Home arrow Security arrow Page 17 - Safeguarding the Identity and Integrity of XML Messages

The

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:
  1. Safeguarding the Identity and Integrity of XML Messages
  2. XML Signature Fundamentals
  3. XML Signature Structure
  4. Types of XML Signatures
  5. The Signature Element Schema
  6. XML Signature Processing
  7. XML Signature Validation
  8. The XML Signature Elements
  9. Canonicalization Actions from Canonical XML Version 1.0
  10. The SignatureMethod Element
  11. The Reference Element
  12. The Transform Element
  13. XPath Filtering Transform
  14. Enveloped Signature Transform
  15. XPath Filter 2.0 Transform
  16. The DigestMethod Element
  17. The Object Element
  18. The Manifest Element
  19. The KeyInfo Element
  20. Security Strategies for XML Signature
  21. Summary
By: Sams Publishing
Poor Best
Rating: starstarstarstarstar / 7
September 09, 2004

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

We have not talked much about the Object element, but when we described Enveloping Signatures, we were discussing a function that the Object element facilitates. In the case of an Enveloping Signature, the Reference URI points to an element within the Object element. We further describe this use of the Object element later in the chapter.

The Object element is essentially an element in which you put miscellaneous items other than SignedInfo, SignatureValue, and KeyInfo. It is defined in a way that you can put anything you want into it; however, typically one of three things is included within an Object element:

  • Something you want signed, such as an XML fragment or perhaps a Base-64 encoded binary object. This is to implement the Enveloping Signature concept mentioned previously.

  • A Manifest element (described later).

  • A SignatureProperties element (described later).

Tip - Remember that none of these items are inherently signed and therefore secured by the XML Signature. For these elements to be signed, they must be referred to by one of the Reference URIs in the SignedInfo section of the signature.

Listing 4.25 uses an Object element in the Enveloping Signature scenario.

Listing 4.25 An <Object> Element Used in the Enveloping Signature Scenario

<Signature>
  <SignedInfo>
  ...
  <Reference URI="#MyOrder"
    Type="http://www.w3.org/2000/09/xmldsig#Object">
    <DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>...</DigestValue>
  </Reference>
 </SignedInfo>
 ...
 <Object id="MyOrder">
    <Order>
      <LineItem sku="12348">Web Service Security Book</LineItem>
      <LineItem sku="2345">Life as a Geek Book</LineItem>
    <Order>
 </Object>
</Signature>

Note - In this example, the Object start and end tags would be included in the digest calculation for the Reference. If you do not want the Object tags to be included in the digest calculation, either

  • The Reference URI should point to the element below the Object tag that is to be signed.

    or

  • An XPath statement should exclude the Object tag.

    First, notice that the Reference URI points to an ID (MyOrder) of an Object element. Also, notice that a Type parameter is included in the Reference to provide information about what the Reference is pointing to. We deferred mentioning this point when describing the Reference element.

    The following three Type attributes are mentioned in the XML Signature specification; they all relate to items that can be contained within an Object element or the Object element itself:

    • Object (Type="http://www.w3.org/2000/09/xmldsig#Object")—The reference is to an Object element.

    • Manifest (Type="http://www.w3.org/2000/09/xmldsig#Manifest")—The reference is to a Manifest element (see the Manifest Element section next in this chapter for more information on the Manifest element).

    • SignatureProperties (Type="http://www.w3.org/2000/09/ xmldsig#SignatureProperties")—The reference is to a SignatureProperties element (see the Signature Properties section later in this chapter for more information on SignatureProperties).

    The Object element, when used in an Enveloped Signature scenario like this, can also have attributes for MimeType and Encoding. For example, if the enveloped item is a GIF image, your Object tag might look like this:

    <Object id="MyGif" MimeType="image/gif" Encoding="base64">
    ... a string of base64 characters ...
    </Object>

    You can have as many Object elements as you want. You typically create a single Object tag for each use. So, for example, if you have a signed Object and you have SignatureProperties (which is always within an Object), you have two Object elements.

    Now let's discuss the two optional children of the Object tag: Manifest and SignatureProperties.

    SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

    Buy this book now.



     
     
    >>> More Security Articles          >>> More By Sams Publishing
     

    blog comments powered by Disqus
    •    

    SECURITY ARTICLES

    - Secure Your Business for Data Privacy Day
    - Google Testing Security Fob Password Alterna...
    - Security News Highlights Concerns
    - Going to Extremes for Data Security
    - Skipfish Website Vulnerability Scanner
    - Critical Microsoft Visual Studio Security Pa...
    - US Faces Tech Security Expert Deficit
    - LAN Reconnaissance
    - An Epilogue to Cryptography
    - A Sequel to Cryptography
    - An Introduction to Cryptography
    - Security Overview
    - Network Security Assessment
    - Firewalls
    - What’s behind the curtain? Part II
    Find More Security Articles

    Developer Shed Affiliates

     

    © 2003-2013 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap

    Dev Shed Tutorial Topics: