JosephG

Reputation: 3253

Make sure your signed XML is signed by you

I would like to sign an XML file I have created, and have followed this tutorial in order to sign it:

http://msdn.microsoft.com/en-us/library/ms229745.aspx

I have also read this tutorial on verifying the files:

http://msdn.microsoft.com/en-us/library/ms229950.aspx

I was able to compile both correctly without issues, but what I don't understand is how, using this, I am able to produce an XML that is guaranteed to be from me and not forged.

My thinking (which is wrong and needs correcting): I make an XML and sign it using the code from those tutorials. I am also able to verify it using that code. No problems, it works and detects when I have modified the XML. But how is it that someone else can't just take the code from the tutorial, make their own XML, and then sign it themselves, and use it in my program? Wouldn't the verifying program still verify it?

Upvotes: 0

Views: 2305

Answers (3)

John Ruiz

Reputation: 2391

You need to understand two pieces of background information in order to understand why these tutorials work.

Once you read those articles a bit, take a look at this diagram:

[Figure: Digital Signature Diagram] Diagram taken from Wikipedia (specifically, here)

Upvotes: 2

pd40

Reputation: 3247

The tutorial uses an RSA signing key:

signedXml.SigningKey = Key;

This link states:

Generate an asymmetric key using the RSACryptoServiceProvider class. The key is automatically saved to the key container when you pass the CspParameters object to the constructor of the RSACryptoServiceProvider class.

A new RSA key was created when you ran this example and stored in the key container on your local machine. The RSA key contains a Private Key for signing and a Public Key for verifying the signature. The Public Key can be distributed to anyone who needs to verify your signed messages. Public Keys are usually packaged and distributed using a Certificate.

Assuming you are the only one in possession of the Private Key, the recipient has the Public Key (and assuming the implementation is safe), no one can tamper with that signed document without the verification step detecting that tampering.

Anyone else running the same sample should produce a new unique RSA key that could not be used to sign a document that your Public Key would verify.

Upvotes: 2
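An added C# example (not from the question, the answers or the MSDN tutorials) of the point made above: the verifier checks the signature against the one public key it already trusts, so of the three checks in `Main` only the first, untouched document signed with the matching private key passes. The key names and sample XML are constructed, and it assumes a .NET project with the System.Security.Cryptography.Xml package available.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SignedXmlDemo
{
    // Enveloped signature over the whole document, as in the signing tutorial.
    static XmlDocument Sign(string xml, RSA privateKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signedXml = new SignedXml(doc) { SigningKey = privateKey };
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Verify against a public key the verifier already holds and trusts,
    // never against a key taken from the document being checked.
    static bool Verify(XmlDocument doc, RSA trustedPublicKey)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;   // unsigned or ambiguous input
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(trustedPublicKey);
    }

    static void Main()
    {
        using RSA mine = RSA.Create(2048);          // my key pair (constructed)
        using RSA someoneElse = RSA.Create(2048);   // key pair of anyone else running the sample
        using RSA myPublic = RSA.Create();
        myPublic.ImportParameters(mine.ExportParameters(false)); // public half only

        XmlDocument genuine = Sign("<license><user>alice</user></license>", mine);
        XmlDocument foreign = Sign("<license><user>mallory</user></license>", someoneElse);

        Console.WriteLine(Verify(genuine, myPublic));   // document signed with my private key
        Console.WriteLine(Verify(foreign, myPublic));   // validly signed, but with a different key
        genuine.DocumentElement.FirstChild.InnerText = "bob";
        Console.WriteLine(Verify(genuine, myPublic));   // my document, modified after signing
    }
}
```

The parameterless `CheckSignature()` overload verifies with key material found in the signature's own `KeyInfo`, so on its own it shows only that the document is internally consistent, not who signed it.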

BenSchro10

Reputation: 326

Both links refer to articles showing verification. You would benefit from reading how asymmetric keys work. When you sign the XML, you sign it with your private key, which only you have access to, and which only your public key, available to everyone, can decrypt. No one but you will have your private key.

Upvotes: 0
