Page 6 - Safeguarding the Identity and Integrity of XML Messages

Dev Shed Forums

Administration
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Style-Sheets
Web Services
XML
Zend
Zope

Forums Sitemap
IBM® developerWorks

Dedicated Servers
E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
Download TestComplete
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

SECURITY

RSS

Safeguarding the Identity and Integrity of XML Messages

By: Sams Publishing	Search For More Articles! Disclaimer Author Terms
Rating: / 6
2004-09-09

Table of Contents:

Safeguarding the Identity and Integrity of XML Messages

XML Signature Fundamentals

XML Signature Structure

Types of XML Signatures

The Signature Element Schema

XML Signature Processing

XML Signature Validation

The XML Signature Elements

Canonicalization Actions from Canonical XML Version 1.0

The SignatureMethod Element

The Reference Element

The Transform Element

XPath Filtering Transform

Enveloped Signature Transform

XPath Filter 2.0 Transform

The DigestMethod Element

The Object Element

The Manifest Element

The KeyInfo Element

Security Strategies for XML Signature

Summary

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

ADVERTISEMENT

Stay one step ahead of the competition. Evaluate and give feedback on some of the hottest web development tools on the market today. Make your opinion heard! Click Here

Safeguarding the Identity and Integrity of XML Messages - XML Signature Processing
(Page 6 of 21 )

We have reviewed at a high level the XML Signature elements. Now let's review how an XML Signature is created and then subsequently verified before we go into each element in more detail. This process is actually relatively straightforward. The basic steps are described in the following sections. (Note that unless you are writing a signature processing engine, you won't be performing this process yourself. This description is provided mainly so that you understand what is going on under the covers.)

XML Signature Generation

XML Signature generation is broken down into two components: Reference generation and Signature generation.

Reference Generation

When generating an XML Signature, an XML Signature processing engine first creates all the References. This process involves iterating through all the data objects that are to be signed and calculating their digest value. This basic process is as follows:

Obtain the resource specified by the Reference URI or, if not specified, as determined by the application. Note that seeing XML Signatures that do not use that Reference element to refer to what is being signed is rare; however, the specification allows for the possibility that what is being signed is known from the context of the situation and therefore does not have to be specified.
In the example earlier, the reference http://www.foo.com/securePage.html would be dereferenced.
Apply the Transforms.
Transforms were used in the earlier example. A simple Transform might be an XPath statement that causes the signature to apply only to a part of an XML document. We describe Transforms in more detail later in the chapter.
Calculate the Digest using the DigestMethod specified. This step results in the creation of the DigestValue element.
Create the Reference element, including all the sub-elements described previously.

At the end of Reference generation, the XML Signature processing engine will have everything necessary to generate the Reference element. In the simple example used earlier, this looks like Listing 4.9.

Listing 4.9 The XML Signature <Reference> Element

<Reference URI="http://www.foo.com/securePage.html">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
</Reference>

Signature Generation

After all the Reference elements are created, the XML processing engine can create the Signature itself. To do this, it must gather all the information necessary to create the SignedInfo element, which is what is actually signed in an XML Signature. Here are the steps:

Create the SignedInfo element itself, including the Reference objects created in Reference generation and the CanonicalizationMethod, SignatureMethod, and DigestMethod. The information in SignedInfo is what is actually signed. Listing 4.10 shows the SignedInfo from the earlier example.

Listing 4.10 The <SignedInfo> Element
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20001011" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="http://www.foo.com/securePage.html">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>60NvZvtdTB+7UnlLp/H24p7h4bs=</DigestValue>
</Reference>
</SignedInfo>
Canonicalize SignedInfo using the CanonicalizationMethod specified. We talk in detail about canonicalization later, but suffice it to say that whenever XML is being signed, it needs to be "normalized" before creating the hash and actually signing the SignedInfo information.
Using the output from the canonicalization algorithm, create a hash of the SignedInfo element using the specified DigestMethod.
Calculate the SignatureValue using the algorithm specified in SignatureMethod against the hashed, canonicalized SignedInfo element that was calculated in step 3. Listing 4.11 shows the SignatureValue element from the earlier example:

Listing 4.11 The <SignatureValue> Element
<SignatureValue>
hTHQJyd3C6ww/OJz07P4bMOgjqBdznSUOsCh6P+0MpF69w2tln/PFLdx/EP4/VKX
</SignatureValue>
Bundle the SignedInfo, SignatureValue, KeyInfo (if supplied), and Object (if necessary) into the Signature element.

You now have an XML Signature. The key point to remember here is that the SignedInfo element is what is really being signed, not the direct resource(s) targeted by the Reference URI(s). Of course, because a digest of the target URI(s) is included in the SignedInfo element, it is being indirectly signed along with the information about the signature in the SignedInfo element.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
Buy this book now.

Next: XML Signature Validation >>

More Security Articles
More By Sams Publishing

Comments On: Safeguarding the Identity and Integrity of XML Messages

>>> Be the FIRST to comment on this article!

SECURITY ARTICLES

- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting
- PKI Architectures: How to Choose One
- Trust, Access Control, and Rights for Web Se...
- Basic Concepts of Web Services Security
- Safeguarding the Identity and Integrity of X...
Find More Security Articles

Accelerating Trading Partner Performance

Competing on Analytics

Cost Effective Scaling with Virtualization and Coyote Point Systems

Five Checkpoints to Implementing IP Telephony

Hosted Email Security: Staying Ahead of New Threats