Aleksey Sanin: XML Security Standards in the Real World


Aleksey Sanin is talking about How to Use XML Security Standards in the Real World. He's going to speak on W3C XML Security specifications, the XML security library, and practical tips for XML security.

XML security specifications provide fine-grained security for XML documents. XML Canonicalization (is that a word?) provides a way to produce a single, canonical form of an XML document in the face of ambiguous XML formatting. For example, attribute order doesn't matter in XML, but it does if you're going to check signatures. Aleksey recommends the Exclusive C14N algorithm. The XML digital signature standard defines the schema for aggregating the signature algorithm name, the signed information, the signature value, and the key information in an XML structure that can be embedded in other XML documents (like SOAP headers). The XML Encryption standard aggregates the encryption algorithm name and reference, the key information, the cipher data (i.e. the encrypted data) and the encryption properties.

Aleksey has written a toolkit called XML Security Library that implements these standards in C and C++. There are other libraries from Microsoft, Apache, Baltimore Technologies, IBM, and Phaos Technology Corp. XML Security Library is open source. XML Security Library can support OpenSSL, GnuTLS, NSS, and practically any cryptographic library.

Aleksey offers some tips for using XML security:

  • Check what was actually signed
  • Limit the allowed digest, signature, encryption and transform algorithms
  • Limit key sources
  • Check URLs and other references
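
The four tips above can be applied as a policy check on the `ds:Signature` structure before any cryptographic verification. This is an added example, not code from the talk or from XML Security Library; the allow-lists, the function names and the sample document are assumptions, and it checks policy only (it does not verify the signature value).

```python
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Assumed allow-lists for this example; set them to match your own policy.
ALLOWED = {
    "ds:CanonicalizationMethod": {EXC_C14N},
    "ds:SignatureMethod": {RSA_SHA256},
    "ds:DigestMethod": {SHA256},
    "ds:Transforms/ds:Transform": {DS + "enveloped-signature", EXC_C14N},
}

def _algs(parent, path, required):
    """Algorithm URIs found at `path`; a required but absent element yields None."""
    found = [n.get("Algorithm") for n in parent.findall(path, NS)]
    return found or ([None] if required else [])

def policy_violations(xml_text, expected_id):
    """Return policy violations in the document's ds:Signature (empty list = pass)."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(".//ds:Signature", NS)
    info = sigs[0].find("ds:SignedInfo", NS) if len(sigs) == 1 else None
    if info is None:
        return ["expected exactly one Signature with a SignedInfo"]
    refs = info.findall("ds:Reference", NS)
    checks = [(info, "ds:CanonicalizationMethod", True), (info, "ds:SignatureMethod", True)]
    for ref in refs:
        checks += [(ref, "ds:DigestMethod", True), (ref, "ds:Transforms/ds:Transform", False)]
    problems = [f"{path} not allowed: {alg}" for parent, path, req in checks
                for alg in _algs(parent, path, req) if alg not in ALLOWED[path]]
    # What was signed / reference URIs: one same-document reference to a unique Id.
    if [r.get("URI") for r in refs] != ["#" + expected_id]:
        problems.append("references do not cover exactly #" + expected_id)
    if sum(1 for e in root.iter() if e.get("Id") == expected_id) != 1:
        problems.append("expected Id is missing or duplicated")
    # Limit key sources: refuse keys fetched by reference from KeyInfo.
    if sigs[0].find("ds:KeyInfo/ds:RetrievalMethod", NS) is not None:
        problems.append("KeyInfo/RetrievalMethod not allowed")
    return problems

def sample(sig_alg, uri, key_info=""):
    """Constructed input; digest and signature values are placeholders."""
    return (f'<Order xmlns:ds="{DS}"><Item Id="item1">10</Item><ds:Signature><ds:SignedInfo>'
            f'<ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/><ds:SignatureMethod Algorithm="{sig_alg}"/>'
            f'<ds:Reference URI="{uri}"><ds:DigestMethod Algorithm="{SHA256}"/>'
            f'<ds:DigestValue>AA==</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>'
            f'AA==</ds:SignatureValue><ds:KeyInfo>{key_info}</ds:KeyInfo></ds:Signature></Order>')
```

A document that passes this check still has to pass signature verification with a key the application already trusts; the check only narrows what the verifier is asked to accept.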