Page 4 - Safeguarding the Identity and Integrity of XML Messages

Dev Shed Forums

Administration
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Style-Sheets
Web Services
XML
Zend
Zope

Forums Sitemap
IBM® developerWorks

Dedicated Servers
E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
Download TestComplete
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

SECURITY

RSS

Safeguarding the Identity and Integrity of XML Messages

By: Sams Publishing	Search For More Articles! Disclaimer Author Terms
Rating: / 6
2004-09-09

Table of Contents:

Safeguarding the Identity and Integrity of XML Messages

XML Signature Fundamentals

XML Signature Structure

Types of XML Signatures

The Signature Element Schema

XML Signature Processing

XML Signature Validation

The XML Signature Elements

Canonicalization Actions from Canonical XML Version 1.0

The SignatureMethod Element

The Reference Element

The Transform Element

XPath Filtering Transform

Enveloped Signature Transform

XPath Filter 2.0 Transform

The DigestMethod Element

The Object Element

The Manifest Element

The KeyInfo Element

Security Strategies for XML Signature

Summary

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

ADVERTISEMENT

Stay one step ahead of the competition. Evaluate and give feedback on some of the hottest web development tools on the market today. Make your opinion heard! Click Here

Safeguarding the Identity and Integrity of XML Messages - Types of XML Signatures
(Page 4 of 21 )

As we mentioned previously, when reading about or discussing XML Signature, you will often hear about three different types of XML Signatures: Enveloping, Enveloped, and Detached. In the next three sections, we describe each of these signature types and show you how they work.

Enveloping Signatures

An Enveloping Signature wraps the item that is being signed, as shown in Figure 4.1. Later, we discuss specifically how this is done, but for now suffice it to say that the reference is to an XML element within the Signature element itself. The following simplified example in Listing 4.3 shows what an Enveloping Signature might look like (notice that the URI points to an item within the Signature Object element):

Listing 4.3 A Simplified Enveloping Signature

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<Reference URI="#111" />
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>...</KeyInfo>
<Object>
<SignedItem id="111">Stuff to be signed</SignedItem>
</Object>
</Signature>

Figure 4.1 Structure of an Enveloping Signature.

Enveloped Signatures

In an Enveloped Signature, the reference points to a parent XML element, as shown in Figure 4.2. The following simplified example in Listing 4.4 shows what an Enveloped Signature might look like (notice that the Reference is to an element that is a parent of the Signature):

Listing 4.4 A Simplified Enveloped Signature

<PurchaseOrder id="po1">
<SKU>125356</SKU>
<Quantity>17</Quantity>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<Reference URI="#po1" />
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>...</KeyInfo>
</Signature>
</PurchaseOrder>

Figure 4.2 Structure of an Enveloped Signature.

Detached Signatures

Finally, a Detached Signature points to an XML element or binary file outside the Signature element's hierarchy. In other words, the item being pointed to is neither a child (Enveloping Signature) nor a parent (Enveloped Signature) of the Signature element. Therefore, a Detached Signature could point to an element within the same document, as shown in Figure 4.3, or to a another resource completely outside the current XML document, as shown in Figure 4.4. The following example in Listing 4.5 of a Detached Signature points to another XML element within the same XML document but is not an ancestor or child of the Signature:

Listing 4.5 Structure of a Detached Signature

<PurchaseOrderDocument>
<PurchaseOrder id="po1">
<SKU>12366</SKU>
<Quantity>17</SKU>
</PurchaseOrder>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<Reference URI="#po1" />
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>...</KeyInfo>
</Signature>

Figure 4.3 Structure of a Detached Signature within the same
XML document.

A Detached Signature can also point to an external resource such as another XML document, a node in another XML document, a text file, or generally any type of resource that can be referenced by a URI, as shown in Figure 4.4. The following simplified example in Listing 4.6 of a Detached Signature points to a JPEG file:

Listing 4.6 A Detached Signature of an External JPEG File

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<Reference URI="http://www.foo.com/picture.jpg" />
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>...</KeyInfo>
</Signature>

Figure 4.4 Structure of Detached Signature referencing an
external resource.

Even though these are often called signature types, even in the XML Signature specification, they are really about references. It would be more accurate to describe them as Enveloping Reference, Enveloped Reference, and Detached Reference. Then the next statement becomes more understandable. An XML Signature can be enveloping, enveloped, and detached all at the same time! This means that the Signature element can contain more than one Reference element, and a Reference element can be enveloping, enveloped, or detached.

We wanted to give you the highest level overview of XML Signature and emphasize that XML Signature is mostly just one or more pointers (references) that can point to XML elements, internal or external to the Signature itself, or to an external resource. These pointers are dereferenced and grouped together; then they go through a signature process resulting in a signature. All of this—the pointers, the signature itself, and, optionally, the key information to validate the signature—goes into an XML Signature element.

Now let's go to the next level of detail and explore the different aspects of the Signature element.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
Buy this book now.

Next: The Signature Element Schema >>

More Security Articles
More By Sams Publishing

Comments On: Safeguarding the Identity and Integrity of XML Messages

>>> Be the FIRST to comment on this article!

SECURITY ARTICLES

- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting
- PKI Architectures: How to Choose One
- Trust, Access Control, and Rights for Web Se...
- Basic Concepts of Web Services Security
- Safeguarding the Identity and Integrity of X...
Find More Security Articles

Accelerating Trading Partner Performance

Competing on Analytics

Cost Effective Scaling with Virtualization and Coyote Point Systems

Five Checkpoints to Implementing IP Telephony

Hosted Email Security: Staying Ahead of New Threats