Home arrow Security arrow Page 4 - Safeguarding the Identity and Integrity of XML Messages

Types of XML Signatures - Security

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

TABLE OF CONTENTS:
  1. Safeguarding the Identity and Integrity of XML Messages
  2. XML Signature Fundamentals
  3. XML Signature Structure
  4. Types of XML Signatures
  5. The Signature Element Schema
  6. XML Signature Processing
  7. XML Signature Validation
  8. The XML Signature Elements
  9. Canonicalization Actions from Canonical XML Version 1.0
  10. The SignatureMethod Element
  11. The Reference Element
  12. The Transform Element
  13. XPath Filtering Transform
  14. Enveloped Signature Transform
  15. XPath Filter 2.0 Transform
  16. The DigestMethod Element
  17. The Object Element
  18. The Manifest Element
  19. The KeyInfo Element
  20. Security Strategies for XML Signature
  21. Summary
By: Sams Publishing
Rating: starstarstarstarstar / 7
September 09, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

As we mentioned previously, when reading about or discussing XML Signature, you will often hear about three different types of XML Signatures: Enveloping, Enveloped, and Detached. In the next three sections, we describe each of these signature types and show you how they work.

Enveloping Signatures

An Enveloping Signature wraps the item that is being signed, as shown in Figure 4.1. Later, we discuss specifically how this is done, but for now suffice it to say that the reference is to an XML element within the Signature element itself. The following simplified example in Listing 4.3 shows what an Enveloping Signature might look like (notice that the URI points to an item within the Signature Object element):

Listing 4.3 A Simplified Enveloping Signature

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <Reference URI="#111" />
 </SignedInfo>
 <SignatureValue>...</SignatureValue>
 <KeyInfo>...</KeyInfo>
 <Object>
   <SignedItem id="111">Stuff to be signed</SignedItem>
 </Object>
</Signature>

Safeguarding the Identity and Integrity of XML Messages

Figure 4.1  Structure of an Enveloping Signature.

Enveloped Signatures

In an Enveloped Signature, the reference points to a parent XML element, as shown in Figure 4.2. The following simplified example in Listing 4.4 shows what an Enveloped Signature might look like (notice that the Reference is to an element that is a parent of the Signature):

Listing 4.4 A Simplified Enveloped Signature

<PurchaseOrder id="po1">
 <SKU>125356</SKU>
 <Quantity>17</Quantity>
 <Signature xmlns="
http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <Reference URI="#po1" />
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>...</KeyInfo>
 </Signature>
</PurchaseOrder>

Introduction To and Motivation for XML Signature

Figure 4.2  Structure of an Enveloped Signature.

Detached Signatures

Finally, a Detached Signature points to an XML element or binary file outside the Signature element's hierarchy. In other words, the item being pointed to is neither a child (Enveloping Signature) nor a parent (Enveloped Signature) of the Signature element. Therefore, a Detached Signature could point to an element within the same document, as shown in Figure 4.3, or to a another resource completely outside the current XML document, as shown in Figure 4.4. The following example in Listing 4.5 of a Detached Signature points to another XML element within the same XML document but is not an ancestor or child of the Signature:

Listing 4.5 Structure of a Detached Signature

<PurchaseOrderDocument>
 <PurchaseOrder id="po1">
  <SKU>12366</SKU>
  <Quantity>17</SKU>
 </PurchaseOrder>
 <Signature xmlns="
http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <Reference URI="#po1" />
 </SignedInfo>
 <SignatureValue>...</SignatureValue>
 <KeyInfo>...</KeyInfo>
</Signature>

Introduction To and Motivation for XML Signature

Figure 4.3 Structure of a Detached Signature within the same
XML document.

A Detached Signature can also point to an external resource such as another XML document, a node in another XML document, a text file, or generally any type of resource that can be referenced by a URI, as shown in Figure 4.4. The following simplified example in Listing 4.6 of a Detached Signature points to a JPEG file:

Listing 4.6 A Detached Signature of an External JPEG File

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <Reference URI="
http://www.foo.com/picture.jpg" />
 </SignedInfo>
 <SignatureValue>...</SignatureValue>
 <KeyInfo>...</KeyInfo>
</Signature>

Safeguarding the Identity and Integrity of XML Messages

Figure 4.4  Structure of Detached Signature referencing an
external resource.

Even though these are often called signature types, even in the XML Signature specification, they are really about references. It would be more accurate to describe them as Enveloping Reference, Enveloped Reference, and Detached Reference. Then the next statement becomes more understandable. An XML Signature can be enveloping, enveloped, and detached all at the same time! This means that the Signature element can contain more than one Reference element, and a Reference element can be enveloping, enveloped, or detached.

We wanted to give you the highest level overview of XML Signature and emphasize that XML Signature is mostly just one or more pointers (references) that can point to XML elements, internal or external to the Signature itself, or to an external resource. These pointers are dereferenced and grouped together; then they go through a signature process resulting in a signature. All of this—the pointers, the signature itself, and, optionally, the key information to validate the signature—goes into an XML Signature element.

Now let's go to the next level of detail and explore the different aspects of the Signature element.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.



 
 
>>> More Security Articles          >>> More By Sams Publishing
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: