Re: The sky is falling! XML's dirty secret! Go back! It's a
Let me say a bit. I've been involved with security, crypto, PKI, for (too many) years.

First, having the data tagged or not is not a security issue. Data thieves already *know* what the data they're looking for looks like: 123-45-6789 is probably a US social security number, 3141 5926 5358 9483 is probably a credit card number, and so on. It doesn't have to say <ccard type="amex">....</ccard> to stick out.

Even more likely, however, is the likelihood that the thieves include someone inside the organization, who can get the data description. So even if the markup itself is little more than a comma separating fields, the bad guys will know where to look.

As for encryption, the principle that "only the key (not the algorithm, etc.) is important" dates back to 1883 (Kerckhoffs). This means that knowing something is encrypted -- XML-ENC defines an <EncryptedData> tag -- is okay. And for modern cryptosystems, used properly, it is.

> The question might be, is it possible that markup
> leaves signposts in encrypted data that make them a security
> risk?

No. The attack mentioned elsewhere -- knowing the structure of the data might give hints -- is easily thwarted. XML-ENC allows you to insert a "nonce" -- a stream of random bytes -- at the beginning of the text to be encrypted.

Hope this helps.

/r$
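The point about tagging can be checked with a data-discovery scan of the kind a DLP tool runs. The sketch below is an added example, not part of the original message. It uses the two values quoted in the message; the record layouts, function names and the Luhn false-positive check are assumptions introduced here.

```python
import re

# Shape-only patterns: no field names or markup are consulted.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to grade card-shaped matches."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) findings based purely on value shape."""
    findings = [("ssn-shaped", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        ok = luhn_ok(m.group())
        kind = "card-shaped, Luhn ok" if ok else "card-shaped, Luhn fails"
        findings.append((kind, m.group()))
    return findings


# Constructed sample records carrying the message's two values three ways.
TAGGED = ('<cust><ssn>123-45-6789</ssn>'
          '<ccard type="amex">3141 5926 5358 9483</ccard></cust>')
OBSCURE_TAGS = "<a><b>123-45-6789</b><c>3141 5926 5358 9483</c></a>"
CSV = "Smith,123-45-6789,3141 5926 5358 9483"

if __name__ == "__main__":
    for label, record in (("tagged", TAGGED),
                          ("obscure tags", OBSCURE_TAGS),
                          ("csv", CSV)):
        print(f"{label:13} {scan(record)}")
```

All three layouts yield identical findings, so renaming or dropping the tags changes nothing about what a scan turns up. The digits-of-pi card number from the message is card-shaped but fails the Luhn check, which is how a scanner separates real card numbers from look-alikes.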