Re: md5sum / sha1sum for XML?
Indeed.

The acronym that I find most useful when thinking about security matters is CAIN :-

(C)onfidentiality (message encryption at the transport or message (preferred) level)
(A)uthentication/Authorisation (various types of secure token e.g. certs)
(I)ntegrity (tamper-proofing - usually dig sig)
(N)on repudiation (usually dig sig)

So depending on what features you need (often more than one), select your poison.

Fraser.

On 14/07/06, Mitch Amiano <mitch.amiano@a...> wrote:
> An encrypted file need not be signed at all, and a signed file need not
> be encrypted.
> The two things - signing and encrypting - are distinct operations.
> One you do to ensure no one can read the data that shouldn't be reading it.
> The other you do to ensure that no one has tampered with data that
> shouldn't be tampered with, while not necessarily encumbering the
> ability to read it.
>
> Now, I'm not a security expert. Someone with more experience in this
> area may correct me on this, and could speak to the issue a bit more
> practically.
>
> But encryption alone is insufficient. One reason is that someone might
> well encrypt another file and substitute it for your original encrypted
> package. With a signature, both you and the receiver can perform a
> subsequent test that the signature and file still match up. Of course,
> if the signature is also with the original data, and that's your only
> copy, then someone could replace the signature too. Even if not, you or
> the receiver could conceivably maliciously replace both the file and
> the signature, thus creating an uncertainty about whose copy is authentic.
>
> Dave Pawson wrote:
> > On Fri, 2006-07-14 at 13:21 -0400, Mitch Amiano wrote:
> >
> >> https lets you send the data within a stream of packets of encrypted data.
> >> The signature gives you confidence that an unencrypted packet of data
> >> hasn't been altered.
> >> To take a document and encrypt it, so it is unreadable without
> >> decrypting, you could use encryption software such as GNU Privacy Guard
> >> or an API's crypt function.
> >>
> >
> > Would this be prior to or after 'signing' it?
> > If xml-sig is an analogy of an sha1sum, surely after?
> >
> > I guess a 'standard' crypt library is good enough for data protection
> > act, due care etc;
> > though I do need one for a Java client and Microsoft server (which
> > doesn't make for an easy life :-)
> >
> > regards
> >
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://www.oasis-open.org/mlmanage/index.php>
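
The substitution problem raised in the quoted message, as an added example that is not part of the original thread: a checksum shipped beside the file can be recomputed by whoever swaps the file, while a separately held copy or a keyed tag still catches the swap. Assumptions: HMAC-SHA256 with a shared key stands in for a digital signature (it gives integrity and authentication, not non-repudiation), SHA-256 replaces sha1sum, and the function names, key and XML sample are constructed.

```python
import hashlib
import hmac

def bare_digest(data: bytes) -> str:
    # Unkeyed checksum, like sha1sum output: anyone can recompute it.
    return hashlib.sha256(data).hexdigest()

def keyed_tag(key: bytes, data: bytes) -> str:
    # Keyed tag: recomputing it requires the secret key.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def package(key: bytes, data: bytes) -> dict:
    # File shipped together with both kinds of check value.
    return {"data": data, "digest": bare_digest(data), "tag": keyed_tag(key, data)}

def substitute(pkg: dict, new_data: bytes) -> dict:
    # Someone without the key swaps the file and refreshes the unkeyed
    # checksum; the keyed tag can only be carried over unchanged.
    return {"data": new_data, "digest": bare_digest(new_data), "tag": pkg["tag"]}

def check(key: bytes, pkg: dict, trusted_digest: str) -> dict:
    # Three independent checks the receiver can run on what arrived.
    data = pkg["data"]
    return {
        "bundled_digest": hmac.compare_digest(bare_digest(data), pkg["digest"]),
        "separate_digest": hmac.compare_digest(bare_digest(data), trusted_digest),
        "keyed_tag": hmac.compare_digest(keyed_tag(key, data), pkg["tag"]),
    }

def demo() -> dict:
    key = b"constructed-shared-secret"  # constructed sample key
    sent = package(key, b'<order id="1"><total>10.00</total></order>')
    trusted = sent["digest"]  # copy the receiver obtained out of band
    swapped = substitute(sent, b'<order id="1"><total>9999.00</total></order>')
    return {"sent": check(key, sent, trusted), "swapped": check(key, swapped, trusted)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
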