Customer Reviews

Secure XML: The New Syntax for Signatures and Encryption

5 star:		(8)
4 star:		(0)
3 star:		(0)
2 star:		(0)
1 star:		(0)

 

 

Suppose you have XML data that you want to regularly
send to Bob, across the Internet. But it is of a
confidential nature, so you don't want to send it as
plaintext. Well, you can try using low level
encryptions, like SSL or TLS. But these don't give any
authentication, ie. Bob can't tell that you actually
sent them. Also, once Bob gets the messages, they are
all in plaintext, so he can't easily protect these
against others, if he is on a multiuser computer.

One answer is to incorporate encryption into XML, by
defining cryptographic standards that sit atop XML,
and generate XML documents with encrypted data. These
let you and Bob use powerful XML-based routines like
XPath, XLink and XPointer. Plus, you can now do things
like append your digital signature to your plaintext
file, encrypt the combination with Bob's public key,
and get a resultant XML document that you can send
Bob. Upon receipt, he can decrypt it and verify that
you are the author, all the while dealing with XML
documents.

This book explains the emerging XML standards that
make this possible. They discuss at a high level the
various cryptographic algorithms, like AES [Advanced
Encryption Standard], Diffie-Hellman and MD5. Little
mathematics is needed, as they leave the mechanics of
the algorithms to other books. Instead, they describe
the XML infrastructure that uses these.

The book has a necessarily comprehensive description
of canonicalisation; which refers to the rewriting of
an XML document in a standard form, prior to
encryption. Otherwise two semantically identical
documents would give different ciphertexts, which is
confusing.

If you have been wondering if you should encrypt your
XML documents, and how to do so, this book may clarify
many issues.

The book Secure XML is an authoritative guide to learn about XML and issues involved with XML security. This book is organized and written to help you understand, design and develop secure XML applications.

The book is divided into 6 parts. The first part introduces the XML and the world of digital cryptography. The next section in the book makes sure you know all the necessary details on XML and family of standards. The second part covers XML basics, Namespaces, DTDs, Schemas, XPath, XPointer and SOAP.

The next four parts focus on XML security related details, covering XML digital signatures, XML encryption, and XML canonicalization. Part III deals with authentication - that is digital signatures, message authentication codes, etc. Part IV talks about XKMS (XML Key Management System) and illustrates implementing cryptographic security using keys. Part V discusses XML Encryption in great detail. And finally, the part VI presents various cryptographic and non-cryptographic algorithms.

In summary, this is a perfect book that provides reliable solutions for securing XML and for safeguarding information flow across today's sophisticated Web.

In researching business requirements for enterprise web services, it soon became obvious that XML security would be an important issue.

I happened across this book, with a seemingly simple format and am impressed with the information it provides, the progression of information, and how well I was able to understand and comprehend the concepts detailed.

After reading serveral books on XML in general, I would recommend this book to anyone just wanting to learn XML concepts.

I wish more technical books gave me the same feeling of usefulness that this one gave me.

As they say in the movie industry... "An enthusiastic thumbs up"

Collaboratively written by Donald Eastlake (Co-chair of the joint IETF/W3C XML Digital Signature working group) and freelance technical writer Kitty Niles, Secure XML: The New Syntax for Signatures and Encryption is a solid, accessible, step-by-step guide to the processes for encrypting and ensuring security of XML applications. Individual chapters competently address canonicalization and authentication, encryption, cryptographic and non-cryptographic algorithms, and much, much more. Highly recommended for advanced XML users, Secure XML is a comprehensive, technically proficient, and detailed instructional resource and reference filled from cover to cover with extensive discussion and practical examples.

Want to use XML for a security application, but feel oppressed by the stack of standards? Get lost trying to think about digital signatures and XML canonicalization at the same time? This is the book for you. It covers security and is a guide to the inter-related standards for XML; with it you'll be able to create XML documents and add security enhancements without being devoured by the Minotaur of exceptions. You'll also be able to make full use of the fine-grained security mechanisms for digital signatures, authentication, and encryption.

The authors pull off a neat trick in being able to introduce basic material, exposition and diagrams, side commentary, and still follow the top-down structure of the several standards documents on which this technology is built.

Keep this book with you at all times when you enter the XML security world.

