</issuer>
  <EncryptedElement contentType="text/plain" algorithm="DES" encoding="base64">
    PHJvdz4KICAglCAgPGNvbCBwYWNrZWQ9lmJhc2U2NCl+
  </EncryptedElement>
</payment>

Page 11: XML Security Using XSLT

XML Access Control Model

• Providing the right people with the right access to information is as important as having the information in the first place
• XML Access Control is performed by providing XML documents with a sophisticated access control model by applying appropriate encryption / decryption transformation

Page 12: XML Security Using XSLT

XML Access Control Model

Page 13: XML Security Using XSLT

XSLT

• XSLT (eXtensible Stylesheet Language Transformations) is a W3C specification for a document manipulation language capable of restructuring documents and performing computations on their elements.

Page 14: XML Security Using XSLT

XML Security using XSLT

• If we regard encryption/decryption as just another XML document transformation operation, then it is apparent that the advantages XSLT
• We propose a model to implement the various XML security features using XSLT thus making it possible for a standard XSLT processor to provide XML security functions.
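
The model on this slide, encryption and decryption as ordinary XSLT transformations backed by processor extension functions, looks like this in PHP when applied to the payment document from the earlier slide. This is an added example, not the presenters' code: the helper names (encryptNodes, decryptToNode, transform), the in-memory key and the contentType value are assumptions, and AES-256-GCM is substituted for the DES named in the slide's EncryptedElement because DES is obsolete.

```php
<?php
// Added example, not the presenters' code. Helper names and key handling are assumptions.
$key = random_bytes(32); // constructed demo key; load from a key store in practice

function encryptNodes(array $nodes): string {              // called from XSLT with a node-set
    $plain = $nodes[0]->ownerDocument->saveXML($nodes[0]); // serialize the matched subtree
    $iv = random_bytes(12);                                // fresh nonce for every element
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $GLOBALS['key'], OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);                // nonce(12) | tag(16) | ciphertext
}

function decryptToNode(string $b64): DOMNode {
    $raw = (string) base64_decode(trim($b64), true);
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $GLOBALS['key'],
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) throw new RuntimeException('EncryptedElement failed authentication');
    $doc = new DOMDocument();
    $doc->loadXML($plain, LIBXML_NONET);                   // no network fetches while parsing
    return $doc->documentElement;                          // handed back to XSLT as a node-set
}

// Identity transform plus one override template; only $fn is callable from the stylesheet.
function transform(string $match, string $body, string $fn, DOMDocument $in): DOMDocument {
    $xsl = new DOMDocument();
    $xsl->loadXML(<<<XSL
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:php="http://php.net/xsl" exclude-result-prefixes="php">
  <xsl:template match="@*|node()">
    <xsl:copy><xsl:apply-templates select="@*|node()"/></xsl:copy>
  </xsl:template>
  <xsl:template match="$match">$body</xsl:template>
</xsl:stylesheet>
XSL
    );
    $proc = new XSLTProcessor();
    $proc->registerPHPFunctions([$fn]);                    // allow-list, never the bare call
    $proc->importStylesheet($xsl);
    return $proc->transformToDoc($in);
}

$in = new DOMDocument();                                   // constructed sample from the slides
$in->loadXML('<payment type="card"><issuer>Card Company A</issuer><cardinfo>'
    . '<name>ADAM ISHMAEL</name><expiration>04/2010</expiration>'
    . '<number>5283 8304 6232 0010</number></cardinfo></payment>');
$enc = transform('cardinfo', '<EncryptedElement contentType="text/xml" algorithm="AES-256-GCM"'
    . ' encoding="base64"><xsl:value-of select="php:function(\'encryptNodes\', .)"/>'
    . '</EncryptedElement>', 'encryptNodes', $in);
echo $enc->saveXML();                                      // issuer readable, cardinfo encrypted
$dec = transform('EncryptedElement',
    '<xsl:copy-of select="php:function(\'decryptToNode\', string(.))"/>', 'decryptToNode', $enc);
echo $dec->saveXML();                                      // cardinfo restored
```

The allow-list passed to registerPHPFunctions() matters: called with no argument, it lets a stylesheet invoke any PHP function, so the stylesheet itself becomes part of the trusted code base.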

Page 15: XML Security Using XSLT

XML Security using XSLT

Page 16: XML Security Using XSLT

Conclusion

• XSLT processors remain a standard specification on the client side and the server side, and can be implemented anywhere in a business application
• Our proposal thus makes encryption / decryption of an XML document possible just by using an XSL encrypting / decrypting document
• The project thus extends the XSLT processor to provide encryption and decryption functions and implement an Access Control Model
• To demonstrate the cryptographic capabilities implemented using the XSLT processor, a real world application is developed using PHP

Page 17: XML Security Using XSLT


Page 18: XML Security Using XSLT

Thank You…

• Read the research whitepaper here: Slideshare.net

• Questions? Tweet me @ahmedmzl
• This presentation was presented at the National Conference on Computational Intelligence and Network Security, April 2009