XML安全技术在电子商务中的应用
|
摘要
扩展标记语言XML(Extensible Markup Language)是世界万维网联盟W3C(The Worldwide Web Consortium)制定的一种数据标准。它以其结构化、互操作性、易于交换和可扩展性的特点在很多行业得到了广泛的应用。
XML为实现安全、高效的电子商务提供了一种开放的标准,它解决了传统数据交换的一些弱点,将中小企业带入到电子商务之中。使用XML结构化的数据可以将数据从商业规范和表现形式中分离出来,便利地进行交换和处理,所以它一经出现就成为新一代数据交换的标准。
但是电子商务对XML的关注过多地放在实现数据交换上,对于保证XML数据安全的问题缺乏足够的重视。与传统的数据传输安全相比,XML数据在实施安全保护措施方面有着自身的特点。忽视XML数据的安全会使得交易中的机密信息和敏感信息面临危险。因此,如何在非安全的网络中实现XML数据的安全传输是电子商务急需要解决的问题。
XML安全技术主要涉及下列安全问题:XML加密、XML签名、XML密钥管理规范(XML Key Management Specification,XKMS)和安全断言标记语言(Security Assertion Markup Language,SAML)。本论文重点研究XML加密、XML签名这两部分。
XML安全技术能保证被传输数据的完整性、真实性和不可否认性,它可以弥补传统安全技术所存在的不足,能有效地增强WEB资源的安全性。并且XML签名和XML加密是安全Web服务(Web Services)中一系列规范的基础,所以保证XML的安全对整个Web的发展都起着至关重要的作用。
本论文围绕XML安全技术这一目标展开,主要内容如下:
1.介绍了XML的编写规则、特点、编程接口、内容显示及应用领域。
2.具体分析了XML安全中的XML加密和XML签名的工作原理,探讨了XML加密和XML签名的实现技术,对XML签名和传统的数字签名做了较深入的比较。
3.基于VS.net平台,通过把C#技术,XML安全规范中的XML加密、XML签名有机地结合起来,在“航旅通预定系统”中实现了XML加密、解密、XML签名及验证签名等功能。
XML (Extensible Markup Language) is a data standard developed by W3C (The Worldwide Web Consortium). Its structure, interoperability、scalability and easy exchange feature have been widely used in many industries.
XML for the realization safe and highly effective E-Commerce provided one kind of open standard. It solved some of the weaknesses of traditional data exchange, and lead small and medium-sized enterprises into E-Commerce. XML-structured data can be separated from commercial norms and manifestations; and can extremely conveniently to exchange and processing. Thus, it has become a new generation emerged data exchange standards as soon as it appears.
E-Commerce takes too much attention on XML data exchange, but less on ensures the safety of the XML data exchange. Compare With the traditional data transmission security, the XML data in the implementation of security measures has its own characteristics. Ignore XML data security will make transactions confidential and sensitive information at risk. Therefore, how to realize the security of XML data transmission in the unsafe network is very urgent.
XML security technologies involved in the following security issues: XML Encryption, XML Signature, XKMS (XML Key Management Specification) and SAML (Security Assertion Markup Language). This paper focuses on XML Encryption, XML signature two parts.
XML Security technology can ensure the integrity, authenticity and non-repudiation of data transmission. It can also make up for the deficiencies of the traditional security technologies. And XML Signature and XML Encryption is the foundation of a series of standard of the secure Web Services. Therefore, Ensure the safety of XML data will play a vital role in the entire Web development.
This paper focus on XML security technology, the major elements are as follow:
1. Introduced the preparation rules, characteristics, programming interfaces, show, and application areas of XML.
2. Specific analyses the working principle of XML Encryption and XML Signature, discussed the realization of XML Encryption and XML Signature technology. And it has deep compared XML Signature and traditional digital Signature.
3. Based on VS.net platform, organic combination with C #, XML Encryption, XML Signature, in the "Flight travel reservation system" project, fulfills the XML Encryption, Decryption, Signature and validation of XML Signature, and other functions.
