Secure Systems Research Group - FAU A Pattern for XML Signature Presented by Keiko Hashizume


Outline

• Introduction

• A Pattern for WS-Security

• Conclusion


Introduction

• Digital signatures existed before XML Signature. One of the most common is the PKCS#7 signature.

• Before XML Signature, it was possible to sign XML documents, but it was not possible to express the signature in an XML format. Also, it was not possible to sign only some parts of the document.

• XML Signature was developed by the W3C and the IETF (Internet Engineering Task Force).


A Pattern for WS-Security

• The XML Signature standard describes the syntax and the process of generating and validating digital signatures. XML Signature provides message integrity, message authentication, and non-repudiation.

• Context

– Users of web services send and receive SOAP messages through insecure channels such as the Internet.


Problem

• Because SOAP messages travel through insecure channels, they may be intercepted and modified while they are in transit.

• The solution for this problem is affected by the following forces:

– We need to express a digital signature in a standardized XML format, so interoperability can be ensured between applications.

– Messages may be captured while they are in transit, so we need to be able to verify whether this data was modified.

– Messages can be sent and later disavowed, so we need to prevent senders from denying having sent a specific message.

– An XML message, any part of an XML message, or external resources can be signed. We need a way to refer to and locate these elements.

– XML documents may be parsed by different processors, and XML also allows some flexibility without changing the semantics of the message. Thus, we need to convert the data to a standard format.


Solution

– Structure - Class Diagram


Signature Types

• Enveloping Signature


• Enveloped Signature


• Detached Signature



– Dynamics

Sequence diagram for the use case: Sign an XML element


Consequences

• This pattern presents the following advantages:

– XML Signature describes a common framework for digital signatures.

– Using digest algorithms guarantees that any change in the message will invalidate the signature.

– A signature is generated using the sender’s private key. Because the sender is the only one who knows his private key, he cannot deny signing the data.

– The data being signed is referred to by its URI (Uniform Resource Identifier), so elements within XML messages and external resources can be located using their identifiers.

– XML Signature uses canonicalization algorithms to ensure that different representations of XML are transformed into a standard format before applying any digest algorithm.

• The pattern also has some (possible) liabilities:

– Large overhead because of the use of many types of algorithms such as digest, canonicalization and signature algorithms.
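
The reference-related consequences above (locating the signed data by URI, canonicalizing it, then digesting it), as an added Python example that is not code from the presentation: a re-serialized message still matches the sender's digest, while a modified one does not. It assumes constructed, namespace-free sample messages, SHA-256, and Python's built-in C14N 2.0 canonicalizer standing in for whichever canonicalization algorithm a signature names; the private-key signing step over the digest is not shown.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample messages (simplified, no namespaces; names are illustrative).
SENT = '<Envelope><Body Id="body"><Transfer amount="100" to="acct-2"/></Body></Envelope>'
# Same content after passing through another XML processor: different quoting,
# attribute order, spacing inside tags and empty-element form.
RESERIALIZED = ("<Envelope><Body   Id='body' ><Transfer to='acct-2'  amount='100'>"
                "</Transfer></Body></Envelope>")
# Modified in transit: the amount was changed.
TAMPERED = SENT.replace('amount="100"', 'amount="900"')


def find_by_uri(root, uri):
    """Resolve a same-document reference such as '#body' to exactly one element."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled in this example")
    matches = [el for el in root.iter() if el.get("Id") == uri[1:]]
    if len(matches) != 1:  # a missing or ambiguous Id must fail, not pick a match
        raise ValueError(f"{uri} resolves to {len(matches)} elements")
    return matches[0]


def raw_digest(xml_text):
    """Base64 SHA-256 of the text exactly as given, with no canonicalization."""
    return base64.b64encode(hashlib.sha256(xml_text.encode()).digest()).decode()


def reference_digest(xml_text, uri):
    """Locate the referenced element, canonicalize it, then digest it."""
    element = find_by_uri(ET.fromstring(xml_text), uri)
    canonical = ET.canonicalize(ET.tostring(element, encoding="unicode"))
    return raw_digest(canonical)


def reference_is_valid(xml_text, uri, digest_value):
    """Receiver side: recompute the digest and compare with the signed value."""
    return reference_digest(xml_text, uri) == digest_value


if __name__ == "__main__":
    digest_value = reference_digest(SENT, "#body")  # sender stores this value
    print("raw bytes equal:      ", raw_digest(SENT) == raw_digest(RESERIALIZED))
    print("reserialized is valid:", reference_is_valid(RESERIALIZED, "#body", digest_value))
    print("tampered is valid:    ", reference_is_valid(TAMPERED, "#body", digest_value))
```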


Known Uses

Several vendors have developed products that support WS-Security.

– Xtradyne’s WS-DBC (Web Service Domain Boundary Controller) http://www.xtradyne.com/products/ws-dbc/WSDBCfeatures.htm

– IONA Artix www.iona.com/info/aboutus/collateral/Artix%20and%20Security.pdf

– Forum Sentry™ http://forumsys.com/products_sentry_specs.htm

– SecureXML Digital Signature Web Service http://www.infomosaic.net/Welcome.htm


Related Patterns

– The WS-Security standard uses XML Signature.


Conclusion

• We need to develop patterns for the WS- family such as WS-Policy, WS-Privacy, WS-SecureConversation, WS-Federation, and WS-Authorization.

• We need to develop a pattern diagram describing how these standards are related to each other.