Home arrow Security arrow Page 12 - Safeguarding the Identity and Integrity of XML Messages


XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

  1. Safeguarding the Identity and Integrity of XML Messages
  2. XML Signature Fundamentals
  3. XML Signature Structure
  4. Types of XML Signatures
  5. The Signature Element Schema
  6. XML Signature Processing
  7. XML Signature Validation
  8. The XML Signature Elements
  9. Canonicalization Actions from Canonical XML Version 1.0
  10. The SignatureMethod Element
  11. The Reference Element
  12. The Transform Element
  13. XPath Filtering Transform
  14. Enveloped Signature Transform
  15. XPath Filter 2.0 Transform
  16. The DigestMethod Element
  17. The Object Element
  18. The Manifest Element
  19. The KeyInfo Element
  20. Security Strategies for XML Signature
  21. Summary
By: Sams Publishing
Rating: starstarstarstarstar / 7
September 09, 2004

print this article




Transforms receive the results of dereferencing the Reference URI and alter the results in some way. A Transform algorithm can essentially change anything about the original XML document. Multiple Transforms can appear under a Reference working in a pipeline-type fashion, with the results of one Transform algorithm feeding into the next one. This is an extremely powerful capability but fraught with risk. We discuss this topic later, but the problem is probably obvious: After a Transform occurs, there is no way for a signer or validator to view what has been signed without going through the exact same Transforms in the exact same order. That being said, in some situations Transforms are necessary. You just need to be careful when you use them.

Actually, we already described one type of Transform when we discussed canonicalization algorithms. In the XML Signature specification, five Transforms are mentioned:

  • Canonicalization

  • Base-64

  • XPath Filtering

  • Enveloped Signature Transform

  • XSLT Transform

XML Signature Transforms: Nodeset or Octets? - Remember that Transforms work in a pipeline fashion, taking in the input from the Reference URI or another Transform and outputting to either another Transform or to the final digest algorithm. This brings up a new wrinkle: The results of the Reference URI can be either an XML nodeset or octets (a true 8-bit byte). The digest algorithm needs octets. If only a Reference URI is included and no Transforms, the transformation from an XML nodeset to octets occurs automatically.

When Transforms are being used, however, you sometimes need to be aware of whether a particular Transform algorithm requires a nodeset or octets as input and whether the Transform algorithm outputs an XML nodeset or octets. The Reference URI is always the first input, and there is a basic rule as to whether it will result in an XML nodeset or octets. If it is a same document reference, it will result in an XML nodeset; if it is an external reference, even if the external document is XML, it will be octets. The final Transform must always output octets because that result is required for the digest algorithm. Your tool for converting from an XML nodeset to octets is canonicalization.

Don't sweat this issue too much; most of the conversions are handled for you. Just remember that the digest algorithm needs octets. Therefore, if, after applying one or more Transforms, you end up with an XML nodeset, you may need to add one more Transform, a Canonicalization Transform, to convert the XML nodeset to octets.

Canonicalization Transform

Any canonicalization algorithm that can be used in the CanonicalizationMethod can be used as a Transform. Canonicalization algorithms take XML nodesets as input and output octets.

Base-64 Transform

Base-64 is an algorithm for converting binary data into text, as discussed in Chapter 3. This algorithm maps the binary values to a subset of ASCII values that are human-readable text. See Appendix A for more detailed information on the Base-64 algorithm.

You would use the Base-64 Transform, for example, if the Reference URI were pointing to a GIF image like that in Listing 4.18.

Listing 4.18 A <Reference> URI for a GIF Image Requiring Base-64 Transform

<Reference URI="myPicture.gif">
        Algorithm=http://www.w3.org/2000/09/xmldsig#base64 />
  <DigestAlgorithm ... />
  <DigestValue ... />

The Base-64 Transform takes in octets and outputs octets.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.

>>> More Security Articles          >>> More By Sams Publishing

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: