
Seven Steps to XML Mastery, Step 7: Ensure XML Security

We’ve come a long way since the beginning of our journey toward XML mastery. In this last article of his series, Frank Coyle examines XML-related security issues, beginning with the family of XML security standards and then moving on to the threat of black-hat attacks and what you can do to safeguard your XML-based applications.
For more information about this series, start by reading Frank Coyle's introduction, Seven Steps to XML Mastery: About This Series.

As XML and web services play an increasingly important role in enterprise applications, security becomes a critical concern. Unfortunately, as any technology gains ascendancy, it draws the attention of black-hat attackers, continuously on alert for opportunities to wreak havoc by stealing data or bringing servers to their knees. As XML finds its way into enterprise applications, it too finds itself in the crosshairs of attackers.

In this seventh and final step on the path to XML mastery, we look at the family of security-related XML standards, focusing on the two foundational XML security standards, XML Digital Signature and XML Encryption. We’ll examine some black-hat attacks that focus on XML and web services processing models, to see how WSDL, entities, and web services open up new attack possibilities for enterprising hackers.

Public Key Encryption

At the heart of XML security sits public key encryption technology, one of the major computer science contributions of the 20th century. Based on prime number theory, public key encryption solves a centuries-old security problem—how to keep a code secret. Spies go to great lengths to secure their secret codes, which if compromised can have dire consequences.

Public key encryption technology, also referred to as asymmetric key technology, is based on having two keys, one private and the other public. The two work as a pair: what one key encrypts, only the other can decrypt. The private key is intended for only one person; the public key is open to the world. When a message is encrypted with the public key, only the private key can decrypt it. This arrangement allows messages to be sent in secret to the private-key owner. On the flip side, when a message is encrypted with the private key, only the public key can decrypt it. This setup provides authentication that the received message actually came from the owner of the private key, and it is the basis of digital signatures such as XML Digital Signature. Figure 1 illustrates how public and private keys are used in practice.

Figure 1: Public key encryption is based on a dual-key system, one private and one public, that supports confidentiality and authentication.
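The two key directions above, as an added example that is not from the article: a textbook RSA round-trip with toy primes (p = 61, q = 53 are constructed values), showing that the public key can encrypt but not decrypt, and that a value produced with the private key checks out only under the matching public key. No padding, hashing or real key sizes are used; it illustrates the key relationship, not a deployable cryptosystem.

```python
# Added example, not from the article: textbook RSA with toy primes, to show the
# two key directions described above. No padding, no hashing, tiny modulus:
# it illustrates the key relationship only and is not a usable cryptosystem.
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Derive a textbook RSA key pair from primes p and q.
    Returns (public_key, private_key), each an (exponent, modulus) tuple."""
    n = p * q
    phi = (p - 1) * (q - 1)                  # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                      # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def apply_key(message: int, key) -> int:
    """Raise the integer message to the key's exponent modulo n. The same
    operation serves as encrypt, decrypt, sign and verify; only the key differs."""
    exponent, n = key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, exponent, n)


def confidentiality_holds(message: int, public_key, private_key) -> bool:
    """Direction 1: encrypt with the public key, decrypt with the private key.
    Also checks that the public key alone cannot undo its own operation."""
    ciphertext = apply_key(message, public_key)
    public_key_cannot_decrypt = apply_key(ciphertext, public_key) != message
    return apply_key(ciphertext, private_key) == message and public_key_cannot_decrypt


def verify_signature(message: int, signature: int, public_key) -> bool:
    """Direction 2: a value produced with the private key checks out under the
    public key, which is what lets the receiver attribute it to the key owner."""
    return apply_key(signature, public_key) == message


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)         # constructed toy primes: n = 3233
    m = 65                                   # constructed sample message
    print("confidentiality:", confidentiality_holds(m, pub, priv))
    sig = apply_key(m, priv)                 # "encrypt" with the private key
    print("genuine message verifies:", verify_signature(m, sig, pub))
    print("altered message verifies:", verify_signature(m + 1, sig, pub))
```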

