Safeguarding the Identity and Integrity of XML Messages

Summary - Security

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them for the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

By: Sams Publishing
September 09, 2004


XML Signature is the latest and greatest technology for you to use to ensure integrity and non-repudiation (to the extent possible). Its remarkable flexibility allows you to sign parts or all of XML documents as well as binary and remote objects.

Despite the depth and size of this chapter, the medium-level concepts behind XML Signature and the way it works are not difficult to understand. An XML Signature is represented by a Signature element. The core elements of an XML Signature are the SignedInfo and SignatureValue elements. The SignedInfo element contains the CanonicalizationMethod, the SignatureMethod, and one or more Reference elements. The Reference elements contain URIs (pointers) to resources to be signed, zero or more Transform elements, a DigestMethod, and a DigestValue. Transforms are algorithms that modify the resource being referenced in some way. The SignedInfo element and all its descendants are canonicalized and signed, using the specified algorithms, with the result put into the SignatureValue element.

In addition to SignedInfo and SignatureValue, a Signature can have two other optional elements: Object and KeyInfo. The Object element is a flexible element typically used to contain items to be signed and/or other information about the Signature. The Object element may contain a SignatureProperties element, which is a place to put properties about an XML Signature such as the time the Signature occurred. An Object element can also contain a Manifest, which is a set of Reference elements formatted exactly like those in SignedInfo. The only difference is in how a failure is handled: if a Reference from a Manifest fails validation, the application is notified, whereas if a Reference from SignedInfo fails validation, the entire signature fails. KeyInfo provides the key, or a pointer to the key, needed to validate the XML Signature.
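Added example, not code from the book: the validation behaviour described in the two paragraphs above, where a failed SignedInfo Reference fails the signature and a failed Manifest Reference is only reported. Assumptions: same-document `#Id` references only, fixed SHA-256 digests and HMAC-SHA256 with a constructed key, ElementTree's C14N 2.0 standing in for Canonical XML 1.0, and a constructed sample that leaves out the algorithm elements, Transforms and KeyInfo.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
KEY = b"constructed-demo-key"  # assumption: shared HMAC key standing in for a real signing key
# Constructed sample: SignedInfo references #order and the Manifest; the Manifest references #photo.
DOC = """<Envelope><Order Id="order">10 widgets</Order><Photo Id="photo">R0lGOD</Photo>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#order"><ds:DigestValue/></ds:Reference>
<ds:Reference URI="#manifest"><ds:DigestValue/></ds:Reference></ds:SignedInfo><ds:SignatureValue/>
<ds:Object><ds:Manifest Id="manifest"><ds:Reference URI="#photo"><ds:DigestValue/></ds:Reference>
</ds:Manifest></ds:Object></ds:Signature></Envelope>"""

def c14n(elem):
    # Assumption: ElementTree's C14N 2.0 stands in for Canonical XML 1.0.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def b64(raw):
    return base64.b64encode(raw).decode()

def digest(root, uri):
    hits = [e for e in root.iter() if e.get("Id") == uri[1:]]
    # Missing or duplicated Id: return None, which never equals a DigestValue string.
    return b64(hashlib.sha256(c14n(hits[0])).digest()) if len(hits) == 1 else None

def mac(signed_info):
    return b64(hmac.new(KEY, c14n(signed_info), "sha256").digest())

def parts(root):
    sig = root.find("ds:Signature", NS)
    return sig, sig.find("ds:SignedInfo", NS), sig.find("ds:Object/ds:Manifest", NS)

def check(root, container):
    return {r.get("URI"): r.findtext("ds:DigestValue", "", NS) == digest(root, r.get("URI"))
            for r in container.findall("ds:Reference", NS)}

def sign(root):
    sig, signed_info, manifest = parts(root)
    for container in (manifest, signed_info):  # Manifest first, because SignedInfo digests it
        for ref in container.findall("ds:Reference", NS):
            ref.find("ds:DigestValue", NS).text = digest(root, ref.get("URI"))
    sig.find("ds:SignatureValue", NS).text = mac(signed_info)

def validate(root):
    sig, signed_info, manifest = parts(root)
    sig_ok = hmac.compare_digest(mac(signed_info), sig.findtext("ds:SignatureValue", "", NS))
    # A failed SignedInfo Reference fails the signature; a failed Manifest Reference is only reported.
    return {"valid": sig_ok and all(check(root, signed_info).values()),
            "manifest": check(root, manifest)}
```

Changing the `Photo` text after `sign()` leaves `valid` true and flips only the Manifest entry, because the signature covers the Manifest's digest values rather than the photo itself; the application has to act on the Manifest result.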

The Reference URI is quite flexible and can point to resources in a variety of ways. There are three types of References, also known as XML Signature types: Enveloping Signatures, in which the Signature element wraps the item being signed; Enveloped Signatures, in which the Signature element is a descendant of the resource being signed; and Detached Signatures, in which the resource being pointed to is none of the above. Detached Signatures can have Reference URIs pointing to an XML element within the current document (but not to an ancestor node), to a binary file such as a GIF image, or to all or part of an external XML document.
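Added example, not code from the book: the three signature types above expressed as tree relationships between the Signature element and the element each Reference URI resolves to, which is what a verifier inspects to confirm that the signed node is the one the application consumes. The sample document, the `Id` attribute convention and the `classify` function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample: one Signature with five References of different kinds.
SAMPLE = """<Doc Id="doc"><Body Id="body">pay 10</Body>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI="#doc"/><ds:Reference URI="#body"/><ds:Reference URI="#note"/>
<ds:Reference URI="http://example.com/logo.gif"/><ds:Reference URI=""/></ds:SignedInfo>
<ds:Object Id="note">carried inside the Signature</ds:Object></ds:Signature></Doc>"""

def classify(doc_xml):
    """Map each Reference URI to enveloping, enveloped, detached or unresolved."""
    root = ET.fromstring(doc_xml)
    parent = {child: p for p in root.iter() for child in p}

    def ancestors(elem):
        while elem in parent:
            elem = parent[elem]
            yield elem

    kinds = {}
    for sig in root.iter(DS + "Signature"):
        for ref in sig.iter(DS + "Reference"):
            uri = ref.get("URI", "")
            target = next((e for e in root.iter() if e.get("Id") == uri[1:]), None)
            if uri == "":
                kind = "enveloped"    # URI="" is the whole document holding the Signature
            elif not uri.startswith("#"):
                kind = "detached"     # external resource, e.g. a GIF or another XML document
            elif target is None:
                kind = "unresolved"   # nothing carries that Id: treat as a validation failure
            elif sig in ancestors(target):
                kind = "enveloping"   # signed item sits inside the Signature
            elif target in ancestors(sig):
                kind = "enveloped"    # Signature sits inside the signed item
            else:
                kind = "detached"     # same document, but neither contains the other
            kinds[uri] = kind
    return kinds
```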

We have spent extra time on helping you to understand XML Signature primarily because it is the first of the XML Security standards and is fundamental to the newer XML and Web Services Security standards. A good familiarity with XML Signature will help you understand the following standards, as well as provide you with a powerful tool for securing your Web services applications.

In the next chapter, we look at XML Signature's sibling standard: XML Encryption.



This chapter is from Securing Web Services with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
