
Safeguarding the Identity and Integrity of XML Messages

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them for the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:
  1. Safeguarding the Identity and Integrity of XML Messages
  2. XML Signature Fundamentals
  3. XML Signature Structure
  4. Types of XML Signatures
  5. The Signature Element Schema
  6. XML Signature Processing
  7. XML Signature Validation
  8. The XML Signature Elements
  9. Canonicalization Actions from Canonical XML Version 1.0
  10. The SignatureMethod Element
  11. The Reference Element
  12. The Transform Element
  13. XPath Filtering Transform
  14. Enveloped Signature Transform
  15. XPath Filter 2.0 Transform
  16. The DigestMethod Element
  17. The Object Element
  18. The Manifest Element
  19. The KeyInfo Element
  20. Security Strategies for XML Signature
  21. Summary
By: Sams Publishing
September 09, 2004


Introduction to and Motivation for XML Signature

Chapter 2, "The Foundations of Web Services," and Chapter 3, "The Foundations of Distributed Message-Level Security," provided an overview of Web services (including XML) and security concepts. This chapter and the next bring two of the key security principles—confidentiality and integrity—into the world of XML. Confidentiality, in the world of XML, manifests itself as XML Encryption. Integrity manifests itself as XML Signature. XML Signature and XML Encryption are fundamental strategies for securing XML and are pillars of WS-Security. Because XML is one of the foundations of Web services, it follows that these two technologies are extremely important to understand and apply when you are implementing secure Web services.

A W3C Standard

XML Signature (as discussed in Chapter 3) is a joint standard of the IETF and the W3C for digitally signing all of an XML document, part of an XML document, or even an external object. Similarly, XML Encryption is a W3C standard, which followed XML Signature, for encrypting all of an XML document, part of an XML document, or an external object. Actually, you can sign or encrypt pretty much anything you can point to with a URL.

Critical Building Block for WS-Security

XML Signature and XML Encryption are fundamental to the next generation of emerging standards that use these two standards as building blocks. For example, WS-Security (the emerging OASIS standard for Web services security), XML Key Management Specification (XKMS), and Security Assertion Markup Language (SAML), among many others, all rely on XML Signature and/or XML Encryption.

Close Associations with Web Services Security

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them for the only strategy for securing Web services. This is really not the case at all. When reading Chapter 3, you probably realized that Web Services Security must involve a broad spectrum of security technologies and strategies. Web services involve active use of XML messages across trust domains. Securing the message itself is critical, but it represents only one aspect of the whole Web Services Security picture.

That being said, we encourage you to pay special attention to the information in this chapter and, if you are interested in more detail, to pick up a book that treats this subject in more depth—for example, Secure XML by Donald Eastlake and Kitty Niles (Addison Wesley, 2002).

The Goal of Ensuring Integrity (and Usually Identity) and Non-repudiation Persistently

XML Signature technology, like digital signature, is a tool for ensuring integrity and, usually, identity and non-repudiation. XML Signature takes the building block of digital signature as described in Chapter 3 and greatly expands upon it, taking advantage of the power and flexibility of XML as well as key Web technologies (such as URLs) to sign almost any type of resource, whether an XML document, a part of an XML document, or a non-XML object such as an image.

XML Signature and XML Encryption: Fundamental Web Services Security Technologies

You might think that Web Services Security in relationship to XML Encryption and XML Signature is about encrypting and digitally signing SOAP messages. This aspect of the application of these two technologies is certainly important, and this usage is well covered in this book; however, this probably will not be the most important usage for you, as a developer or administrator of Web services, at least in the near future. Web services containers or special Web services firewalls help manage this complexity by signing/encrypting or verifying/decrypting all or parts of the SOAP message based on policies you configure. It really does not make sense for Web services developers to have to worry about the blocking and tackling involved in securing the SOAP payload uniquely for every application and/or operation within a Web service. This operation will become part of the infrastructure. As a Web services developer, you should be able to focus on the SOAP payload itself, which is an XML document. Much of your direct use of XML Signature and XML Encryption will be for your applications themselves to take advantage of the power of these technologies to enrich the functionality of your systems.

The goal of this chapter is to inform you how XML Signature works while not burying you with too much detail. This standard is powerful and complex, so we focus on the parts that we think will be most applicable.

This chapter is from Securing Web Services with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
