XML Security Using XSLT
1 like1,310 views
The document discusses XML (Extensible Markup Language) and its security concerns, focusing on element-wise encryption and an access control model. It proposes extending XSLT (Extensible Stylesheet Language Transformations) processors to include cryptographic functions for secure XML processing. A real-world application developed in PHP illustrates these extended security features, emphasizing XML's capability for structured information and communication.
XML Security Using XSLT
- 2. Table of Contents ž Introduction ž XML (eXtensible Markup Language) ž XML Security — Element wise Encryption — Access Control Model ž XSLT (eXtensible Stylesheet Language Transformations) ž XML Security using XSLT ž Conclusion ž References
- 3. Introduction ž XML (eXtensible Markup Language) - the “love child” of W3C (World Wide Web Consortium) ž XML - Mainly used for B2B messaging ž Biggest concern for customer is security
- 4. Introduction (contd.) ž XML inherits transport layer security such as SSL as used in HTML for basic security ž Some security features of XML are beyond transport layer security ž This project addresses the specific security features of XML by — Describing an access control model & — Performing cryptographic transformations on it
- 5. Introduction (contd.) ž XSLT (eXtensible Stylesheet Language Transformations) ž XSLT may well have sufficient functionality to perform all reasonable cryptographic transformations. ž We extend the XSLT Processor to provide encryption and decryption functions ž We also implement a real world application in PHP, utilizing the cryptographic functions in the XSLT processor
- 6. XML ž XML is open standard for cross application communication ž XMLallows users to structure and label information separately from the presentation of that information. ž An XML document must adhere to particular syntax and semantics as outlined in XML Specification by W3C
- 7. XML (contd.) ž XML is generally parsed or manipulated using Document Object Model (DOM) ž DOM allows navigation of an XML document as if it were a tree with node objects as branches <payment type=card”> <issuer> Card Company A </issuer> <cardinfo> <name> ADAM ISHMAEL </name> <expiration> 04/2010 </expiration> <number> 5283 8304 6232 0010 </number> </cardinfo> </payment>
- 8. XML Security ž XML uses existing Transport Layer Security (TLS) mechanism such as SSL for basic end to end communication security ž TLS prevents eavesdropping, tampering, and message forgery between a client and server ž TLS doesn’t address some specific XML Security features such as: — Element Wise Encryption — Digital Signature and — Access Control
- 9. Element Wise Encryption ž Element-wise encryption allows the user to select the data fields to be encrypted ž Therefore,the remaining nonconfidential data fields will be readable. ž Instead of the encrypting an entire document, it is enough to encrypt only a part of it which should be confidential.
- 10. Element Wise Encryption (contd.) ž An Example: <payment type=card”> <issuer>Card Company A</issuer> <cardinfo> <name> ADAM ISHMAEL </name> <expiration> 04/2010 </expiration> <number> 5283 8304 6232 0010 </number> </cardinfo> </payment> ž Card Info Encrypted <payment type=card”> <issuer>Card Company A</issuer> <EncryptedElement contentType=”text/plain” algorithm=”DES” encoding=”base64”> PHJvdz4KICAglCAgPGNvbCBwYWNrZWQ9lmJhc2U2NCl+ </EncryptedElement> </payment>
- 11. XML Access Control Model ž Providing the right people with the right access to information is as important as having the information in the first place ž XMLAccess Control is performed by providing XML documents with a sophisticated access control model by applying appropriate encryption / decryption transformation
- 12. XML Access Control Model
- 13. XSLT ž XSLT (eXtensible Stylesheet Language Transformations) is a W3C specification for a document manipulation language capable of restructuring documents and performing computations on their elements.
- 14. XML Security using XSLT ž If we regard encryption/decryption as just another XML document transformation operation, then it is apparent that the advantages XSLT ž We propose a model to implement the various XML security features using XSLT thus making it possible for a standard XSLT processor to provide XML security functions.
- 15. XML Security using XSLT
- 16. Conclusion ž XSLT processors remain as a standard specification in the client side, the server side and can be implemented anywhere in a business application ž Our proposal thus makes encryption / decryption of an XML Document possible just by using a XSL encrypting / decrypting document ž The project thus extends the XSLT processor to provide encryption and decryption functions and implement an Access Control Model ž For demonstration of the cryptographic capabilities implemented using XSLT processor, a real world application is developed using PHP
- 17. References ž Kayvan Farzaneh; Mahmood Doroodchi, "XML Security beyond XSLT," Innovations in Information Technology, 2006 , pp.1-5, Nov. 2006 ž Maruyama H. and Imamura T., “Element-Wise XML Encryption”, April 2000. ž W3C, “Extensible Markup Language (XML) 1.0 (Fifth Edition) W3C Recommendation 26 November 2008” ž W3C, “XSL Transformations (XSLT) Version 2.0 W3C Recommendation 23 January 2007”
- 18. Thank You… ž Read the research whitepaper here: Slideshare.net ž Like this presentation? Share it... ž Questions? Tweet me @ahmedmzl ž This presentation was presented at the National Conference on Computational Intelligence and Network Security, April 2009