XML为实现安全、高效的电子商务提供了一种开放的标准,它解决了传统数据交换的一些弱点,将中小企业带入到电子商务之中。使用XML结构化的数据可以将数据从商业规范和表现形式中分离出来,便利地进行交换和处理,所以它一经出现就成为新一代数据交换的标准。
但是电子商务对XML的关注过多地放在实现数据交换上,对于保证XML数据安全的问题缺乏足够的重视。与传统的数据传输安全相比,XML数据在实施安全保护措施方面有着自身的特点。忽视XML数据的安全会使得交易中的机密信息和敏感信息面临危险。因此,如何在非安全的网络中实现XML数据的安全传输是电子商务急需要解决的问题。
XML安全技术主要涉及下列安全问题:XML加密、XML签名、XML密钥管理规范(XML Key Management Specification,XKMS)和安全断言标记语言(Security Assertion Markup Language,SAML)。本论文重点研究XML加密、XML签名这两部分。
XML安全技术能保证被传输数据的完整性、真实性和不可否认性,它可以弥补传统安全技术所存在的不足,能有效地增强WEB资源的安全性。并且XML签名和XML加密是安全Web服务(Web Services)中一系列规范的基础,所以保证XML的安全对整个Web的发展都起着至关重要的作用。
本论文围绕XML安全技术这一目标展开,主要内容如下:
1.介绍了XML的编写规则、特点、编程接口、内容显示及应用领域。
2.具体分析了XML安全中的XML加密和XML签名的工作原理,探讨了XML加密和XML签名的实现技术,对XML签名和传统的数字签名做了较深入的比较。
3.基于VS.net平台,通过把C#技术,XML安全规范中的XML加密、XML签名有机地结合起来,在“航旅通预定系统”中实现了XML加密、解密、XML签名及验证签名等功能。
XML (Extensible Markup Language) is a data standard developed by W3C (The Worldwide Web Consortium). Its structure, interoperability、scalability and easy exchange feature have been widely used in many industries.
XML for the realization safe and highly effective E-Commerce provided one kind of open standard. It solved some of the weaknesses of traditional data exchange, and lead small and medium-sized enterprises into E-Commerce. XML-structured data can be separated from commercial norms and manifestations; and can extremely conveniently to exchange and processing. Thus, it has become a new generation emerged data exchange standards as soon as it appears.
E-Commerce takes too much attention on XML data exchange, but less on ensures the safety of the XML data exchange. Compare With the traditional data transmission security, the XML data in the implementation of security measures has its own characteristics. Ignore XML data security will make transactions confidential and sensitive information at risk. Therefore, how to realize the security of XML data transmission in the unsafe network is very urgent.
XML security technologies involved in the following security issues: XML Encryption, XML Signature, XKMS (XML Key Management Specification) and SAML (Security Assertion Markup Language). This paper focuses on XML Encryption, XML signature two parts.
XML Security technology can ensure the integrity, authenticity and non-repudiation of data transmission. It can also make up for the deficiencies of the traditional security technologies. And XML Signature and XML Encryption is the foundation of a series of standard of the secure Web Services. Therefore, Ensure the safety of XML data will play a vital role in the entire Web development.
This paper focus on XML security technology, the major elements are as follow:
1. Introduced the preparation rules, characteristics, programming interfaces, show, and application areas of XML.
2. Specific analyses the working principle of XML Encryption and XML Signature, discussed the realization of XML Encryption and XML Signature technology. And it has deep compared XML Signature and traditional digital Signature.
3. Based on VS.net platform, organic combination with C #, XML Encryption, XML Signature, in the "Flight travel reservation system" project, fulfills the XML Encryption, Decryption, Signature and validation of XML Signature, and other functions.
