Date posted: 13-Sep-2014
Table of Contents
• Introduction
• XML (eXtensible Markup Language)
• XML Security
• Element wise Encryption
• Access Control Model
• XSLT (eXtensible Stylesheet Language Transformations)
• XML Security using XSLT
• Conclusion
• References
Introduction
• XML (eXtensible Markup Language) - the “love child” of W3C (World Wide Web Consortium)
• XML - Mainly used for B2B messaging
• Biggest concern for customer is security
Introduction (contd.)
• XML inherits transport layer security such as SSL as used in HTML for basic security
• Some security features of XML are beyond transport layer security
• This project addresses the specific security features of XML by
  • Describing an access control model &
  • Performing cryptographic transformations on it
Introduction (contd.)
• XSLT (eXtensible Stylesheet Language Transformations)
• XSLT may well have sufficient functionality to perform all reasonable cryptographic transformations.
• We extend the XSLT Processor to provide encryption and decryption functions
• We also implement a real world application in PHP, utilizing the cryptographic functions in the XSLT processor
XML
• XML is an open standard for cross application communication
• XML allows users to structure and label information separately from the presentation of that information.
• An XML document must adhere to particular syntax and semantics as outlined in the XML Specification by W3C
XML (contd.)
• XML is generally parsed or manipulated using the Document Object Model (DOM)
• DOM allows navigation of an XML document as if it were a tree with node objects as branches

<payment type="card">
  <issuer> Card Company A </issuer>
  <cardinfo>
    <name> ADAM ISHMAEL </name>
    <expiration> 04/2010 </expiration>
    <number> 5283 8304 6232 0010 </number>
  </cardinfo>
</payment>
XML Security
• XML uses existing Transport Layer Security (TLS) mechanisms such as SSL for basic end-to-end communication security
• TLS prevents eavesdropping, tampering, and message forgery between a client and server
• TLS doesn’t address some specific XML Security features such as:
  • Element Wise Encryption
  • Digital Signature and
  • Access Control
Element Wise Encryption
• Element-wise encryption allows the user to select the data fields to be encrypted
• Therefore, the remaining non-confidential data fields will be readable.
• Instead of encrypting an entire document, it is enough to encrypt only the part of it that should be confidential.
Element Wise Encryption (contd.)
• An Example:

<payment type="card">
  <issuer>Card Company A</issuer>
  <cardinfo>
    <name> ADAM ISHMAEL </name>
    <expiration> 04/2010 </expiration>
    <number> 5283 8304 6232 0010 </number>
  </cardinfo>
</payment>

• Card Info Encrypted

<payment type="card">
  <issuer>Card Company A</issuer>
  <EncryptedElement contentType="text/plain" algorithm="DES" encoding="base64"> PHJvdz4KICAglCAgPGNvbCBwYWNrZWQ9lmJhc2U2NCl+ </EncryptedElement>
</payment>
XML Access Control Model
• Providing the right people with the right access to information is as important as having the information in the first place
• XML Access Control is performed by providing XML documents with a sophisticated access control model that applies the appropriate encryption / decryption transformations
XML Access Control Model
XSLT
• XSLT (eXtensible Stylesheet Language Transformations) is a W3C specification for a document manipulation language capable of restructuring documents and performing computations on their elements.
XML Security using XSLT
• If we regard encryption/decryption as just another XML document transformation operation, then it is apparent that the advantages XSLT
• We propose a model to implement the various XML security features using XSLT thus making it possible for a standard XSLT processor to provide XML security functions.
XML Security using XSLT
Conclusion
• XSLT processors remain a standard specification on the client side and the server side, and can be implemented anywhere in a business application
• Our proposal thus makes encryption / decryption of an XML Document possible just by using an XSL encrypting / decrypting document
• The project thus extends the XSLT processor to provide encryption and decryption functions and implements an Access Control Model
• To demonstrate the cryptographic capabilities implemented using the XSLT processor, a real world application is developed using PHP
References
• Kayvan Farzaneh; Mahmood Doroodchi, "XML Security beyond XSLT," Innovations in Information Technology, 2006, pp. 1-5, Nov. 2006
• Maruyama H. and Imamura T., "Element-Wise XML Encryption", April 2000.
• W3C, "Extensible Markup Language (XML) 1.0 (Fifth Edition) W3C Recommendation 26 November 2008"
• W3C, "XSL Transformations (XSLT) Version 2.0 W3C Recommendation 23 January 2007"
Thank You…
• Read the research whitepaper here: Slideshare.net
• Questions? Tweet me @ahmedmzl
• This presentation was presented at the National Conference on Computational Intelligence and Network Security, April 2009