URA Reference

md5

Generates an MD5 hash of an XML document.

Definition

Format

<instr>
  <type>md5</type>
  <operand>foo.xml</operand>
  <target>this:response</target>
</instr>

Syntax

Element    Rules                  Description
type       Mandatory              md5
operand    Optional               required; the resource to be hashed
operator   Optional               n/a
param      Optional               n/a
target     Optional, Fragment OK  required; the target resource

The md5 accessor generates an MD5 hash of the operand document. The result is a document with a root element <md5> containing the MD5 hash as a hexadecimal string. Here is an example:

<md5>6BBE1AF635E1CFC43006390B791D710F</md5>

Note: The md5 accessor is ideal for hashing short sensitive documents, such as passwords, whose source document is known to be reproducible. Use it with caution on longer documents, or on documents that have undergone external serialization.

The operand document is serialized using the default serializer. For documents generated and processed internally it can be assumed that two identical documents will generate an identical hash value; it is therefore possible to use the md5 accessor to hash passwords and similar short documents. It cannot be assumed that a document which has been externally serialized or otherwise processed will generate a repeatable hash value, because the hash is computed over the serialized bytes, not over the document's information content. For documents that undergo external processing, the xsign accessor should be used in combination with the canonical serializer.
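The point above, that the hash covers the serialized bytes rather than the document's meaning, is shown here with an added Python example; it is not NetKernel code and does not call the md5 accessor. It uses hashlib for MD5, ElementTree's default serializer as a stand-in for the kernel's default serializer, and W3C Canonical XML (ET.canonicalize, Python 3.8+) as a stand-in for the canonical serializer mentioned above. The two sample documents and the element names are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample input: the same information content, externally
# serialized two different ways (attribute order, quoting style, whitespace
# inside the start tag, presence of an XML declaration).
DOC_A = b'<credential id="42" user="alice"><password>foobar</password></credential>'
DOC_B = (b"<?xml version='1.0'?>"
         b"<credential user='alice'   id='42'><password>foobar</password></credential>")


def md5_hex(data: bytes) -> str:
    """MD5 of raw bytes, upper-case hex like the accessor's <md5> result."""
    return hashlib.md5(data).hexdigest().upper()


def md5_raw(doc: bytes) -> str:
    """Hash the bytes exactly as received (no re-serialization)."""
    return md5_hex(doc)


def md5_default(doc: bytes) -> str:
    """Parse, then re-serialize with the default serializer and hash that.

    ElementTree keeps attribute insertion order, so two documents that differ
    only in attribute order still serialize (and hash) differently.
    """
    return md5_hex(ET.tostring(ET.fromstring(doc)))


def md5_canonical(doc: bytes) -> str:
    """Canonicalize (C14N: sorted attributes, normalized quoting, no XML
    declaration) before hashing, so equivalent documents hash identically."""
    return md5_hex(ET.canonicalize(doc).encode("utf-8"))


def build_password_doc(password: str) -> bytes:
    """Generate a password document internally, as an application would,
    rather than reading an externally serialized one."""
    root = ET.Element("password")
    root.text = password
    return ET.tostring(root)


def to_md5_document(digest: str) -> str:
    """Wrap a digest the way the accessor returns it: <md5>HASH</md5>."""
    return f"<md5>{digest}</md5>"


if __name__ == "__main__":
    # Internally generated, identical documents: repeatable hash.
    print(to_md5_document(md5_default(build_password_doc("foobar"))))
    print(md5_default(build_password_doc("foobar")) == md5_default(build_password_doc("foobar")))
    # Externally serialized equivalents: raw and default-serializer hashes differ...
    print(md5_raw(DOC_A) == md5_raw(DOC_B), md5_default(DOC_A) == md5_default(DOC_B))
    # ...but the canonical form hashes identically.
    print(md5_canonical(DOC_A) == md5_canonical(DOC_B))
```

Running it prints True for the internally generated pair, False/False for the raw and default-serializer comparison of DOC_A and DOC_B, and True for the canonical comparison, which is exactly the distinction the paragraph draws between internally generated and externally processed documents.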

Security

The md5 accessor, like all security technologies, should be treated with care. If the following precautions are observed, the md5 accessor provides a convenient and trustworthy security tool.

Concurrency

The dexter kernel allows concurrent execution of XML applications. In this first version of the kernel there is no application isolation, so the potential exists for a malicious XML application to attempt to view the variables and data of another application.

It is perfectly possible to create XML security applications on the dexter kernel; just ensure that they are executed in isolation, in a known clean instance of the kernel runtime. Any application that performs security-critical operations should be deployed in a clean application space (the xapp/ directory) which contains only trusted XML applications. The kernel should also be configured to limit concurrency, with appropriate configuration of transports and system.xml properties.

The default demonstration xapp/ XML application space is not trustworthy for a secure application. Create a clean space of your own and configure the kernel to use it by setting <xappPath> in the system.xml configuration document.

Future versions of the dexter kernel will support full access control and provide complete application isolation.

Example

Hash a password document

This crude example shows how the md5 accessor can be used to hash a short password document. We don't recommend putting passwords in literals or sending the result to the response!

<instr>
  <type>md5</type>
  <operand>
    <password>foobar</password>
  </operand>
  <target>this:response</target>
</instr>

References

xsign accessor
Apache XML Security
W3C XML Signature


(C) 2003, 1060 Research Limited
1060 registered trademark, NetKernel trademark of 1060 Research Limited