引文
[1] 石良武,邓淑玲.XML技术及其在电子商务中的应用.http://www.power2ba.com/develop/web/xml/article/20010716001.htm
[2] 吴洁.XML应用教程.北京:清华大学出版社,2005.1.32~47
[3] 王勇,王骏,黄杰等.基于XML实现信息安全交换的策略研究.机械与电子,2004.35~46
[4] 傅海英,李辉,王育名.XML及相关安全研究进展.计算机应用研究,2004.23~28
[5] Heather uilliamson.XML技术大全,机械工业出版社.2006.45~78
[6] Getting Started with XML Security.http://www.fjhirsch.com/xml/Xmlsec/starting-xml-security.html. 2002.8.7
[7] 周永彬,贺也平,刘娟.XML安全基础[M].北京:清华大学出版社,2003.65~66
[8] 张建飞编.XML实用培训教程.北京:科学出版社,2003.12.43~56
[9] Navarr oAnn,周生炳.XML从入门到精通.北京:电子工业出版社,2000.123~134
[10] 袭剑铎,高伟,徐继伟.XML高级编程.北京:机械工业出版社 2002.54~65
[11] Jelliffe Rick.XML&SGML参考手册.北京:人民邮电出版社,2005.10.67~79
[12] 王超,张鹏.ASP.NET/KML深入编程技术.北京:北京希望电子出版社,2002.1.89~97
[13] Dinar Dalvi,Joe Gray..NET XML高级编程[M].北京:清华大学出版社2002.263~270
[14] Elliotte Rusty Harold W.Scott Means.XML技术手册[M].北京:中国电力出版社,2005.164~166
[15] 刘志军.XML在分布式对象技术中的应用.计算机应用研究 第九期
[16] [美]G.Andrew Duthie.李万伦,何蕾,赵海,译.ASP.NET程序设计.北京:清华大学出版社,2006.1.39~47
[17] Kurt Cagle.XML高级开发指南[M].北京:电子工业出版社,2001.3.32~48
[18] 章峰,王军.基于XML的企业信息集成平台实现及应用.计算机工程与应用.2001.1.37~49
[19] 阎慧,李希民,李彩萍.基于XML的WEB安全模型[J].装备指挥技术学院学报,2002年04期
[20] 李文奇.XML密钥管理系统研究及实现[D]:[硕士论文]一上海:上海交通大学,2004
[21] XML Encryption Requirements. http://www.w3.org/TR/xml-encryption-req.
[22] Murdoch Mactaggart.XML 加密和XML 签名简介, DeveloperWorks, 2006.9.145~166
[23] http:.//www.csdn.net
[24] 路松房.基于Microsoft.NET的加密与签名系统开发.CSDN开发高手.2004-6
[25] [美]Doug Tidwell. The XML Security Suite: Increasing the security of E-business. http://www-900.ibm.corn/developerWorks/cn/xml/xmlsecuritysuite/index_ eng. html. 2000.1
[26] [美]Rich Salz. 了解XML数字签名. http://www.microsoft.com/china/MSDN/library/archives/library/dnWebsrv/html/underXMLdigsig.asp
[27] XML-SignatureSyntaxandProcessing.http://www.w3.org/TR/xmldsig
[28] 陈天煌,邹青梅.基于XML的异构数据库信息共享技术研究.武汉理工大学学报
[29] http://xkms.entrust.com/xkms/index.htm
[30] 唐韶华,甘志勇.基于XKMS的PKI服务的设计与实现[J]电子与信息学报,2005.2
[31] 王子才.基于XACML的访问控制技术的应用研究[D]大连海事大学.2006
[32] [美]William Stallings.刘玉珍,王丽娜,傅建明,等译.密码编码学与网络安全.北京:电子工业出版社,2004.3.135~166
[33] 谢山,孙莉,陈家训.基于XML的企业电子商务交易平台目录系统的设计.计算机应用研究.2002
[34] 闫锋,庞建民,王斌,王杰锋.电子商务的安全性及其技术[J]信息工程大学学报,1999.4
[35] http://blog.5d.cn/user7/hldhl/200604/238791.html
[36] 卿斯汉.电子商务协议中的可信第三方角色.软件学报.2003年11期
[37] 张立志.电子商务系统的安全研究[J]安阳大学学报,2004.4
[38] 魏兵海.基于XML相关规范集的动态Web service框架系统.计算机科学2004年6月
[39] 黄元飞等.信息安全与加密解密核心技术,上海浦东电子出版社,2001.2.95~106
