Secure Web Forms with Client-Side Signatures

Similar documents
<put document name here> 1/13

Agenda IBM Workplace Forms

Some more XML applications and XML-related standards (XLink, XPointer, XForms)

XML Metadata Standards and Topic Maps

KINGS COLLEGE OF ENGINEERING 1

IT2353 WEB TECHNOLOGY Question Bank UNIT I 1. What is the difference between node and host? 2. What is the purpose of routers? 3. Define protocol. 4.

IT6503 WEB PROGRAMMING. Unit-I

XML Applications. Introduction Jaana Holvikivi 1

IBM LOT-985. Developing IBM Lotus Notes and Domino(R) 8.5 Applications.

IBM A Assessment: Developing IBM Lotus Notes and Domino 8.5 Applications.

Chapter 10 Web-based Information Systems

XML for Java Developers G Session 8 - Main Theme XML Information Rendering (Part II) Dr. Jean-Claude Franchitti

Agenda. Summary of Previous Session. XML for Java Developers G Session 6 - Main Theme XML Information Processing (Part II)

Programming Web Services in Java

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Design and Implementation of a RFC3161-Enhanced Time-Stamping Service

A tutorial report for SENG Agent Based Software Engineering. Course Instructor: Dr. Behrouz H. Far. XML Tutorial.

Introduction to XML. XML: basic elements

Delivery Options: Attend face-to-face in the classroom or remote-live attendance.

Oral Question Bank for CL-3 Assignment

DICOM Structured Reporting: Implementation Experience

Introduction to XML. Asst. Prof. Dr. Kanda Runapongsa Saikaew Dept. of Computer Engineering Khon Kaen University

SHAREPOINT-2016 Syllabus

Rich Web Application Backplane

AlphaTrust PRONTO - Transaction Processing Overview

Delivery Options: Attend face-to-face in the classroom or via remote-live attendance.

Call: SharePoint 2013 Course Content:35-40hours Course Outline

CSI 3140 WWW Structures, Techniques and Standards. Representing Web Data: XML

Smart Browser: A framework for bringing intelligence into the browser

UELMA Exploring Authentication Options Nov 4, 2011

Introduction to XML 3/14/12. Introduction to XML

FOR MORE PAPERS LOGON TO

Programming the World Wide Web by Robert W. Sebesta

Inf 202 Introduction to Data and Databases (Spring 2010)

Java Framework for Database-Centric Web Site Engineering

IBM Forms V8.0 IBM Forms Classic - Forms Designer IBM Corporation

Security Digital Certificate Manager

IBM. Security Digital Certificate Manager. IBM i 7.1

Keys to Web Front End Performance Optimization

Agenda. Summary of Previous Session. XML for Java Developers G Session 7 - Main Theme XML Information Rendering (Part II)

Data Querying, Extraction and Integration II: Applications. Recuperación de Información 2007 Lecture 5.

This course is designed for web developers that want to learn HTML5, CSS3, JavaScript and jquery.

Markup Languages SGML, HTML, XML, XHTML. CS 431 February 13, 2006 Carl Lagoze Cornell University

Manipulating XML Trees XPath and XSLT. CS 431 February 18, 2008 Carl Lagoze Cornell University

Shankersinh Vaghela Bapu Institue of Technology

Internet Standards for the Web: Part II

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

COMP9321 Web Application Engineering

AIM. 10 September

Trustworthy Verification and Visualisation of Multiple XML-Signatures

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Tennessee. Trade & Industrial Course Web Page Design II - Site Designer Standards. A Guide to Web Development Using Adobe Dreamweaver CS3 2009

HTML 5 and CSS 3, Illustrated Complete. Unit L: Programming Web Pages with JavaScript

MyMobileWeb project's position

INDEX. Drop-down List object, 60, 99, 211 dynamic forms, definition of, 4 dynamic XML forms (.pdf), 80, 89

Digitalisation and electronic signatures

SRI VIDYA COLLEGE OF ENGINEERING & TECHNOLOGY- VIRUDHUNAGAR

COMP9321 Web Application Engineering. Extensible Markup Language (XML)

Introduction to the Internet and World Wide Web p. 1 The Evolution of the Internet p. 2 The Internet, Intranets, and Extranets p. 3 The Evolution of

Alpha College of Engineering and Technology. Question Bank

SSH Communications Tectia SSH

1 CUSTOM TAG FUNDAMENTALS PREFACE... xiii. ACKNOWLEDGMENTS... xix. Using Custom Tags The JSP File 5. Defining Custom Tags The TLD 6

XML: Introduction. !important Declaration... 9:11 #FIXED... 7:5 #IMPLIED... 7:5 #REQUIRED... Directive... 9:11

XML Data Scenarios. II. Data and Documents. University of California Extension Sunnyvale, June 10, Jon Bosak Sun Microsystems

Govt. of Karnataka, Department of Technical Education Diploma in Computer Science & Engineering. Fifth Semester. Subject: Web Programming

COPYRIGHTED MATERIAL. Contents. Part I: Introduction 1. Chapter 1: What Is XML? 3. Chapter 2: Well-Formed XML 23. Acknowledgments

Microsoft SharePoint Designer 2010

Exam Name: IBM Forms 4 - Form Design and Development

WebDev. Web Design COMBINES A NUMBER OF DISCIPLINES. Web Development Process DESIGN DEVELOPMENT CONTENT MULTIMEDIA

Extreme Java G Session 3 - Sub-Topic 5 XML Information Rendering. Dr. Jean-Claude Franchitti

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

The Business Value of Open Standards. Michael(tm) Smith

MAIL PLUGIN FOR IBM MASHUP CENTER

MarkLogic Server. Information Studio Developer s Guide. MarkLogic 8 February, Copyright 2015 MarkLogic Corporation. All rights reserved.

Repository In a Box (RIB)

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

IBM i Version 7.2. Security Digital Certificate Manager IBM

web.xml Deployment Descriptor Elements

1.264 Lecture 13 XML

Etanova Enterprise Solutions

x ide xml Integrated Development Environment Specifications Document 1 Project Description 2 Specifi fications

SDMX self-learning package XML based technologies used in SDMX-IT TEST

Implementing Electronic Signature Solutions 11/10/2015

Abstract. 1. Introduction

UI Course HTML: (Html, CSS, JavaScript, JQuery, Bootstrap, AngularJS) Introduction. The World Wide Web (WWW) and history of HTML

XML Processing & Web Services. Husni Husni.trunojoyo.ac.id

Niagara 3.7 New Feature Review

VSP18 Venafi Security Professional

ibreathesports Inc. Apurva Alok Bernardo Silva

CS142 Winter 2017 Midterm Grading Solutions and Rubric

Introduction to Web Technologies

XFormsDB: An Extensible Web Application Framework Built upon Declarative W3C Standards

esign - Evolving Opportunities and Applications C E N T R E F O R D E V ELOPMENT O F A D VANCED C O MPUTING N O V E M B E R 1 5,

Structured documents

A Web-based XML Schema Visualizer José Paulo Leal & Ricardo Queirós CRACS INESCPORTO LA

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

DOWNLOAD OR READ : XML AND XSL TWO 1 HOUR CRASH COURSES QUICK GLANCE PDF EBOOK EPUB MOBI

Configuring SSL CHAPTER

Transcription:

ICWE 2005 Secure Web Forms with Client-Side Signatures Mikko Honkala and Petri Vuorimaa, Finland Mikko.Honkala -at- hut.fi

Outline of the talk Introduction to Secure Web Forms Research Problem and Use Cases Requirements for the Signature Scheme Design and Implementation Use Case Implementation Discussion and Related Work Conclusions

Introduction Commerce and communication tasks are becoming popular in the World Wide Web (WWW) Web is transforming from a platform for information access into a platform for interactive services Secure transactions with client-side authentication and signature are needed in many cases Banking, e-commerce, secure e-mail, contracts Securely tracking workflows

What You See Is What You Sign Capability to express the signature over everything that was represented to the user Important, but often overlooked property of digital signing applications Some schemes go as far as including screen captures with the signature However, this may be impossible to process with subsequent software Better solution is to include everything that affected, what the user saw: Content, Images, stylesheets, etc.

Research Problem How to create legally binding secure services in the WWW? Secure transmission already working (SSL), but does not support the notion of client-side signatures Main problem is to enable WWW services to allow digital signatures over the the user s input Ensure that the user has a clear understanding what she is signing Ensure full reconstruction of the signed form, when validating the signature

Use Cases 1. Single form. The user downloads a form (e.g. an email to be written), interacts with it and then selects a signing key, signs the form and then sends it to the server for processing. 2. Form approving. A signed form is sent to a supervisor, who adds some data, and then signs it. 3. Multiparty form. Multiple parties are filing a single insurance claim. It should be possible to add new parties and attachments, but each of the parties signature must not allow changes in the core information of the claim form.

Use Case 3: Multiparty form

Requirements for Signature Security Client-side: The signature must be generated client-side so that the user can check the signature validity before submitting. Also, support for signing with secure smart card must be supported. Common algorithms: The signature must be generated using common, trusted, algorithms for maximum security. Signed form reconstruction: It must be possible to reconstruct the signed form in case of dispute.

