views: 103
answers: 5
I am in a situation where my application has to read an XML file that another application will drop onto a specific location on the file system (on multiple platforms). I control the contents of this document. The other application is simply providing transport.

I'd like to ensure that the document hasn't been modified in transit or forged in any way. Currently, we're simply writing a salted hash of the document string to the start of the file before the XML document itself. When we parse the document, we simply strip out the hash, compare it to a hash of the remainder of the document, and then send it to the parser.

Does anyone have any experience with this kind of scenario that they'd like to share? Are there any flaws or easier ways I'm missing?

A: 

We encrypt the whole xml file and decrypt it to use. This way we know for sure if it has been modified ;)

Sergio
A: 

The most secure thing you will be able to do is encrypt the network traffic in between the two applications. You can definitely hash the file though but something like an MD5 hash ought to do the trick.

Andrew Hare
A: 

You should sign the message by encrypting the salted hash with an asymmetric encryption algorithm and send it along with the document. Just using a hash doesn't enforce security as some intruder might generate a different message with the same hash.

Mehrdad Afshari
Unlikely they could generate a collision that was also a valid XML document for your app - collisions are only really an issue where you are allowed to stick large amounts of arbitrary binary data on the end.
Martin Beckett
I would never trust `unlikely` in security engineering.
Mehrdad Afshari
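The point of the exchange above is that a hash, salted or not, checks only that the bytes were not accidentally changed; it does not tell the reader who produced them, because anyone who can compute the hash can also recompute it for a different document. The following is an added example, not code from the question or from any of the answers. It keeps the question's file layout (a tag line followed by the XML body) and contrasts the salted-hash prefix with a keyed MAC (HMAC-SHA256 from the Python standard library) using a secret that only the two applications hold. An asymmetric signature, as suggested in the answer, is the same idea with a private key on the sending side and a public key on the receiving side; it is the right choice when the receiver itself must not be able to produce valid tags. The document, salt and key below are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample document and parameters (not from the original post).
DOC = b'<?xml version="1.0"?><order id="42"><amount>100.00</amount></order>'
SALT = b"public-salt-value"   # hypothetical salt, as in the question's scheme
MAC_KEY = os.urandom(32)      # shared secret known only to the two applications


def salted_hash_wrap(doc: bytes, salt: bytes) -> bytes:
    """The scheme in the question: a salted SHA-256 line, then the XML body."""
    digest = hashlib.sha256(salt + doc).hexdigest().encode()
    return digest + b"\n" + doc


def salted_hash_verify(blob: bytes, salt: bytes) -> Optional[bytes]:
    """Strip the prefix, recompute the salted hash, return the body on a match."""
    tag, _, body = blob.partition(b"\n")
    expected = hashlib.sha256(salt + body).hexdigest().encode()
    # compare_digest avoids leaking how many leading characters matched
    return body if hmac.compare_digest(tag, expected) else None


def hmac_wrap(doc: bytes, key: bytes) -> bytes:
    """Same file layout, but the tag is keyed: HMAC-SHA256 over the body."""
    tag = hmac.new(key, doc, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + doc


def hmac_verify(blob: bytes, key: bytes) -> Optional[bytes]:
    """Recompute the MAC with the shared key; reject if the tag does not match."""
    tag, _, body = blob.partition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Show what each verifier accepts and rejects for the same edit."""
    tampered = DOC.replace(b"100.00", b"999.00")
    blob_s = salted_hash_wrap(DOC, SALT)
    blob_h = hmac_wrap(DOC, MAC_KEY)
    return {
        # editing the body without touching the prefix is caught by both schemes
        "salted_detects_edit":
            salted_hash_verify(blob_s.replace(b"100.00", b"999.00"), SALT) is None,
        # but a salt is not a secret: a re-wrapped document passes the salted check
        "salted_accepts_rewrap":
            salted_hash_verify(salted_hash_wrap(tampered, SALT), SALT) == tampered,
        # the keyed tag round-trips for the legitimate sender...
        "hmac_roundtrip": hmac_verify(blob_h, MAC_KEY) == DOC,
        # ...rejects an edited body...
        "hmac_detects_edit":
            hmac_verify(blob_h.replace(b"100.00", b"999.00"), MAC_KEY) is None,
        # ...and rejects a document tagged with any key other than the shared one
        "hmac_rejects_wrong_key":
            hmac_verify(hmac_wrap(tampered, os.urandom(32)), MAC_KEY) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two practical notes: the tag line is split on the first newline, so the tag must never contain one (hex output guarantees that), and the verifier should strip the prefix and check the tag before handing anything to the XML parser, exactly as the question already does. Key management is the real cost of the HMAC variant: both platforms must hold the same secret, which is why the asymmetric or XML Signature approaches in the other answers are preferred when that is awkward.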
A: 

Depending on how critical these documents are, a hash may be sufficient. However, a more bulletproof mechanism would be to use something asymmetric like PGP signing if you have PGP support at both ends.

Kev
+3  A: 

There is a standard for signing xml documents: http://www.w3.org/TR/xmldsig-core/

If you don't want to implement everything yourself, I suggest you use the XML security library.

innaM