Checking and Signing XML Documents on Java Smart Cards

Challenges and Opportunities
  • Nils Gruschka
  • Florian Reuter
  • Norbert Luttenberger
Conference paper
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 153)


One major challenge for digitally signing a document is the so-called “what you see is what you sign” problem. XML as a meta language for encoding semistructured data offers new opportunities for a solution. The possibility of checking fundamental properties of XML-encoded documents (well-formedness, validity) can be used to improve the security of the signing process for such documents. In this paper we present an architecture for checking and signing XML documents on a smart card in order to enhance the control over the documents to be signed. The proposed architecture has successfully been used to implement a secure, smart card based electronic banking application for the financial transactions system FinTS.

Key words

Java smart cards, XML, digital signature, XML Schema, electronic banking


Copyright information

© Springer Science + Business Media, Inc. 2004

Authors and Affiliations

  • Nils Gruschka (1)
  • Florian Reuter (1)
  • Norbert Luttenberger (1)
  1. Christian-Albrechts-University of Kiel, Germany
