XMLSec 1.0 Helps Ensure Multi-Platform WS-Security
Developers this week have one more assurance that they will be able to implement WS-Security across multiple platforms. The XML Security Library, an Open Source implementation of the W3C's XML Digital Signature and XML Encryption recommendations (the core components of WS-Security), has shipped its 1.0 release. It supports multiple crypto engines, with OpenSSL, GnuTLS and NSS available out of the box.
The release of XMLSec 1.0 comes as the WS-I (Web Services Interoperability Organization) has launched a Basic Security Working Group to ensure that WS-Security implementations will interoperate across diverse platforms: .NET, Java and legacy systems. (See the WS-Security story here.)
The XML Security Library is an Open Source C library. The 1.0 release, directed by Aleksey Sanin, includes support for multiple crypto engines (with "out of the box" support for OpenSSL, GnuTLS and NSS); a simplified and cleaned-up internal structure and API; several performance and memory usage improvements; and new or updated documentation (tutorial, API reference manual and examples).
The download and the complete documentation for XMLSecLib are available. (A maintenance release is also available that fixes a few compilation problems for OpenBSD/sparc64, Win32 Watcom C and Sun Workshop CC 6.0. From now on, the Win32 MSVC port enables threading support by default.)
Developers can also obtain the XML Security Library's XML Signature Interoperability Report, which describes how XMLSec behaves when built against OpenSSL, GnuTLS and NSS.
Inside XMLSec Library
The XML Security (XMLSec) Library is a C library built on LibXML2 and a crypto engine (OpenSSL by default). It was created to support the major W3C XML security standards: XML Signature; XML Encryption; and Exclusive XML Canonicalization, issued as a W3C Recommendation on July 18, 2002, which defines how to canonicalize XML sub-documents so that they can be signed and verified independently of the message that carries them, as B2B digital signatures require (the canonicalization code itself is provided by libxml2).
XML Security Library supports all MUST/SHOULD/MAY features and algorithms described in the W3C standards, and provides an API to sign prepared document templates, add signature(s) to a document "on the fly", or verify the signature(s) in a document.
The W3C/IETF XML Signature working group, whose specification XMLSec implements, has as its mission to develop an XML-compliant syntax for representing the signature of web resources and portions of protocol messages (anything referenceable by a URI), together with procedures for computing and verifying such signatures. It is a joint working group of the IETF and W3C; the W3C hosts the e-mail list and WG site publicly in accordance with IETF procedure. The XML Security Library itself is released under the MIT License.
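The template-then-sign and verify workflow described above, as an added illustration that is not xmlsec's code and not from the original article: a minimal detached XML Signature written against the Python 3.8+ standard library. It substitutes C14N 2.0 (`xml.etree.ElementTree.canonicalize`) for the Exclusive C14N that xmlsec would normally use and the HMAC-SHA1 signature method for a public-key one; the sample document, the reference URI and the shared secret are constructed for the example.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Algorithm identifiers as they appear inside ds:SignedInfo. C14N 2.0 is used here
# because the Python stdlib implements it; xmlsec would normally use Exclusive C14N.
C14N_ALG = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample message, shared secret and reference URI (not from the article).
SAMPLE_DOC = ('<Envelope xmlns="urn:example:envelope">'
              '<Order id="42"><Item>widget</Item><Qty>3</Qty></Order></Envelope>')
SECRET = b"constructed-demo-secret"
REFERENCE_URI = "urn:example:order-42"   # detached signature: the signed bytes travel separately


def canonical_bytes(xml_text):
    """Canonicalize serialized XML so that equivalent serializations hash identically."""
    return ET.canonicalize(xml_text).encode("utf-8")


def canonical_element(elem):
    return canonical_bytes(ET.tostring(elem, encoding="unicode"))


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def build_template(reference_uri):
    """Step 1: the prepared template. Structure and algorithms are fixed in advance;
    DigestValue and SignatureValue are left empty for the signing step to fill."""
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_ALG)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA1_ALG)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=reference_uri)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA1_ALG)
    ET.SubElement(ref, f"{{{DS}}}DigestValue")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue")
    return sig


def sign(doc_text, secret, reference_uri=REFERENCE_URI):
    """Step 2: fill the template. The Reference digest binds the content; the MAC over
    the canonical SignedInfo binds that digest (and the algorithm choices) to the key."""
    sig = build_template(reference_uri)
    si = sig.find(f"{{{DS}}}SignedInfo")
    digest = hashlib.sha1(canonical_bytes(doc_text)).digest()
    si.find(f"./{{{DS}}}Reference/{{{DS}}}DigestValue").text = b64(digest)
    mac = hmac.new(secret, canonical_element(si), hashlib.sha1).digest()
    sig.find(f"{{{DS}}}SignatureValue").text = b64(mac)
    return ET.tostring(sig, encoding="unicode")


def verify(doc_text, signature_text, secret):
    """Return (digest_ok, signature_ok). A signature is valid only if both hold: a good
    SignatureValue over a SignedInfo whose digest no longer matches means altered content."""
    sig = ET.fromstring(signature_text)
    si = sig.find(f"{{{DS}}}SignedInfo")
    stored_digest = si.findtext(f"./{{{DS}}}Reference/{{{DS}}}DigestValue") or ""
    stored_mac = sig.findtext(f"{{{DS}}}SignatureValue") or ""
    digest = hashlib.sha1(canonical_bytes(doc_text)).digest()
    mac = hmac.new(secret, canonical_element(si), hashlib.sha1).digest()
    return (hmac.compare_digest(stored_digest, b64(digest)),
            hmac.compare_digest(stored_mac, b64(mac)))


def demo():
    signature = sign(SAMPLE_DOC, SECRET)
    # Same infoset, different bytes: canonicalization makes this verify.
    reserialized = SAMPLE_DOC.replace('<Order id="42">', "<Order   id='42'>")
    tampered = SAMPLE_DOC.replace("<Qty>3</Qty>", "<Qty>300</Qty>")
    return {
        "valid": verify(SAMPLE_DOC, signature, SECRET),
        "reserialized": verify(reserialized, signature, SECRET),
        "content_tampered": verify(tampered, signature, SECRET),
        "signedinfo_tampered": verify(SAMPLE_DOC, signature.replace(REFERENCE_URI, "urn:example:other"), SECRET),
        "digest_fixed_up_without_key": verify(tampered, sign(tampered, b"attacker-has-no-key"), SECRET),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: digest_ok={result[0]} signature_ok={result[1]}")
```

The results show why a verifier has to check every Reference digest as well as the SignatureValue: altering the content leaves the MAC intact but breaks the digest, while altering SignedInfo, or recomputing the digest without the key, breaks the MAC. Rewrapping attributes or whitespace inside a tag changes the bytes but not the canonical form, which is what canonicalization is for. An XML-DSig verifier such as xmlsec performs the same two-layer check before it reports success.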
Other XML Security Resources
- W3C continues to take comments on the XKMS (XML Key Management Specification), which specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signatures [XML-SIG] developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF), and an anticipated companion standard for XML encryption.
- An important key to understanding XML security is first knowing "web server" security basics -- protocols, SSL, etc. Kevin Boone provides a neat basic tour of web server security. His key advice to developers: Keep it simple and straightforward. Boone notes, "It is very important to understand that a secure web server uses encryption for communication of data between the web server and a browser, and nothing else."
- The Open Web Application Security Project (OWASP) has updated its Guide to Building Secure Web Applications and Web Services. This document describes the technical components, people processes and management issues needed to design, build and maintain a secure web application. It includes requirements for architects and designers building common elements like password reset systems, session management mechanisms and input filtering, as well as architectural guidance.
Much of OWASP's work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation is released under the GNU General Public License (GPL).
- You or your firm may already be using component-based development practices and application servers for business logic. If so, you already have a "service-oriented architecture" in place. This article, "The Benefits of a Service-Oriented Architecture", by independent consultant Michael Stevens, shows how you can further leverage your SOA to improve security of your web services/integration projects.
- In this column, Preston Gralla, author of "How the Internet Works," shares his view on what developers need to know about web services security. Notably, Gralla includes his "Short List" of XML standards and initiatives to keep an eye on.
- A straightforward compilation of XML security links is available at the Westbridge Technology website's "Resources" page. It's one of the best and easiest to navigate that OET has seen. Westbridge, based in Mountain View, CA, provides XML web services-based architectures.
- A report on .NET Framework's security is available from Core Security Technologies and Foundstone Inc. The analysis highlights granular security control over applications and resources and .NET's toolset for authentication, authorization and cryptographic routines.