Requirements for Signature Coverage In order to fullfill the WYSIWYS principle, these parts must be signed User input: The data user inputted through the form. UI: The UI document, which describes the layout of the form. All referenced data: Stylesheets, images, objects, applets, scripts, schemas, external instances, etc. The user agent info: Information about the user agent.

Additional Requirements Complex signature support: Support for complex signing scenarios. Partial signature: Support signing only part of the form. Multiple signatures: Support multiple signatures within one form. Form language integration Ease of authoring: Provide as easy syntax as possible for authors. Ease of implementation: Use of off-the-shelf libraries should be possible. Modality and host language independence: The design should beindependent of modality and host language.

Design Decisions XHTML+CSS+XForms was chosen as the form language Good support for the XHTML+CSS layout in browsers XForms is device-independent XForms does not require scripting state of the form is encoded in an XML instance XML Signature was chosen as the signature description, transmission, and processing language Ability to add XML objects inside the signature Ability to sign external URL references (using hash value of the referenced content) Supports different kinds of signatures, hash and signature algorithms

XForms W3C s next-generation Web forms language Based on existing powerful XML technologies Separates model/view The state of the form is preserved in the model Uses a declarative programming approach No scripting needed

XML Signature XML Signature is a W3C specified XML format for describing digital signatures The specification also defines normative processing rules for signature creation and validation

Design Integration of XForms and XML Signatures standards Main design goal was to keep it simple to both authors and implementers Two extensions to XForms language <sign> action element, which is an XML Events handler signature-ready DOM event Procedures for signature creation and validation defined

Process Description

Signature Creation User stylesheets are disabled Only top-level windows can be signed An enveloped signature (with Signature element as root) is created The instance data of XForms is copied and embedded inside Object elements All references to URLs are included in the signature as detached references The host document All referenced URLs separately: images, objects, applets, stylesheets, scripts, XForms external instances, xinclude, xlink, XSLT A valid signature is created over all references

Document With External References

Created Signature Structure

Signature Validation 1. Find the Signature element from the submitted instance data. 2. Check that public key corresponds to the users identity. 3. Validate the Signature element according to the XML Signatures' core validation rules. 4. Do application-specific validation of all resources. For detached references, check that the URL is correct. For enveloped resources, application-specific logic must be included in the validation. 5. The Signature is accepted if none of the checks fails.

XML Example Extremely simple to add a signing action to a form: <trigger> <label>sign message</label> <sign:sign to="instance( signature )/.." ev:event="domactivate"/> </trigger>

Implementation A new signature component was created for the browser That component accesses other components that handle the document to access: The XForms instance data All resources referenced via an URL The XML Signature is created using the Open Source Apache XML Security 1.1 for java library, which was stripped down to 331 KB Other classes size is 25 KB Total storage size 356 KB

Use Case Implementation Use Case 3: Multiparty Form (Insurance claim) was implemented as a proof of concept Consists of Single form Server-side servlet, which filters the current view with simple XPath statements From the client s point of view, the view is signed completely

Use Case 3: Adding a Signer

Use Case 3: Viewing the Claim

Use Case 3: Sign Debug View

Use Case 3: Verify Debug View

Discussion: Security Issues In the Web any user agent can be used to interact with the services Since the user agent creates the signature, the user must trust the user agent fully That is the only software component, that the user must trust The service does not install extra software into the client For maximum security the signature should be created in a smart card Private key cannot be tampered with PKI should be used to authenticate the signer

Discussion: Related work Some commercial form systems support signatures Adobe, PureEdge XFDL, InfoPath Research papers published about XFDL XFDL differs from CSS-based languages Single XML definition, that includes everything: the form description, layout, fonts, colors, form data, and even binary signatures In the Web resources are distributed over multiple resources and fetched from an URL using HTTP The browser puts together the pieces and creates the final presentation Different requirements for the signature scheme

Conclusion The research problem was: How to create legally binding secure services in the WWW 3 representative use cases were described Requirements for secure client-side signatures were derived from the use cases A design, which integrates XForms with XML Signature was created The proposed design was implemented in a open-source user agent, One of the use cases was implemented using the extended user agent

Future Work Propose to adopt the scheme in the W3C XForms Working Group Adding user agent info (CC/PP or a simpler scheme) into the signature Supporting forms, which use HTML+Scripting Already analyzed in the paper XHTML+Scripting is possible by adding the current DOM as an embedded reference HTML+Scripting is more difficult, since browsers fix non-wellformed HTML differently, so serialization would differ between implementations

Thank you!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback