The XML Security Working Group has published the Candidate Recommendation for XML Encryption Syntax and Processing 1.1. The most important update in this version addresses the recently published chosen-ciphertext attacks against the CBC class of algorithms. Besides that, AES-128-GCM is now a required algorithm. AES-GCM is an authenticated encryption algorithm and provides both authentication… Continue reading XML Encryption 1.1 is a candidate recommendation
One month after the 1.5.0 release, the bugfix release 1.5.1 of Apache Santuario is available. Two bugs were fixed: one in XMLSignatureInput when using a BufferedInputStream, and another that caused Santuario to still require Apache Xalan (which was changed to optional in 1.5.0). Besides that, encryption and decryption should work faster now.
The XML Security working group published the last calls for two XML Encryption working drafts: XML Encryption 1.1 contains, besides some other updates, AES-128-GCM, a new mandatory-to-implement algorithm that addresses the recently published security problems (catastrophe?!) with XML Encryption. This part alone justifies a closer look at the candidate recommendation. The other last… Continue reading XML Security Working Group announced last calls for XML Encryption working drafts
A new maintenance release (1.4.6) of Apache Santuario, the Apache XML Security project, is available. The release notes are a little bit confusing. Looks like five bugs were fixed. The new version will be available in the next JCrypTool release.
This analysis (in German, English version is available here) by the well-known Ruhr University Bochum puts XML Encryption in real trouble. Since there is no solution or workaround, the only possibility is to accept the drawbacks and to use SSL to secure any Web Service communication. Back to good old transport-based security.
The German XML Security tutorials are now developed on GitHub. This does not affect the Eclipse XML Security Tools at all; the German tutorials will never be integrated there. The sources are only used to generate the tutorials available on my home page. I'm working on some content updates. As soon as this will be… Continue reading XML Security tutorials now on GitHub
The W3C recently published new working drafts of several XML Security-related 1.1 versions: On May 13th, XML Signature Syntax and Processing, XML Encryption Syntax and Processing and XML Security Generic Hybrid Ciphers were updated. These are so-called Last Call Working Drafts, meaning the process is finally coming to an end and we… Continue reading Versions 1.1 of XML Security coming closer
Quite a lot of XML Security-related drafts were updated during my two-month holiday: XML Signature Syntax and Processing Version 2.0 and Canonical XML Version 2.0 both got updated on March 4th 2010. However, both documents are still in working draft stage. Besides that, there is a new XML Encryption Syntax and Processing Version… Continue reading Different XML Security drafts updated
Version 1.4.3 of Apache XML Security (Santuario) is available. If you use this API, you should update to the new release as soon as possible. This release doesn't provide any new features, but includes a lot of bug fixes, including a correction for the relatively serious security vulnerability that was discovered recently.
The W3C XML Security Working Group released eight first public working drafts last week, from updated XML Encryption 1.1 and XML Signature 1.1 specifications to even some new ones. Among others, these drafts include revisions to XML Signature and XML Encryption to support new algorithms and a new document proposing simplifications to the XML… Continue reading A whole bunch of new XML Security working drafts