Archive for the ‘Web Services’ Category
XML Digital Signatures
Introduction:
XML digital signatures are a way to digitally sign an XML document so that the recipient is able to authenticate the Integrity of document. There has been enough literature in place dealing with the theoretical aspect of explaining digital signature and how are they useful in verifying the integrity of the document, this article will focus upon implementing the same using the Java XML digital signature API provided by SUN.
Brief Description of Java Digital Signature API:
Sun Microsystems provides a standard set of Java technology APIs to sign and verify XML and binary documents. The Java Community Process (JCP) program defined these APIs as JSR 105. Sun ships these APIs with the Java Web Services Developer Pack (JWSDP), Project GlassFish, and the Java Platform, Standard Edition (Java SE), version 6.
Brief Understanding of Digital Signature Protocol:
- In order to create a digital signature, the sender first generates a small unique thumb-print of the document, called a hash or digest. Even a very minor change to the original document will cause the hash value to change.
- The hash of the document is signed or encrypted with the sender’s private key acts as a digital signature for that document and can be transmitted openly along with the document to the recipient.
- The recipient will be able to verify or decrypt the signature by taking a hash of the message and verifying it with the signature by decrypting it with senders public key that accompanied the message.
- The signature is authentic. When the receiver verifies the message with the sender’s public key, the receiver knows that the sender signed it.
- The signature cannot be forged. Only the sender knows his or her private key.
- The signature is not reusable. The signature is a function of the document and cannot be transferred to any other document.
- The signed document is unalterable. If there is any alteration to the document, the signature verification will fail at the receiver’s end because the hash value will be recomputed and will differ from the original hash value.
- The signature cannot be repudiated. The sender cannot deny previous committed actions, and the receiver does not need the sender’s help to verify the sender’s signature.
We can divide the whole process of this sample implementation roughly in two parts (A) XML Signature creation and (B) XML Signature Validation. Depending upon the needs of the implementation these two parts can be plugged together. For example there can be a web-service implementation where a client can send sensitive XML data after digitally signing it and the server can then validate it based upon the digital signature it received from the client.
