LANGUAGES: All .NET Languages
ASP.NET VERSIONS: All
Security and XML
The Need for New Techniques Relates to How the XML Data Is Used
By Don Kiely
ASP.NET applications make heavy use of XML data for a variety of reasons, not the least of which is the extensive support for XML in the .NET Framework. The nature of XML makes it most useful for moving data from one place to another, such as between:
- different components in a single application
- a single application running multiple instances on different machines
- different applications running on entirely different platforms
There are numerous risks, however, with any such transmission of data across a network - particularly over the notoriously insecure Internet. Anyone with some basic skills can sniff packets, or use other techniques to look at what you're sending; this shouldn't be news to anyone in this day and age.
XML is no different than other data when it comes to security. If you transmit plain XML across the Internet, malicious hackers don't even need any new tools to see what you're up to, and can play havoc with the data just as easily as ever. The only thing that really changes is that as XML is adapted to more uses, an increasing percentage of data will be transmitted in that format. So the need for new techniques to deal with XML security is related more to how the XML data is used in applications. Keep in mind that for many applications, existing security systems, particularly Secure Sockets Layer (SSL), are probably all you need.
Security is currently a hot topic in the technology community, which is a bit strange since it has always been important. But as more people put more of their lives and critical, personal information on the Internet, there is a heightened awareness of the issues. And the W3C is responding to the demands for secure XML with various initiatives, many in their earliest stages of development.
There are two approaches to the ambiguous phrase "XML and security." The first is to use XML as a data format that implements security in some way. This means, for example, defining XML schemas that assist in securing online resources, whether the resource is formatted as XML or not. The Organization for the Advancement of Structured Information Standards (OASIS) is an independent body that is leading most of these kinds of initiatives to develop security frameworks.
The other approach is to provide security for XML data. This may involve XML formats, but the primary focus is to protect data that happens to be in XML. The W3C is taking the lead on this type of security technology.
XML Security Issues
Computer and software security is philosophically mature. Conceptual frameworks for understanding risks and how to protect against them have long been in place. What is constantly changing is the response to new and different risks that malicious hackers, with no better way to channel their skills, devise to attack systems. The primary objectives of data security are confidentiality, integrity, authentication, and non-repudiation.
- Confidentiality is the protection of data from prying eyes, keeping it out of the hands of all except those who have a right to see it.
- Integrity is protecting the content and structure of data, preventing it from modification either by accidental corruption or by intentional sabotage. At the very least, it means letting the sender or recipient know that integrity has been violated so they don't rely on faulty data.
- Authentication is making people prove they are who they say they are. Most commonly, if a person knows the password associated with a user name, we consider it a safe enough bet that the person is who they claim.
- Non-repudiation is knowing for certain who either sent or received information so that the person later cannot claim that they didn't send or receive it. This is a crucial requirement for using XML for online commerce.
To achieve these security objectives, security must be designed into the applications that both create and consume XML data, based on the processes used in the applications.
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK.