Home arrow Security arrow Page 7 - Safeguarding the Identity and Integrity of XML Messages

XML Signature Validation - Security

XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

  1. Safeguarding the Identity and Integrity of XML Messages
  2. XML Signature Fundamentals
  3. XML Signature Structure
  4. Types of XML Signatures
  5. The Signature Element Schema
  6. XML Signature Processing
  7. XML Signature Validation
  8. The XML Signature Elements
  9. Canonicalization Actions from Canonical XML Version 1.0
  10. The SignatureMethod Element
  11. The Reference Element
  12. The Transform Element
  13. XPath Filtering Transform
  14. Enveloped Signature Transform
  15. XPath Filter 2.0 Transform
  16. The DigestMethod Element
  17. The Object Element
  18. The Manifest Element
  19. The KeyInfo Element
  20. Security Strategies for XML Signature
  21. Summary
By: Sams Publishing
Rating: starstarstarstarstar / 7
September 09, 2004

print this article



The process to validate an XML Signature is similar, except that it occurs in reverse. It is composed of two major processes like Signature generation: Reference validation and Signature validation. The goal of Reference validation is to ensure that the resource being pointed to by each Reference has not been changed. The goal of Signature validation is to ensure that the entire SignedInfo block has not been changed. Only if both of these processes succeed is integrity confirmed for the entire Signature.

Reference Validation

For Reference validation, you need to validate that the resources pointed to by the Reference elements have not changed. The first step is to canonicalize the SignedInfo element based on the CanonicalizationMethod element. Then the following steps are completed for each Reference element in the SignedInfo.

  1. Get the data that is pointed to in the Reference. This will either be from the URI attribute, or as we mentioned above, it may be supplied by the application calling the XML Signature processing engine.

  2. Apply any Transforms to the data returned. For example, if the Reference URI points to an XML document, it is likely that a Canonicalization Transform will be specified in the Reference element.

  3. Create a hash of the data using the DigestMethod specified in the Reference.

  4. Compare the resulting hash with the DigestValue in the Reference. If there is any difference, the validation fails.

Signature Validation

If Reference validation is successful, the XML Processing engine can proceed to Signature validation. The objective of the Signature validation step is to confirm that SignedInfo has not been changed (integrity) and, as in any digital signature verification, that the appropriate key has signed this information (that is, non-repudiation). Here are the steps for Signature validation:

  1. Obtain the key for verification from the KeyInfo block, or in some other manner. Note that it is critical to determine trust for this key—ensuring that it is certainly bound to the expected identity. You learn more about this topic in Chapter 9, "Trust, Access Control, and Rights for Web Services."

  2. Using the output of the SignedInfo canonicalization, create a hash of the SignedInfo.

  3. Using the verification key, decrypt the SignedInfo element. Compare the hash from step 2 to the result of this verification. If they do not match, Signature validation has failed.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.

>>> More Security Articles          >>> More By Sams Publishing

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: