XML is expected to facilitate Internet B2B messaging because of its simplicity and flexibility.
One big concern that customer may have in doing Internet B2B messaging is security.
Therefore considering some security features in XML such as element-wise encryption, access control and digital signature that are beyond the capability of the transport-level security protocol such as SSL is of interest.
We describe element-wise encryption of XML documents by performing some cryptographic transformations on it. For this reason, XSLT (Extensible Stylesheet Language Transformations) may well have sufficient functionality to perform all reasonable cryptographic transformations.
In this paper we implement element wise encryption operation in the document using XSLT. Extension functions of XSLT are made use to enhance the abilities of XSLT to include the encryption and decryption functions.
2. Table of Contents
ž Introduction
ž XML (eXtensible Markup Language)
ž XML Security
— Element wise Encryption
— Access Control Model
ž XSLT (eXtensible Stylesheet Language Transformations)
ž XML Security using XSLT
ž Conclusion
ž References
3. Introduction
ž XML (eXtensible Markup Language) - the
“love child” of W3C (World Wide Web
Consortium)
ž XML - Mainly used for B2B messaging
ž Biggest concern for customer is security
4. Introduction (contd.)
ž XML inherits transport layer security such
as SSL as used in HTML for basic security
ž Some security features of XML are beyond
transport layer security
ž This project addresses the specific security
features of XML by
— Describing an access control model &
— Performing cryptographic transformations on it
5. Introduction (contd.)
ž XSLT (eXtensible Stylesheet Language
Transformations)
ž XSLT may well have sufficient functionality
to perform all reasonable cryptographic
transformations.
ž We extend the XSLT Processor to provide
encryption and decryption functions
ž We also implement a real world application
in PHP, utilizing the cryptographic functions
in the XSLT processor
6. XML
ž XML is open standard for cross
application communication
ž XMLallows users to structure and label
information separately from the
presentation of that information.
ž An XML document must adhere to
particular syntax and semantics as
outlined in XML Specification by W3C
7. XML (contd.)
ž XML is generally parsed or manipulated
using Document Object Model (DOM)
ž DOM allows navigation of an XML
document as if it were a tree with node
objects as branches
<payment type=card”>
<issuer> Card Company A </issuer>
<cardinfo>
<name> ADAM ISHMAEL </name>
<expiration> 04/2010 </expiration>
<number> 5283 8304 6232 0010 </number>
</cardinfo>
</payment>
8. XML Security
ž XML uses existing Transport Layer Security
(TLS) mechanism such as SSL for basic end
to end communication security
ž TLS prevents eavesdropping, tampering, and
message forgery between a client and server
ž TLS doesn’t address some specific XML
Security features such as:
— Element Wise Encryption
— Digital Signature and
— Access Control
9. Element Wise Encryption
ž Element-wise encryption allows the user
to select the data fields to be encrypted
ž Therefore,the remaining nonconfidential
data fields will be readable.
ž Instead of the encrypting an entire
document, it is enough to encrypt only a
part of it which should be confidential.
10. Element Wise Encryption (contd.)
ž An Example:
<payment type=card”>
<issuer>Card Company A</issuer>
<cardinfo>
<name> ADAM ISHMAEL </name>
<expiration> 04/2010 </expiration>
<number> 5283 8304 6232 0010 </number>
</cardinfo>
</payment>
ž Card Info Encrypted
<payment type=card”>
<issuer>Card Company A</issuer>
<EncryptedElement contentType=”text/plain”
algorithm=”DES” encoding=”base64”>
PHJvdz4KICAglCAgPGNvbCBwYWNrZWQ9lmJhc2U2NCl+
</EncryptedElement>
</payment>
11. XML Access Control Model
ž Providing
the right people with the right
access to information is as important as
having the information in the first place
ž XMLAccess Control is performed by
providing XML documents with a
sophisticated access control model by
applying appropriate encryption /
decryption transformation
13. XSLT
ž XSLT (eXtensible Stylesheet
Language Transformations) is a
W3C specification for a document
manipulation language capable of
restructuring documents and
performing computations on their
elements.
14. XML Security using XSLT
ž If we regard encryption/decryption as just
another XML document transformation
operation, then it is apparent that the
advantages XSLT
ž We propose a model to implement the
various XML security features using XSLT
thus making it possible for a standard XSLT
processor to provide XML security
functions.
16. Conclusion
ž XSLT processors remain as a standard
specification in the client side, the server side and
can be implemented anywhere in a business
application
ž Our proposal thus makes encryption / decryption
of an XML Document possible just by using a XSL
encrypting / decrypting document
ž The project thus extends the XSLT processor to
provide encryption and decryption functions and
implement an Access Control Model
ž For demonstration of the cryptographic capabilities
implemented using XSLT processor, a real world
application is developed using PHP
17. References
ž Kayvan Farzaneh; Mahmood Doroodchi, "XML Security
beyond XSLT," Innovations in Information Technology, 2006 ,
pp.1-5, Nov. 2006
ž Maruyama H. and Imamura T., “Element-Wise XML
Encryption”, April 2000.
ž W3C, “Extensible Markup Language (XML) 1.0 (Fifth Edition)
W3C Recommendation 26 November 2008”
ž W3C, “XSL Transformations (XSLT) Version 2.0 W3C
Recommendation 23 January 2007”
18. Thank You…
ž Read the research whitepaper here:
Slideshare.net
ž Like this presentation? Share it...
ž Questions? Tweet me @ahmedmzl
ž This presentation was presented at the National
Conference on Computational Intelligence and
Network Security, April 2009