Page 1: XML Security Using XSLT
Page 2: XML Security Using XSLT

Table of Contents

• Introduction
• XML (eXtensible Markup Language)
• XML Security
    • Element wise Encryption
    • Access Control Model
• XSLT (eXtensible Stylesheet Language Transformations)
• XML Security using XSLT
• Conclusion
• References

Page 3: XML Security Using XSLT

Introduction

• XML (eXtensible Markup Language) - the “love child” of W3C (World Wide Web Consortium)
• XML - mainly used for B2B messaging
• The biggest concern for customers is security

Page 4: XML Security Using XSLT

Introduction (contd.)

• XML inherits transport layer security such as SSL as used in HTML for basic security
• Some security features of XML are beyond transport layer security
• This project addresses the specific security features of XML by
    • Describing an access control model &
    • Performing cryptographic transformations on it

Page 5: XML Security Using XSLT

Introduction (contd.)

• XSLT (eXtensible Stylesheet Language Transformations)
• XSLT may well have sufficient functionality to perform all reasonable cryptographic transformations.
• We extend the XSLT Processor to provide encryption and decryption functions
• We also implement a real world application in PHP, utilizing the cryptographic functions in the XSLT processor

Page 6: XML Security Using XSLT

XML

• XML is an open standard for cross-application communication
• XML allows users to structure and label information separately from the presentation of that information.
• An XML document must adhere to the particular syntax and semantics outlined in the XML Specification by W3C

Page 7: XML Security Using XSLT

XML (contd.)

• XML is generally parsed or manipulated using the Document Object Model (DOM)
• DOM allows navigation of an XML document as if it were a tree with node objects as branches

    <payment type="card">
      <issuer> Card Company A </issuer>
      <cardinfo>
        <name> ADAM ISHMAEL </name>
        <expiration> 04/2010 </expiration>
        <number> 5283 8304 6232 0010 </number>
      </cardinfo>
    </payment>

Page 8: XML Security Using XSLT

XML Security

• XML uses existing Transport Layer Security (TLS) mechanism such as SSL for basic end to end communication security
• TLS prevents eavesdropping, tampering, and message forgery between a client and server
• TLS doesn’t address some specific XML Security features such as:
    • Element Wise Encryption
    • Digital Signature and
    • Access Control

Page 9: XML Security Using XSLT

Element Wise Encryption

• Element-wise encryption allows the user to select the data fields to be encrypted
• Therefore, the remaining nonconfidential data fields will be readable.
• Instead of encrypting an entire document, it is enough to encrypt only the part of it that should be confidential.

Page 10: XML Security Using XSLT

Element Wise Encryption (contd.)

• An Example:

    <payment type="card">
      <issuer>Card Company A</issuer>
      <cardinfo>
        <name> ADAM ISHMAEL </name>
        <expiration> 04/2010 </expiration>
        <number> 5283 8304 6232 0010 </number>
      </cardinfo>
    </payment>

• Card Info Encrypted

    <payment type="card">
      <issuer>Card Company A</issuer>
      <EncryptedElement contentType="text/plain" algorithm="DES" encoding="base64">
        PHJvdz4KICAglCAgPGNvbCBwYWNrZWQ9lmJhc2U2NCl+
      </EncryptedElement>
    </payment>
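
The transformation on this slide, written out as an added example (it is not code from the presentation or its XSLT extension). The function names, the contentType value and the cipher are assumptions: Python's standard library has no DES, so an HMAC-SHA256 counter-mode keystream with a MAC stands in for it, and the algorithm attribute is set to a label for that stand-in.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

# Constructed sample with the same shape as the slide's <payment> document.
SAMPLE = ('<payment type="card"><issuer>Card Company A</issuer><cardinfo>'
          '<name>ADAM ISHMAEL</name><expiration>04/2010</expiration>'
          '<number>5283 8304 6232 0010</number></cardinfo></payment>')
ALG = "HMAC-SHA256-CTR+MAC"  # stand-in label (assumption); the slide shows DES

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(data, key, nonce):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stdlib stand-in)."""
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_element(root, tag, key):
    """Replace the first child of root named tag with an <EncryptedElement>."""
    for i, child in enumerate(list(root)):
        if child.tag == tag:
            nonce = os.urandom(16)
            body = nonce + _xor_stream(ET.tostring(child), _subkey(key, b"enc"), nonce)
            mac = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
            enc = ET.Element("EncryptedElement", contentType="text/xml",
                             algorithm=ALG, encoding="base64")
            enc.text = base64.b64encode(body + mac).decode()
            root.remove(child)
            root.insert(i, enc)
            return enc
    raise KeyError(tag)

def decrypt_elements(root, key):
    """Restore each <EncryptedElement> child whose MAC verifies under key."""
    restored = 0
    for i, child in enumerate(list(root)):
        if child.tag != "EncryptedElement":
            continue
        raw = base64.b64decode(child.text)
        body, mac = raw[:-32], raw[-32:]
        good = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, good):
            continue  # wrong key or modified ciphertext: element stays opaque
        plain = _xor_stream(body[16:], _subkey(key, b"enc"), body[:16])
        root.remove(child)
        root.insert(i, ET.fromstring(plain))
        restored += 1
    return restored
```

A reader without the key still parses the document and reads <issuer>; only a key holder gets <cardinfo> back, and a modified ciphertext is left in place instead of being decrypted.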

Page 11: XML Security Using XSLT

XML Access Control Model

• Providing the right people with the right access to information is as important as having the information in the first place
• XML access control is performed by giving XML documents a sophisticated access control model, enforced by applying the appropriate encryption / decryption transformations

Page 12: XML Security Using XSLT

XML Access Control Model

Page 13: XML Security Using XSLT

XSLT

• XSLT (eXtensible Stylesheet Language Transformations) is a W3C specification for a document manipulation language capable of restructuring documents and performing computations on their elements.

Page 14: XML Security Using XSLT

XML Security using XSLT

• If we regard encryption/decryption as just another XML document transformation operation, then it is apparent that the advantages XSLT
• We propose a model to implement the various XML security features using XSLT thus making it possible for a standard XSLT processor to provide XML security functions.

Page 15: XML Security Using XSLT

XML Security using XSLT

Page 16: XML Security Using XSLT

Conclusion

• XSLT processors remain a standard specification on the client side and the server side, and can be implemented anywhere in a business application
• Our proposal thus makes encryption / decryption of an XML document possible just by using an XSL encrypting / decrypting document
• The project thus extends the XSLT processor to provide encryption and decryption functions and implements an Access Control Model
• To demonstrate the cryptographic capabilities implemented using the XSLT processor, a real world application is developed using PHP

Page 17: XML Security Using XSLT

References

• Kayvan Farzaneh; Mahmood Doroodchi, “XML Security beyond XSLT,” Innovations in Information Technology, 2006, pp. 1-5, Nov. 2006
• Maruyama H. and Imamura T., “Element-Wise XML Encryption”, April 2000.
• W3C, “Extensible Markup Language (XML) 1.0 (Fifth Edition) W3C Recommendation 26 November 2008”
• W3C, “XSL Transformations (XSLT) Version 2.0 W3C Recommendation 23 January 2007”

Page 18: XML Security Using XSLT

Thank You…

• Read the research whitepaper here: Slideshare.net
• Like this presentation? Share it...
• Questions? Tweet me @ahmedmzl
• This presentation was presented at the National Conference on Computational Intelligence and Network Security, April 2009

