Page 7 - Safeguarding the Identity and Integrity of XML Messages

Dev Shed Forums

Administration
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Style-Sheets
Web Services
XML
Zend
Zope

Forums Sitemap
IBM® developerWorks

Dedicated Servers
E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
Download TestComplete
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

SECURITY

RSS

Safeguarding the Identity and Integrity of XML Messages

By: Sams Publishing	Search For More Articles! Disclaimer Author Terms
Rating: / 6
2004-09-09

Table of Contents:

Safeguarding the Identity and Integrity of XML Messages

XML Signature Fundamentals

XML Signature Structure

Types of XML Signatures

The Signature Element Schema

XML Signature Processing

XML Signature Validation

The XML Signature Elements

Canonicalization Actions from Canonical XML Version 1.0

The SignatureMethod Element

The Reference Element

The Transform Element

XPath Filtering Transform

Enveloped Signature Transform

XPath Filter 2.0 Transform

The DigestMethod Element

The Object Element

The Manifest Element

The KeyInfo Element

Security Strategies for XML Signature

Summary

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

ADVERTISEMENT

Stay one step ahead of the competition. Evaluate and give feedback on some of the hottest web development tools on the market today. Make your opinion heard! Click Here

Safeguarding the Identity and Integrity of XML Messages - XML Signature Validation
(Page 7 of 21 )

The process to validate an XML Signature is similar, except that it occurs in reverse. It is composed of two major processes like Signature generation: Reference validation and Signature validation. The goal of Reference validation is to ensure that the resource being pointed to by each Reference has not been changed. The goal of Signature validation is to ensure that the entire SignedInfo block has not been changed. Only if both of these processes succeed is integrity confirmed for the entire Signature.

Reference Validation

For Reference validation, you need to validate that the resources pointed to by the Reference elements have not changed. The first step is to canonicalize the SignedInfo element based on the CanonicalizationMethod element. Then the following steps are completed for each Reference element in the SignedInfo.

Get the data that is pointed to in the Reference. This will either be from the URI attribute, or as we mentioned above, it may be supplied by the application calling the XML Signature processing engine.
Apply any Transforms to the data returned. For example, if the Reference URI points to an XML document, it is likely that a Canonicalization Transform will be specified in the Reference element.
Create a hash of the data using the DigestMethod specified in the Reference.
Compare the resulting hash with the DigestValue in the Reference. If there is any difference, the validation fails.

Signature Validation

If Reference validation is successful, the XML Processing engine can proceed to Signature validation. The objective of the Signature validation step is to confirm that SignedInfo has not been changed (integrity) and, as in any digital signature verification, that the appropriate key has signed this information (that is, non-repudiation). Here are the steps for Signature validation:

Obtain the key for verification from the KeyInfo block, or in some other manner. Note that it is critical to determine trust for this key—ensuring that it is certainly bound to the expected identity. You learn more about this topic in Chapter 9, "Trust, Access Control, and Rights for Web Services."
Using the output of the SignedInfo canonicalization, create a hash of the SignedInfo.
Using the verification key, decrypt the SignedInfo element. Compare the hash from step 2 to the result of this verification. If they do not match, Signature validation has failed.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
Buy this book now.

Next: The XML Signature Elements >>

More Security Articles
More By Sams Publishing

Comments On: Safeguarding the Identity and Integrity of XML Messages

>>> Be the FIRST to comment on this article!

SECURITY ARTICLES

- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II
- What’s behind the curtain? Part I
- Vectors
- PKI: Looking at the Risks
- A Quick Look at Cross Site Scripting
- PKI Architectures: How to Choose One
- Trust, Access Control, and Rights for Web Se...
- Basic Concepts of Web Services Security
- Safeguarding the Identity and Integrity of X...
Find More Security Articles

Accelerating Trading Partner Performance

Competing on Analytics

Cost Effective Scaling with Virtualization and Coyote Point Systems

Five Checkpoints to Implementing IP Telephony

Hosted Email Security: Staying Ahead of New Threats