Home arrow Security arrow Page 18 - Safeguarding the Identity and Integrity of XML Messages

The

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:
  1. Safeguarding the Identity and Integrity of XML Messages
  2. XML Signature Fundamentals
  3. XML Signature Structure
  4. Types of XML Signatures
  5. The Signature Element Schema
  6. XML Signature Processing
  7. XML Signature Validation
  8. The XML Signature Elements
  9. Canonicalization Actions from Canonical XML Version 1.0
  10. The SignatureMethod Element
  11. The Reference Element
  12. The Transform Element
  13. XPath Filtering Transform
  14. Enveloped Signature Transform
  15. XPath Filter 2.0 Transform
  16. The DigestMethod Element
  17. The Object Element
  18. The Manifest Element
  19. The KeyInfo Element
  20. Security Strategies for XML Signature
  21. Summary
By: Sams Publishing
Poor Best
Rating: starstarstarstarstar / 7
September 09, 2004

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

In terms of ocean shipping, a manifest is the list of things that the ship has onboard. In that sense, all the References within SignedInfo are a type of manifest because they list what is included in the XML Signature. Similar to SignedInfo, the Manifest element contains a list of Reference elements (exactly like the Reference elements that are children of SignedInfo). The only difference is that the References referred to in SignedInfo must be validated for the signature to be considered valid. The meaning of a Manifest Reference not validating is left up to you, as the application developer. In other words, you typically have the opportunity to be notified if a problem occurs with validation of the Manifest Reference elements; therefore, you can determine how best to handle the situation.

You might find at least two major uses for the Manifest element:

  • You may want to have more granular control over which References matter and which do not (contextually). For example, you might want it to be okay if two out of three References are valid. You would not be able to accomplish this with SignedInfo alone.

  • For performance reasons, when doing multiple signatures over the same information, you could refer to a Manifest element. The Manifest element would be computed only once, and the References from multiple signatures could point to the one Manifest. This approach could be valuable when multiple signers are signing a contract.

Use of the Manifest element is similar to the Object example described earlier, except that the Manifest element exists at one level below Object, as shown in Listing 4.26.

Listing 4.26 Use of the <Manifest> Element

<Reference URI="#MyManifest"
Type="http://www.w3.org/2000/09/xmldsig#Manifest">
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>. . .</DigestValue>
 </Reference>
 ...
 <Object>
    <Manifest Id="MyManifest">
      <Reference>
        ...
      </Reference>
      <Reference>
        ...
      </Reference>
    </Manifest>
 </Object>

As we mentioned previously, the Reference elements in Manifest are exactly like the Reference elements in SignedInfo, except that it is up to you to decide what to do if the validation on the DigestValue fails.

The SignatureProperties Element

The SignatureProperties element provides a place to put name value information about the signature itself. For example, you often need to know the time of the signature. This is a classic candidate for a signature property. Listing 4.27 shows this type of usage (it is a slightly edited version from an example in the XML Signature specification).

Listing 4.27 Use of the <SignatureProperties> Element

<Signature id="MySignature">
  <SignedInfo>
    ...
    <Reference URI="#AMadeUpTimeStamp"
   Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>. . .</DigestValue>
    </Reference>
  </SignedInfo>
  ...
  <Object>
    <SignatureProperties>
      <SignatureProperty Id="AMadeUpTimeStamp" Target="#MySignature">
        <timestamp xmlns="http://www.ietf.org/rfcXXXX.txt">
          <date>19990908</date>
          <time>14:34:34:34</time>
        </timestamp>
      </SignatureProperty>
    </SignatureProperties>
  </Object>
</Signature>

Notice that the Reference element points to a specific SignatureProperty within SignatureProperties and specifies a SignatureProperties Type. Also, notice that the Target points back to the Signature that this property is associated with.

That wraps up our discussion of the Object element. It is kind of a quirky element but important in many circumstances.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.



 
 
>>> More Security Articles          >>> More By Sams Publishing
 

blog comments powered by Disqus
   

SECURITY ARTICLES

- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting
Find More Security Articles


© 2003-2012 by Developer Shed. All rights reserved. DS Cluster 11 - Follow our Sitemap

Dev Shed Tutorial Topics: