Alternative to PKI digital signature

Question

I'm looking for a way of transforming an xml document in a way that achieves the following goals:

• It can be distributed to known applications across the internet and managed by them without any special storage requirements
• The applications can determine the source of the document
• The applications can determine if it has been tampered with or altered since it was generated
• The document is encrypted, but for obfuscation purposes rather than because it contains sensitive information
• The application can programmatically read the contents of the xml

This sounds like a classic digital signature scenario. However, I do not want the source and recipient applications to have to deal with the logistical issues associated with managing public and private keys.

So, my question is: is there any way of meeting these requirements reliably without the use of digital certificates?

Answer 1

If you do not really look for security - especially in the forging/alteration aspects, a secret symmetric key embedded in the application would be enough to satisfy alteration detection and encryption aspects. Just use a standard block cipher, and MAC (Message Authentication Code (wikipedia)). Of course, it would be relatively simple to extract the key and alter these documents.

Unfortunately, identifying the source is a little trickier. Identity comes implicitly when you use PKI, because each private key implicitly identifies an entity. Since you do not have such a natural identifier, you will now need to define your own identification scheme: perhaps a MAC address of the first network adapter you see on the machine that runs it, or perhaps a more elaborate scheme where you explicitly assign identities to individual applications, or the individuals that use the application. Once you have some sort of identity definition, it would be a simple matter to add this identification string at the start of your document before encrypt/sign operation as a separate XML field.