About XML Digital Signatures

XML digital signatures are used for authentication and data integrity. It is designed to take advantage of the XML technology and the data transfer over the internet. With the XML digital signature it is possible to sign the specific portions of the XML document. Different parties could create different parts of the XML document and they sign those parts of the document at different times.

Data integrity for these portions is maintained by checking the digital signatures of these particular parts when a user is changing that portion of the XML document. When user who has access to this document is changing the default values the digital signature of that particular portion is made invalid.

Different types of resource can be signed with an XML digital signature. A signature can be used to validate different resources like HTML, JPG, or a XML encoded data. The data object which is signed originally should be accessible to verify the signature. It could be located anywhere else.

The XML document contains the location of the original data object against which the digital signature is verified. The location of the original data object could be referenced using an URI or it could be in the same resource or it could be embedded. This can said in other words as that the signature could be a sibling, parent, or child by itself.

The different tags or components that are included in the signature is given below. This information will give you an idea of the components that make up the signature.

<Signature>
<SignedInfo>
<CanonicalizationMethod>
<SignatureMethod>
<Reference>
<Transform>
<DigestMethod>
<DigestValue>
</Reference>
<SignedInfo>
<SignatureValue>
<KeyInfo>
<Object>
</Signature>

The <Reference> element has an URI attribute that locates the resource that is to be signed. There is an <Transform> element in the signature that gives the steps involved in processing the resource that is referenced. Before that element is digested this is done.

The element <DigestValue> has the value of the digest for the resource that is referenced. There is an element called the <SignatureValue> that is used for giving the value of the encrypted <SignedInfo> element. Every signature that is validated needs a key and there should be some element for indicated that key. There is a <KeyInfo> element for this purpose.

Creating an XML Signature has a series of steps involved. Before you create the digital signature you have to identify the resources for which the XML Digital Signature is to be created. This is the first step towards creating the XML Digital Signature.

Identifying the resources is through the URI. The URI that you use for referencing could point to an html file, or a gif image or an xml file. Within a file it could also point to a particular element or anchor. An example for these URI could be ‘http://www.yourwebsite.com/serverDir/page.xml#anch’.

The digest for each resource is calculated is calculated and that value is place in the element <DigestValue> which is a child element of the <Reference> element. The algorithm that is used to calculate the digest value is given in the attribute ‘Algorithm’ in the <DigestMethod> element which is also a child element of the <Reference> element. An example of code snippet at this stage would be something like,

<Reference URI=”the-uri-that-needs-to-be-digested”>
<DigestMethod Algorithm=http://www.w3.org/2000/09/xmldsig#shal/>
<DigestValue>XLDLBIta6EPO0vKtMup4NbeVu8nk</DigestValue>
</Reference>

Once you have all the references organized like this, you have to collect them under the tag <SignedInfo>. The <SignedInfo> tag has an <CanonicalizationMethod> element. This element has the canonized ‘signedinfo’ element. The elements should be canonized before they are represented for processing of the signature. This is done to avoid inaccurate results.

The algorithm that is used to produce the signature value is given in the <SignatureMethod> element’s ‘Algorithm’ attribute. Using that algorithm the <SignedInfo> element is digested and the resulting signature value is put in the <SignatureValue> element.

The <KeyInfo> element would have the information regarding the key which could be a public key that is used for the verification of the signature. This <KeyInfo> element is enclosed in the <Signature> element. This is how you have to create the digital signatures for the elements in the xml document.

After you have created them you have to verify them. for verifying the XML signature you have to recalculate the signature of the <SignedInfo> element by using the algorithm defined in the <SignatureMethod> element.

The signature value generated is compared to the value present in the <SignatureValue> element. Similarly the <DigestValue>’s values are also calculated using the appropriate algorithms and cross checked. This step confirms that the signatures are verified properly.

With the increase in the online transactions day by day there is a need for using such digital signatures to verify the authenticity of the documents that are involved in the transactions. To ensure the authenticity and the integrity we need to use such XML Digital Signatures. These are the evolving standards for the online transactions.