论文信息 - Breaking and fixing the inline approach

Breaking and fixing the inline approach

McIntosh and Austel (SWS 2005, [12] ) have shown that standard semantics of digital signatures in context of WS-Security fail: If parts of the document are signed and the signature verification applied to the whole document returns a Boolean value, then the document can be significantly altered without invalidating the signature. Rahaman, Schaad and Rits (SWS 2006, [15] ) introduce the inline approach against the flaw. We analyze the inline approach and demonstrate weaknesses by the construction of counterexamples. Finally, we study solution ideas that mitigate XML wrapping attacks.

[1] Jon Callas,et al. OpenPGP Message Format , 1998, RFC.

[2] Steven J. DeRose,et al. XML Path Language (XPath) Version 1.0 , 1999 .

[3] P. Wadler. Two semantics for XPath , 2000 .

[4] Abel,et al. A formal semantics of patterns in XSLT , 2000 .

[5] John Boyer. Canonical XML Version 1.0 , 2001, RFC.

[6] Donald E. Eastlake,et al. XML-Signature Syntax and Processing , 2001, RFC.

[7] D. Eastlake,et al. XML Encryption Syntax and Processing , 2003 .

[8] Phillip Hallam-Baker,et al. Web services security: soap message security , 2003 .

[9] Donald E. Eastlake,et al. Exclusive XML Canonicalization, Version 1.0 , 2004, RFC.

[10] Andrew D. Gordon,et al. Verifying policy-based security for web services , 2004, CCS '04.

[11] Andrew D. Gordon,et al. An advisor for web services security policies , 2005, SWS '05.

[12] Michael McIntosh,et al. XML signature element wrapping attacks and countermeasures , 2005, SWS '05.

[13] Andreas Schaad,et al. Towards secure SOAP message exchange in a SOA , 2006, SWS '06.

[14] Mohammad Ashiqur Rahaman. An inline approach for secure SOAP requests and early validation , 2006 .