[40] Pter Thorstelnson,G.Gnana Arun Ganesh著.梁志敏,蔡建译..NET安全性与密码技术,清华大学出版社,2006.8.76~89
[2] 吴洁.XML应用教程.北京:清华大学出版社,2005.1.32~47
[3] 王勇,王骏,黄杰等.基于XML实现信息安全交换的策略研究.机械与电子,2004.35~46
[4] 傅海英,李辉,王育名.XML及相关安全研究进展.计算机应用研究,2004.23~28
[5] Heather uilliamson.XML技术大全,机械工业出版社.2006.45~78
[6] Getting Started with XML Security.http://www.fjhirsch.com/xml/Xmlsec/starting-xml-security.html. 2002.8.7
[7] 周永彬,贺也平,刘娟.XML安全基础[M].北京:清华大学出版社,2003.65~66
[8] 张建飞编.XML实用培训教程.北京:科学出版社,2003.12.43~56
[9] Navarr oAnn,周生炳.XML从入门到精通.北京:电子工业出版社,2000.123~134
[10] 袭剑铎,高伟,徐继伟.XML高级编程.北京:机械工业出版社 2002.54~65
[11] Jelliffe Rick.XML&SGML参考手册.北京:人民邮电出版社,2005.10.67~79
[12] 王超,张鹏.ASP.NET/KML深入编程技术.北京:北京希望电子出版社,2002.1.89~97
[13] Dinar Dalvi,Joe Gray..NET XML高级编程[M].北京:清华大学出版社2002.263~270
[14] Elliotte Rusty Harold W.Scott Means.XML技术手册[M].北京:中国电力出版社,2005.164~166
[15] 刘志军.XML在分布式对象技术中的应用.计算机应用研究 第九期
[16] [美]G.Andrew Duthie.李万伦,何蕾,赵海,译.ASP.NET程序设计.北京:清华大学出版社,2006.1.39~47
[17] Kurt Cagle.XML高级开发指南[M].北京:电子工业出版社,2001.3.32~48
[18] 章峰,王军.基于XML的企业信息集成平台实现及应用.计算机工程与应用.2001.1.37~49
[19] 阎慧,李希民,李彩萍.基于XML的WEB安全模型[J].装备指挥技术学院学报,2002年04期
[20] 李文奇.XML密钥管理系统研究及实现[D]:[硕士论文]一上海:上海交通大学,2004
[21] XML Encryption Requirements. http://www.w3.org/TR/xml-encryption-req.
[22] Murdoch Mactaggart.XML 加密和XML 签名简介, DeveloperWorks, 2006.9.145~166
[23] http:.//www.csdn.net
[24] 路松房.基于Microsoft.NET的加密与签名系统开发.CSDN开发高手.2004-6
[25] [美]Doug Tidwell. The XML Security Suite: Increasing the security of E-business. http://www-900.ibm.corn/developerWorks/cn/xml/xmlsecuritysuite/index_ eng. html. 2000.1
[26] [美]Rich Salz. 了解XML数字签名. http://www.microsoft.com/china/MSDN/library/archives/library/dnWebsrv/html/underXMLdigsig.asp
[27] XML-SignatureSyntaxandProcessing.http://www.w3.org/TR/xmldsig
[28] 陈天煌,邹青梅.基于XML的异构数据库信息共享技术研究.武汉理工大学学报
[29] http://xkms.entrust.com/xkms/index.htm
[30] 唐韶华,甘志勇.基于XKMS的PKI服务的设计与实现[J]电子与信息学报,2005.2
[31] 王子才.基于XACML的访问控制技术的应用研究[D]大连海事大学.2006
[32] [美]William Stallings.刘玉珍,王丽娜,傅建明,等译.密码编码学与网络安全.北京:电子工业出版社,2004.3.135~166
[33] 谢山,孙莉,陈家训.基于XML的企业电子商务交易平台目录系统的设计.计算机应用研究.2002
[34] 闫锋,庞建民,王斌,王杰锋.电子商务的安全性及其技术[J]信息工程大学学报,1999.4
[35] http://blog.5d.cn/user7/hldhl/200604/238791.html
[36] 卿斯汉.电子商务协议中的可信第三方角色.软件学报.2003年11期
[37] 张立志.电子商务系统的安全研究[J]安阳大学学报,2004.4
[38] 魏兵海.基于XML相关规范集的动态Web service框架系统.计算机科学2004年6月
[39] 黄元飞等.信息安全与加密解密核心技术,上海浦东电子出版社,2001.2.95~106
[40] Pter Thorstelnson,G.Gnana Arun Ganesh著.梁志敏,蔡建译..NET安全性与密码技术,清华大学出版社,2006.8.76~89