September 27, 2017

Romaric Tchokpon: Ensuring XML Integrity Using Watermarking Techniques

Abstract

The rise of XML and Web services as a de facto standard for data exchange and representation has generated a lot of interest on security aspects. Securing Web Services and XML documents is then of great importance and many standards and solutions have been proposed in the literature. We will categorize these solutions into two main categories, the first about the validity of the document in regards of its structure and the second is about the integrity and authenticity of the data. The first category includes XML Schema languages such as DTD, XML Schema, Relax-NG, Schematron, and the second one, XML Signature, XML Encryption, WS-Security.

Even though, there still exists some weakness in the processes of securing XML document. An example of attack exploiting weaknesses of XML Signature is the XML Signature wrapping attack. This famous attack has been possible because of the lack of structural constraints enforcing during the document processing by the web service.  The problem is also the same in other situation such as Multimedia Video Adaptation, distributed and collaborative environment using XML files. In these cases, there are constraints on the structure of the XML document to be enforced to avoid attacks that can affect the system using these files.

All these weaknesses motivate us to find a novel framework to enforce structural constraints in XML documents. The purpose of our solution is to provide to the XML document’s user, a way to detect any changes of the structure of the file that can be prejudicial to the final application. To achieve our goal, first, we express the structural constraints on the XML document in a set of elements which positions have to be fixed. Secondly, we make use of an XML labeling technique to fix the position of part of the XML document that is under constraints. We finally embed this information within the file using cryptographic means to guaranty the authenticity and the integrity of this information on the receiver‘s side.