Posts Tagged cryptography
A digital signature is a cryptographic value that enables a recipient to verify the source and validity of
an incoming message. XML Signature defines an XML syntax for digital signatures.
When you enable SOAP header processing for a particular virtual service, the ACE XML Gateway
validates XML signatures in incoming messages received at the interface defined by the object. If a
signature does not match the element that is signed, the message is rejected.
Signature validity may not alone ensure message integrity—the signature could have been generated
using any certificate, including one issued by an untrusted source. If using XML Signature as part of
your implementation strategy, you should also specify which Certificate Authorities you want to be
trusted, and direct the ACE XML Gateway to accept only signatures generated with certificates issued
by those trusted CA.
Enabling header processing causes signatures to be validated if present in an incoming message (and
causes messages with invalid signatures to be blocked), but it doesn’t require a message to have a
The final step in configuring XML Signature, therefore, is specifying the elements of the incoming
message that must be signed. In the policy configuration, you can require a signature covering one or
- the message timestamp (a common practice in Web service implementations).
- the first element below the SOAP body.
- a particular element you specify by XPath. Each XPath expression you specify must resolve to a
signed XML element whose signature must be valid for the ACE XML Gateway to accept the
XML digital signatures will enable a sender to cryptographically sign data, and
the signatures can then be used as authentication credentials or a way to check
data integrity. XML signatures can be applied to any XML resource, such as XML,
an HTML page, binary-encoded data such as a gif file, and XML-encoded data. The
standout feature of the XML digital signature is its ability to sign only specific
portions of the XML document.
This article will now discuss the three types of XML signatures:
An enveloped signature is the signature applied over the XML content that
contains the signature as an element. The signature element is excluded
from the calculation of the signature value. The signed XML element in
Figure 1 represents the signed XML resource fragment. Click here to look
at a sample SOAP message with an enveloped signature.
Figure 1: Enveloped Signatures
An enveloping signature is the signature applied over the content found within
an Object element of the signature itself. The object or its content is
identified through a Reference element by way of a Uniform Resource Identifier
(URI) fragment identifier or transform. The signed XML element in Figure 1
represents the signed XML resource fragment.
Figure 2: Enveloping Signatures
A detached signature (see Figure 3) is the signature applied over the content external
to the Signature element, and it can be identified by way of a URI or a transform. The
signed XML resource can be present within the same document as the Signature element,
or it can be external to the XML document. Click here to look at a sample SOAP message
with a detached signature.
Figure 3: Detached Signatures
Before exploring quantum key distribution, it is important to understand the state
of modern cryptography and how quantum cryptography may address current
digital cryptography limitations. Since public key cryptography involves complex
calculations that are relatively slow, they are employed to exchange keys rather
than for the encryption of voluminous amounts of date. For example, widely
deployed solutions, such as the RSA and the Diffie-Hellman key negotiation
schemes, are typically used to distribute symmetric keys among remote parties.
However, because asymmetric encryption is significantly slower than symmetric
encryption, a hybrid approach is preferred by many institutions to take advantage
of the speed of a shared key system and the security of a public key system for
the initial exchange of the symmetric key. Thus, this approach exploits the speed
and performance of a symmetric key system while leveraging the scalability of a
public key infrastructure.
However, public key cryptosystems such as RSA and Diffie-Hellman are not
based on concrete mathematical proofs. Rather, these algorithms are
considered to be reasonably secure based on years of public scrutiny over the
fundamental process of factoring large integers into their primes, which is said to
be “intractable”. In other words, by the time the encryption algorithm could be
defeated, the information being protected would have already lost all of its value.
Thus, the power of these algorithms is based on the fact that there is no known
mathematical operation for quickly factoring very large numbers given today’s
computer processing power.
Secondly, there is uncertainty whether a theorem may be developed in the future
or perhaps already available that can factor large numbers into their primes in a
timely manner. At present, there is no existing proof stating that it is impossible
to develop such a factoring theorem. As a result, public key systems are thus
vulnerable to the uncertainty regarding the future creation of such a theorem,
which would have a significant affect on the algorithm being mathematical
intractable. This uncertainty provides potential risk to areas of national security
and intellectual property which require perfect security.
In sum, modern cryptography is vulnerable to both technological progress of
computing power and evolution in mathematics to quickly reverse one way
functions such as that of factoring large integers. If a factoring theorem were
publicized or computing became powerful enough to defeat public cryptography,
then business, governments, militaries and other affected institutions would have
to spend significant resources to research the risk of damage and potentially
deploy a new and costly cryptography system quickly.