This book is actually two books - a thorough technical discussion of XML, SOAP and related technologies, and a detailed description of security infrastructures based on cryptography, digital signatures and encryption. As such it's best suited for two audiences: (1) enterprise security experts who understand the security infrastructure, but who lack a working knowledge of XML (or web services as a whole), and developers and architects who may be thoroughly familiar with XML, but who need to understand security as it applies to XML and related protocols and services. Neither audience may be completely satisfied with the book because half of the material will be too basic. However, it does draw together two groups - security and development - that need to work closely together.

What I like about the book is the clear writing and copious use of illustrations. In fact, the illustrations are a highlight because they help to convey complex topics that would have taken many more pages to explain with text alone (as well as put one to sleep). More importantly, the information is technically accurate, especially with respect to the security-related chapters. It's apparent that the authors know both XML and security exceptionally well.

I also like the comprehensive coverage of both XML (and related technologies) and security, and how the authors take each in insolation, then tie them together into a coherent explanation of how to achieve XML security. This is no small feat, and is also why much of the material in the book may seem too basic or redundant to some readers.

In addition to clear, accurate information the authors are not reticent about expressing views that run counter to mainstream wisdom, which is refreshing and, at times, amusing. Moreover, they do not hesitate to point out weaknesses in any of the technologies discussed in the book.

In my opinion this is an important book that is wide in scope, yet manages to seamlessly cover technical issues that are of interest to two widely different groups (security practitioners and architects/developers).

When you read the XML specification, you will notice that it contains no notion of security. Critical security functionalities such as encryption, digital signatures, and authentication are simply not part of the XML standard. XML is similar to many other protocols, languages, and operating systems in that it was originally developed without any thought to security and privacy. It is only after serious security vulnerabilities are discovered and publicized that they are patched. But this find, patch, fix mentality of information security is dangerous in that security problems can exist for months or years before they are found.

Similarly within XML, much of the security functionality has been added post- facto, namely in Canonical XML, XML Signature, and XML Encryption Syntax and Processing. By adding security to the core feature set of XML, the W3C has ensured that,
to a degree, the find, patch, fix method won't be the manner in which XML security is developed. A good reference book can help you navigate this XML security landscape.

Topics such as authentication, encryption, XML signatures, algorithms, and keying are discussed. For the most part, the bulk of XML security is covered.

Donald Eastlake, the lead author of Secure XML: The New Syntax for Signatures and Encryption, is the co-chairman of the joint IETF/W3C XML Digital Signature working group, a member of the W3C Encryption and W3C XML Key Management System working groups, and co-author of the XML Digital Signature, XML Encryption, and XML Exclusive Canonicalization standards. It is clear that Eastlake lives and breathes XML. As Eastlake is a writer of numerous W3C XML standards, and standards are often written in a terse and abstract manner; his book has a slightly stiffer writing style than XML Security. If you can get over this style, you can appreciate the comprehensive and uthoritative look at XML the book provides from one of the key architects of the syntax.

Secure XML covers and details every XML security feature. Also, it spends a lot of time giving examples of syntax and language use. This is especially so in chapter 9, XML Canonicalization - The Key to Robustness. Canonicalization is the extraction of the standard form of some data and the discarding of insignificant aspects of the data's surface representations. The book notes that getting the right canonicalization is one of the most important, yet difficult aspects of digital authentication within XML. Chapter 10 goes into great detail about XML signatures and authentication. The chapter gives numerous code examples of various contexts, schemas, and elements that readers can use on their own XML servers. Chapter 10 also has numerous notes and historical information about XML security with information that can't be found elsewhere.

I have spent many hours on WS-Security, and this book was what finally got me up to speed on XML security.

Don Eastlake is an old IEFT head. He did a great job with this book both in completeness and explanation. It is complete in that he covers everything. The explanations are clear with good examples.

I would note in passing, however, that you should consider the use of Fast Infoset, where the XML instance documents are replaced by ASN.1 instance documents. That is, if you serialize and deserialize based on an XSD, you are usually better off using the Fast Infoset approach. This can have an improvement of 40% smaller instance documents and 40% faster processing. This is a big win. See "Fast Infoset" in the Wikipedia. ASN.1 security is trivial because the RSA PKCS CMS specifications are all in ASN.1, using digitial signatures and encryption.