A Pattern for XML Signature - PowerPoint PPT Presentation

Slides: 18
Provided by: Kei37
Learn more at: https://www.cse.fau.edu
Transcript and Presenter's Notes

1
A Pattern for XML Signature
  • Presented by Keiko Hashizume

2
Outline
  • Introduction
  • A Pattern for WS-Security
  • Conclusion

3
Introduction
  • Digital signatures existed before XML Signature.
    One of the most common is the PKCS7 signature.
  • Before XML Signature, it was possible to sign XML
    documents, but it was not possible to express the
    signature in an XML format. Also, it was not
    possible to sign only some parts of the document.
  • XML Signature was developed by the W3C and the
    IETF (Internet Engineering Task Force).

4
A Pattern for WS-Security
  • The XML Signature standard describes the syntax and
    the process of generating and validating digital
    signatures. XML Signature provides message
    integrity, message authentication, and
    non-repudiation.
  • Context
  • Users of web services send and receive SOAP
    messages through insecure channels such as the
    Internet.

5
Problem
  • Because SOAP messages travel through insecure
    channels, they may be intercepted and modified
    while they are in transit.
  • The solution for this problem is affected by the
    following forces:
  • We need to express a digital signature in a
    standardized XML format, so interoperability can
    be ensured between applications.

6
Problem
  • Forces
  • Messages may be captured while they are in
    transit, so we need to be able to verify if this
    data was modified.
  • Messages can be sent and later disavowed, so we
    need to prevent senders from denying having sent a
    specific message.
  • An XML message, any part of an XML message, or
    external resources can be signed. We need a way
    to refer to and locate these elements.
  • XML documents may be parsed by different
    processors, and also XML allows some flexibility
    without changing the semantics of the message.
    Thus, we need to convert the data to a standard
    format.

7
  • Solution
  • Structure - Class Diagram

[Figure: Structure - Class Diagram]

8
Signature Types
  • Enveloping Signature

9
Signature Type
  • Enveloped Signature

10
Signature Type
  • Detached Signature

11
Signature Type
  • Detached Signature

12
  • Dynamics

[Figure: Sequence Diagram for the UC Sign an XML-Element]

13
Consequences
  • This pattern presents the following advantages:
  • XML Signature describes a common framework for
    digital signatures.
  • Using digest algorithms guarantees that any change
    in the message will invalidate the signature.
  • A signature is generated using the sender's
    private key. Because the sender is the only one
    that knows his private key, he cannot deny
    signing the data.
  • The data being signed is referred to by its URI
    (Uniform Resource Identifier), so elements within
    XML messages and external resources can be
    located using their identifiers.
  • XML Signature uses canonicalization algorithms to
    ensure that different representations of XML are
    transformed into a standard format before
    applying any digest algorithm.
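
The URI lookup and the canonicalize-then-digest step described in the advantages above, as an added example that is not part of the original slides. The message layout, the `Id` attribute name, SHA-256 and Canonical XML 2.0 are assumptions chosen for illustration; signing the digest with the sender's private key is left out.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def canonical_form(document: str, uri: str) -> str:
    """Resolve a same-document URI such as '#body' and canonicalize that element."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled in this sketch")
    wanted = uri[1:]
    matches = [el for el in ET.fromstring(document).iter() if el.get("Id") == wanted]
    if len(matches) != 1:
        # No match, or an ambiguous Id: refuse instead of guessing which element was signed.
        raise ValueError(f"expected one element with Id={wanted!r}, found {len(matches)}")
    element = matches[0]
    element.tail = None  # trailing text belongs to the parent, not to the signed element
    # ET.canonicalize implements Canonical XML 2.0 (Python 3.8+).
    return ET.canonicalize(ET.tostring(element, encoding="unicode"))

def reference_digest(document: str, uri: str) -> str:
    """Base64 SHA-256 digest of the canonicalized element, as a DigestValue would carry."""
    canonical = canonical_form(document, uri)
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")

# Constructed sample messages (simplified, no namespaces).
SENT = '<Envelope><Body Id="body" actor="bank"><Transfer currency="USD" amount="100"/></Body></Envelope>'
# Same content as SENT, re-serialized by a different processor.
RESERIALIZED = ("<Envelope><Body actor='bank'   Id='body'>"
                '<Transfer amount="100" currency="USD"></Transfer></Body></Envelope>')
# Content modified in transit.
TAMPERED = SENT.replace('amount="100"', 'amount="900"')

if __name__ == "__main__":
    expected = reference_digest(SENT, "#body")  # value the sender would place in the signature
    for name, doc in [("reserialized", RESERIALIZED), ("tampered", TAMPERED)]:
        ok = reference_digest(doc, "#body") == expected
        print(f"{name}: digest {'matches' if ok else 'MISMATCH'}")
```

Attribute order, quote style and the empty-element form differ between the first two messages, yet both canonicalize to the same bytes; only the modified amount changes the digest.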

14
Consequences
  • The pattern also has some (possible) liabilities:
  • Large overhead because of the use of many types
    of algorithms such as digest, canonicalization
    and signature algorithms.

15
Known Uses
  • Several vendors have developed products that
    support WS-Security.
  • Xtradyne's WS-DBC (Web Service Domain Boundary
    Controller) http://www.xtradyne.com/products/ws-dbc/WSDBCfeatures.htm
  • IONA Artix www.iona.com/info/aboutus/collateral/Artix20and20Security.pdf
  • Forum Sentry http://forumsys.com/products_sentry_specs.htm
  • SecureXML Digital Signature Web Service
    http://www.infomosaic.net/Welcome.htm

16
Related Patterns
  • The WS-Security standard uses XML Signature.

17
Conclusion
  • We need to develop patterns for the WS family
    such as WS-Policy, WS-Privacy, WS-SecureConversation,
    WS-Federation, and WS-Authorization.
  • We need to develop a pattern diagram describing
    how these standards are related to each other.