3. The 3 pillars of secure E-commerce
Confidentiality: Ensuring that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Authentication: The ability to determine that a message really comes from the listed sender.
Data integrity: Ensuring that when information arrives at its destination it hasn't been tampered with or altered in transit from its original form, either accidentally or deliberately.
4. These three dimensions of secure e-commerce rest on a foundation of
cryptography.
All cryptography operates according to the same basic principle.
Approaches to cryptography fall into two main categories:
single-key encryption, which relies on a single secret key to encode and
decode information.
public-key cryptography, which uses two keys, one private and the other
public, to encode and decode data.
6. Public-key cryptography
Public-key cryptography is based on complementary public and
private keys.
It enables secure communication between parties without the need
to exchange a secret key.
It is the basis for privacy, authentication, data integrity, and
nonrepudiation, the basic elements for any Web-based e-commerce
system.
The complementary public and private keys can be used to handle
confidentiality and authentication. Each requires key usage in a
slightly different way.
7. Confidentiality and Authentication using keys.
◇ Confidentiality in digital communication can be accomplished by using someone's public key to send a message.
◇ Encrypting with a public key ensures confidentiality.
◇ Encrypting with a private key ensures authentication.
◇ Messages encoded with the private key can be decoded only by the public key, thereby ensuring authentication.
9. Data Integrity
◇ Data integrity ensures that the message received is the message
sent.
◇ The technology for validating messages is called digital hashing.
◇ A digest or digital hash is an algorithmically generated short string
of characters that uniquely characterizes a document.
◇ Thus, to test the integrity of a document, one compares the digital
hash of the original document with that of the version received; if the
hashes do not match, the data integrity of the document has been
compromised.
◇ Although it's theoretically possible for two different documents to
generate the same digital hash, it's practically impossible to use
this fact to defeat the comparison procedure.
10. Data Integrity
◇ A document digest is an algorithmically generated, abbreviated, unique
representation of a document. If one character of the document is altered,
the document digest will be different.
12. Need of canonicalization
◇ The purpose of finding the canonical (or simplified) form of
an XML document is to determine logical equivalence
between XML documents. W3C has defined
canonicalization rules such that the canonical form of two
XML documents will be the same if they are logically
equivalent.
◇ Whenever we are required to determine whether two XML
documents are logically equivalent, we will canonicalize
each of them and compare the canonical forms octet-by-octet.
If the two canonical forms contain the same sequence of octets,
we will conclude that the two XML files are logically equivalent.
13. Steps to canonicalize an XML document
◇ Encoding Scheme
◇ Line Breaks
◇ Attribute values are normalized
◇ Double quotes for Attribute values
◇ Special Characters in Attribute Values and Character Content
◇ Entity References
◇ Default Attributes
◇ XML and DTD declarations
◇ White Space outside the Document Element
◇ White Space in Start and End Elements
◇ Empty Elements
◇ Namespace Declarations
◇ Ordering of Namespace Declarations and Attributes
14.
◇ Encoding Scheme
The canonical XML specification dictates that the canonical form of XML documents
should be encoded in UTF-8 encoding. Therefore, if the XML file to be canonicalized
has any other encoding, it should be changed to UTF-8.
◇ Line Breaks
XML files are all simple text files, therefore #xA and #xD are used as line breaks in all
XML files.
The canonical form of XML requires that all line breaks be replaced with #xA. This
should be done before starting to process the XML file.
◇ Attribute values are normalized
Ensuring that when information arrives at its destination it hasn't been tampered with or
altered in transit from its original form, either accidentally or deliberately.
15. Double quotes for Attribute values: Only double quotes should be
used to encapsulate attribute values in canonical form.
Special Characters in Attribute Values and Character Content:
The Canonical XML specification requires that all special characters
(e.g. double quotes) in attribute values and element content be
replaced with character entities (e.g. &quot; for double quotes).
Entity References: Canonical XML requires that all entity
references be replaced with the content represented by the entity.
Default Attributes: Canonical XML requires that default attributes
should be included in the canonical XML form.
XML and DTD declarations: Canonical XML does not require XML
and DTD declarations. Therefore XML and DTD declarations should
be removed in the canonical form.
17. White Space outside the Document Element: A Canonical XML
document starts with the '<' character. This means that there should be
no white space before the first node.
White Space in Start and End Elements:
Start and End elements should have normalized white space in
canonical form. This means there should be:
• No white space between the left angle bracket ('<') and the name of
a start element. Similarly there should be no space between a slash
('/') and the name of an end element.
• A single #x20 character between the element name and the first
attribute name, if present.
• No white space before and after the equality sign in attribute-value
pairs.
• A single #x20 character between attribute-value pairs.
• No white space following the closing double quote of the last
attribute's value.
• If there are no attributes, there should be no white space between
the element name and the right angle bracket '>'.
18. Empty Elements: Canonical XML requires start-end tag pairs for
all elements, which includes empty elements as well.
Therefore, all empty elements of the form <emptyElement/>
need to be converted to <emptyElement></emptyElement>.
Namespace Declarations: Canonical XML requires preserving
all namespace declarations as such (along with the
namespace prefixes) except superfluous namespace
declarations.
Ordering of Namespace Declarations and Attributes:
Canonical XML requires the inclusion of namespace
declarations and attributes in ascending lexicographic order.
Inside an opening element, all namespace declarations should
appear first, followed by the attribute-value pairs.
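Added example, not part of the original slides: the digest comparison from the Data Integrity slides applied to XML, showing that two logically equivalent documents hash differently as raw text but identically once canonicalized, while a changed attribute value still changes the digest. It assumes Python's standard-library `xml.etree.ElementTree.canonicalize` (which implements C14N 2.0) as the canonicalizer and uses constructed sample documents with no DTD and no namespaces, for which its output follows the rules listed above.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample documents. A and B differ only in ways the rules above
# erase: XML declaration, quote style, spacing inside the start tag,
# attribute order and empty-element form. C changes one attribute value.
DOC_A = ("<?xml version='1.0' encoding='UTF-8'?>\n"
         "<order   id='42'  currency=\"USD\"><item sku='A1'/>"
         "<note>pay &amp; ship</note></order>")
DOC_B = ('<order currency="USD" id="42"><item sku="A1"></item>'
         '<note>pay &amp; ship</note></order>')
DOC_C = DOC_B.replace('id="42"', 'id="43"')


def canonical_form(xml_text: str) -> bytes:
    """Canonicalize, then encode as UTF-8: the octets to compare or hash."""
    return canonicalize(xml_text).encode("utf-8")


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the document exactly as received."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form."""
    return hashlib.sha256(canonical_form(xml_text)).hexdigest()


def logically_equivalent(doc1: str, doc2: str) -> bool:
    """Octet-by-octet comparison of the two canonical forms."""
    return canonical_form(doc1) == canonical_form(doc2)


if __name__ == "__main__":
    print(canonical_form(DOC_A).decode("utf-8"))
    print("raw digests match:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests match:",
          canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("altered doc detected:   ",
          canonical_digest(DOC_A) != canonical_digest(DOC_C))
```
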