Chapter 4: XML Signature


Overview

It’s no accident that XML Signature was the first XML security standard to reach recommendation status. Although not a Web Services security technology itself, XML Signature is a building block for many Web Services security technologies such as XKMS and WS-Security. Without XML Signature, these would not exist. Just as XML forms the basis of Web Services, XML security (XML Signature and XML Encryption) forms the basis of Web Services security.

We saw in Chapter 2 that in the world of security, digital signatures are highly versatile. When tied to the identity of the signing party, digital signatures are used to provide nonrepudiation. When a digital signature indicates proof of possession of a signing token such as a private key or a smartcard, they can also be used for authentication. Used alone, digital signatures provide data integrity. This is useful not only to provide integrity for data being passed in a SOAP message, but also to provide integrity for security tokens in the SOAP message. In Chapter 6 (SAML) and Chapter 4 (XML Encryption), we will see how XML Signature is used in conjunction with other XML security and Web Services security technologies.

One of the central themes of this book is that security should be considered in terms of high-level requirements first, before dropping down to the implementation technology. This means that rather than first thinking “I need XML Signature for my Web Services,” a security architect should think “I need to ensure the integrity of the data I am receiving through my Web Services, so how best can I enforce that?” XML Signature is one of the ways, but there are others (SSL enforces integrity for data while the SSL session occurs, and IPSec also enforces integrity while data is in transit). Thinking in terms of high-level security principles is not only less confusing, it’s also safer than the low-level approach of throwing brand new security specifications at a problem, without thinking about the problems which they are meant to solve. Simply adding a certain technology to the mix is rarely enough.

On its own, XML Signature provides integrity for data. XML Signature is also important for authentication and nonrepudiation, but it does not provide these functions on its own. For these, it must exist in the context of identity-based security. WS-Security describes how XML Signature can be used to bind a security token to a SOAP message, and, by extension, bind the identity of the signer to a SOAP message.

In a similar vein, XML Signature is a technology that must be implemented correctly if it is to be a valid security tool. It is important to know what is being signed. Conversely, if a signature is being verified, it’s important that the signature is over the appropriate data. Imagine the scenario where a signed SOAP message is received, but the signature is over a meaningless portion of the SOAP message. The signature would still verify correctly, and as a result the data may be wrongly trusted.

When XML Signature is performed as a result of a human decision to sign (for example, when a user sees some data onscreen and presses a “sign” button), there are implications also. The user is making the signing decision based on visual data, but the user may not actually see the underlying XML, which is what is signed. This would raise doubt about the signature’s validity.

XML Signature may also be used for integrity and nonrepudiation of WSDL files also, so that a definition of a Web Service can be published and later trusted to not have been tampered with, or been forged by a third party. XML Signature also finds uses in ebXML, which we will see later.

Used alone, XML Signature provides a useful means of expressing a digital signature over XML data. This is important, but it requires a SOAP binding to be useful for Web Services—in other words, a formal definition of how an XML Signature can be placed into a SOAP message, in order to express a digital signature over an XML payload, or over a security token such as an X.509 certificate. WS-Security provides this SOAP binding for XML Signature.




Web Services Security
Web Services Security
ISBN: 0072224711
EAN: 2147483647
Year: 2003
Pages: 105
Authors: Mark ONeill

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net