IT Security Outsourced IT

XML Digital Signature

What is XML Digital Signature?

Digital signatures are like electronic “fingerprints” that securely associate a signer with a document in a recorded transaction, which takes the form of a coded message. Digital signatures use Public Key Infrastructure (PKI), to provide the highest levels of security and universal acceptance. PKI involves using a digital certificate for identity verification. Digital signatures differ from electronic signatures. A digital signature is a type of electronic signature that requires a more rigorous level of identity assurance through digital certificates.

The broad category of electronic signatures (e-signatures) encompasses many types of electronic signatures. The category includes digital signatures, which are a specific technology implementation of electronic signatures. Both digital signatures and other e-signature solutions allow you to sign documents and authenticate the signer. However, there are differences in purpose, technical implementation, geographical use, and legal and cultural acceptance of digital signatures versus other types of e-signatures1.

An XML digital signature (XML DSIG) is an electronic, encrypted, stamp of authentication on digital information such as messages. The digital signature confirms that the information originated from the signer and was not altered in transmission. Additionally, with digital signatures that use public key cryptography, the origin of the signed message can be traced to the identity of the sender to satisfy nonrepudiation requirements2. Digital signatures are part of message-level security. They are important because they ensure end-to-end message integrity and can also provide authentication information about the originator of a message. To be effective, the digital signature must be part of the application data, so that is generated at the time the message is created. Then, the signature can be verified at the time the message is received and processed. At a minimum, sign the message body, security, and addressing headers.

Follow these steps to digitally sign an XML document in Windows3:

  1. Create a CspParameters object and specify the name of the key container.
  2. Generate an asymmetric key using the RSACryptoServiceProvider class. The key is automatically saved to the key container when you pass the CspParameters object to the constructor of the RSACryptoServiceProvider class. This key will be used to sign the XML document.
  3. Create an XmlDocument object by loading an XML file from disk. The XmlDocument object contains the XML element to encrypt.
  4. Create a new SignedXml object and pass the XMLDocument object to it.
  5. Add the signing RSA key to the SignedXml object.
  6. Create a Reference object that describes what to sign. To sign the entire document, set the Uri property to “ “.
  7. Add an XmlDsigEnvelopedSignatureTransform object to the Reference object.
  8. Add the Reference object to the SignedXml object.
  9. Compute the signature by calling the ComputeSignature method.
  10. Retrieve the XML representation of the signature (a <Signature> element) and save it to a new XmlElement object.
  11. Append the element to the XmlDocument object.
  12. Save the document.  

1 DocuSign, 2023, “Understanding digital signatures”

2 IBM, 2021, “XML digital signature security overview”

3 Microsoft, 2021, “How to: Sign XML Documents with Digital Signatures”