Availability:
Item Barcode | Call Number | Material Type | Item Category 1 |
---|---|---|---|
30000010053792 | QA76.9.A25 E37 2003 | Open Access Book | Book |
On Order
Summary
As XML is more broadly used in both web sites and business applications, the need to ensure the security of XML-based applications grows. Most books on XML have at best a chapter devoted to security issues, and there is only one other book currently on the market devoted exclusively to XML Security. This book will show developers all they need to know about how to use XML Digital Signatures to protect the integrity and authenticity of data, and how to use XML Encryption to control its confidentiality. The lead author is at the center of the IETF and W3C working groups formalizing the standards, so there is no one better qualified to write about them. The book will also appeal to networking/security professionals who need to start dealing with the impact of XML on network security.
Author Notes
Donald E. Eastlake III is a Distinguished Member of Technical Staff at Motorola.
Kitty Niles is currently a freelance technical writer.
Excerpts
This book explains the guts of XML Digital Signatures and XML Encryption. Along the way, it describes how you, as a designer, implementer, or evaluator of an XML application, can make use of these technologies. Using this book, a skilled reader can design and implement interoperable XML-based authentication and/or confidentiality mechanisms for his or her particular applications.

The Extensible Markup Language (XML) is rapidly becoming the new standard in application-level computer communications. As its use spreads, mechanisms to assure the authenticity and confidential communication of XML documents and messages become essential.

Material provided in this book minimizes needed prerequisite knowledge, although it requires general familiarity with computer concepts. For the reader not familiar with digital security or cryptology concepts, Part I includes a chapter covering these topics in the depth needed to understand the remainder of the book. For the reader not familiar with XML, Part II provides in-depth coverage of XML and related standards. This material provides not just the background needed for the rest of this book, but also enough general coverage that it should be helpful in understanding most XML applications and systems. Readers with sufficient knowledge in the areas covered can skip or skim this background material.

After providing the introductory and background material in Parts I and II, the book covers the topics of XML digital signatures, XML encryption, and XML canonicalization in depth. This discussion includes specific formats and examples and covers keying material, combined use of signatures and encryption, algorithms, and profiling of signature use for particular applications. If your interest lies only in XML digital signatures or XML encryption, you can skip the chapters associated with the other topic. Any nontrivial use of XML Security, however, will require some familiarity with XML canonicalization, keying information, and the relevant algorithms.

This book is firmly based on the official, adopted standards of the World Wide Web Consortium, Internet Engineering Task Force, and other relevant standards bodies when available. Additional material is based on the most recent drafts or informational documents available at the time of writing and the authors' personal knowledge and experiences.

In general, we present areas of XML Security by giving an informal syntax with a skeletal example, followed by the formal syntax and then by a number of more complete examples. The material is organized so that the formal syntax and complete examples can be read in either order.

Throughout the book, we include notes that might be of interest to the reader, where the authors either have some particular knowledge of the history involved or have some heretical opinion.

Notations
This book uses some special typographical notations to represent, present, and set off special kinds of information. These notations are described below.

Boxes
Throughout this book, you will find short sections of text set off in boxes. These come in three varieties: Note, History, and Soapbox.

Note
Items of particular importance are set off in Note boxes. Pay particularly close attention to such boxes when you encounter them.

History
The historical background and evolution of particular design decisions, terms, organizations, or policies are described in History boxes. Skipping them won't cause you to miss any technical content, but you may find them illuminating.

Soapbox
Scattered throughout the book, these boxes consist of personal opinions and heretical comments. You can ignore them or, if you want, you can ignore the rest of the book and just read the Soapboxes. The name "soapbox" for heretical ravings comes from the use of actual wooden crates that had previously been used to ship soap as makeshift platforms by street-corner speakers.

Character Sequences and Code
Much of the discussion in this book needs to clearly specify character sequences and source code. In cases where a character sequence is relatively short (sometimes only one character) and confusion seems unlikely, the sequence appears intermixed with normal text but surrounded with double curly quotes. For example, "foo" is the three-character sequence of an "f" followed by two "o" characters [RFC 3092]. In some cases, the name of the character is followed by the quoted character in parentheses. For example, this sentence contains a comma (",") and ends in a period ("."). For longer character sequences or in cases where clarity is particularly important, the characters are set off on a separate line or lines in a fixed-width font and highlighted:

    foo

The only exceptions involve tabular contexts or a series of lines or paragraphs, each of which starts with a special character sequence. In those cases, the character sequence just appears in bold face.

Code is generally a larger character sequence intended for automated processing or a version of such a character sequence simplified for expository purposes, as in the skeletal XML given below. Code appears in the same way as longer character sequences but usually consists of multiple lines and may start with a one-line description followed by a blank line.

Code example:

    Sections of code appear like this in a fixed-width font so exact
    spacing and line breaks can be indicated.
       This line starts with three spaces.

In some cases, code has line numbers so that detailed comments in the text can be associated with particular lines. In such cases, "Lnn " has been added to the beginning of each line. The space after the closing bracket is part of the line numbering.

Line Numbered Code example:

    L30

Table of Contents
Section | Page |
---|---|
Preface | p. xvii |
Part I Introduction | p. 1 |
1. XML and Security | p. 3 |
2. Digital Cryptography Basics | p. 13 |
Part II XML Basics | p. 33 |
3. The Extensible Markup Language | p. 35 |
4. XML Document Type Definitions | p. 69 |
5. XML Schema | p. 87 |
6. XPath: A Basic Building Block | p. 99 |
7. URIs, xml:base, and XPointer | p. 123 |
8. SOAP | p. 145 |
Part III Canonicalization and Authentication | p. 167 |
9. XML Canonicalization: The Key to Robustness | p. 169 |
10. XML Signatures and Authentication | p. 207 |
11. Profiling XMLDSIG for Applications | p. 253 |
12. ETSI "Advanced" XML Signatures | p. 263 |
Part IV Keying | p. 293 |
13. The KeyInfo Element | p. 295 |
14. XKMS: XML Key Management | p. 319 |
Part V Encryption | p. 341 |
15. XML Encryption | p. 343 |
16. Combining Encryption and Signature | p. 371 |
Part VI Algorithms | p. 381 |
17. Overview of Algorithms | p. 383 |
18. Cryptographic Algorithms | p. 395 |
19. Non-cryptographic Algorithms | p. 421 |
Appendixes | p. 435 |
Appendix A XML Security Implementations | p. 437 |
Appendix B The W3C and W3C Documents | p. 453 |
Appendix C The IETF and IETF Documents | p. 459 |
Appendix D The NIST and NIST Documents | p. 465 |
Appendix E The Paper and Protocol Points of View | p. 469 |
Appendix F SOAP Encoding Schema | p. 481 |
References and Acronyms | p. 495 |
Index | p. 507 |