Abstract
One major challenge in digitally signing a document is the so-called “what you see is what you sign” problem. XML, as a meta-language for encoding semistructured data, offers new opportunities for a solution. The ability to check fundamental properties of XML-encoded documents (well-formedness, validity) can be used to improve the security of the signing process for such documents. In this paper we present an architecture for checking and signing XML documents on a smart card in order to enhance control over the documents to be signed. The proposed architecture has been used successfully to implement a secure, smart-card-based electronic banking application for the financial transactions system FinTS.
Copyright information
© 2004 Springer Science + Business Media, Inc.
About this paper
Cite this paper
Gruschka, N., Reuter, F., Luttenberger, N. (2004). Checking and Signing XML Documents on Java Smart Cards. In: Quisquater, JJ., Paradinas, P., Deswarte, Y., El Kalam, A.A. (eds) Smart Card Research and Advanced Applications VI. IFIP International Federation for Information Processing, vol 153. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8147-2_19
DOI: https://doi.org/10.1007/1-4020-8147-2_19
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4020-8146-0
Online ISBN: 978-1-4020-8147-7
eBook Packages: Springer Book Archive