Safer XML (2/2) - exploring XML | WebReference

Safer XML

Examples

We conclude with examples of XML Encryption and XML Signature. Here is an example of confidential credit card data that should be protected:

<creditcard>
  <holder>Michael Classen</holder>
  <data>
    <type>Eurocard/Mastercard</type>
    <number>4444 3333 2222 1111</number>
    <issuer>Deutsche Bank</issuer>
    <expires>12/02</expires>
  </data>
</creditcard>

Encryption

Encryption can be applied selectively, so here is the encrypted version of the credit card number only:

<creditcard>
  <holder>Michael Classen</holder>
  <data>
    <type>Eurocard/Mastercard</type>
    <number>
      <enc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content"
        xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
        <enc:CipherData><enc:CipherValue>ABCD...4711</enc:CipherValue></enc:CipherData>
      </enc:EncryptedData>
    </number>
    <issuer>Deutsche Bank</issuer>
    <expires>12/02</expires>
  </data>
</creditcard>

Encrypting the complete credit card data except the name:

<creditcard>
  <holder>Michael Classen</holder>
  <enc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
    <enc:CipherData><enc:CipherValue>A7C1...4B1D</enc:CipherValue></enc:CipherData>
  </enc:EncryptedData>
</creditcard>

Encryption of everything looks like this:

<enc:EncryptedData Type="http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml"
  xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <enc:CipherData><enc:CipherValue>4B1D...A7C1</enc:CipherValue></enc:CipherData>
</enc:EncryptedData>
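
To compare what each of the three granularities above leaves readable, the following added example (not part of the original column) walks a document and reports the leaf values still in cleartext and where each EncryptedData element sits. The function name `audit` and the sample strings are constructed for illustration; element names use the capitalization from the XML Encryption specification.

```python
import xml.etree.ElementTree as ET

ENC_NS = "http://www.w3.org/2001/04/xmlenc#"   # namespace used on the page
ENCRYPTED_DATA = f"{{{ENC_NS}}}EncryptedData"

def audit(xml_text):
    """Return (cleartext, encrypted) for one document.

    cleartext: {path: value} for every leaf element still readable.
    encrypted: [(parent_path, Type)] for every EncryptedData element.
    """
    cleartext, encrypted = {}, []

    def walk(elem, parent):
        if elem.tag == ENCRYPTED_DATA:
            encrypted.append((parent or "/", elem.get("Type", "")))
            return  # only ciphertext below this point
        here = f"{parent}/{elem.tag}"
        text = (elem.text or "").strip()
        if len(elem) == 0 and text:
            cleartext[here] = text
        for child in elem:
            walk(child, here)

    # Standard-library parser: feed it trusted documents only.
    walk(ET.fromstring(xml_text), "")
    return cleartext, encrypted

# Constructed samples mirroring the page's three granularities.
def _enc(type_uri):
    return (f'<enc:EncryptedData Type="{type_uri}" xmlns:enc="{ENC_NS}">'
            "<enc:CipherData><enc:CipherValue>ABCD...4711</enc:CipherValue>"
            "</enc:CipherData></enc:EncryptedData>")

HOLDER = "<holder>Michael Classen</holder>"
NUMBER_ONLY = ("<creditcard>" + HOLDER + "<data><type>Eurocard/Mastercard</type>"
               "<number>" + _enc(ENC_NS + "Content") + "</number>"
               "<issuer>Deutsche Bank</issuer><expires>12/02</expires></data></creditcard>")
DATA_ELEMENT = "<creditcard>" + HOLDER + _enc(ENC_NS + "Element") + "</creditcard>"
WHOLE_DOC = _enc("http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml")

if __name__ == "__main__":
    for name, doc in [("number only", NUMBER_ONLY), ("data element", DATA_ELEMENT),
                      ("whole document", WHOLE_DOC)]:
        clear, enc = audit(doc)
        print(f"{name}: encrypted at {[p for p, _ in enc]}, readable: {sorted(clear)}")
```

Encrypting only the number still exposes the card type, issuer and expiry date alongside the holder; only the whole-document form leaves nothing readable.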

Signature

Signing the credit card info:

<sig:Signature xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
  <sig:SignedInfo>
    <!-- CanonicalizationMethod, SignatureMethod and the Reference's
         DigestMethod/DigestValue are omitted here for brevity -->
    <sig:Reference URI="#cc" />
  </sig:SignedInfo>
  <sig:SignatureValue>4711...ABCD</sig:SignatureValue>
  <sig:Object>
    <creditcard id="cc">
      <holder>Michael Classen</holder>
      <data>
        <type>Eurocard/Mastercard</type>
        <number>4444 3333 2222 1111</number>
        <issuer>Deutsche Bank</issuer>
        <expires>12/02</expires>
      </data>
    </creditcard>
  </sig:Object>
</sig:Signature>

Conclusion

A fair number of XML security standards aim to make the XML world as safe a place as the rest of computing has been in the past. Although implementations of these specifications are still in their early days, there is no doubt that existing security measures can be adapted and carried forward to the XML world.


Produced by Michael Claßen

URL: http://www.webreference.com/xml/column72/2.html
Created: Jan 06, 2003
Revised: Jan 06, 2003