XSpRES - Robust and Effective XML Signatures for Web Services

Christian Mainka, Meiko Jensen, Luigi Lo Iacono, Jörg Schwenk

2012

Abstract

XML Encryption and XML Signature are fundamental security standards forming the core for many applications which require to process XML-based data. Due to the increased usage of XML in distributed systems and platforms such as in SOA and Cloud settings, the demand for robust and effective security mechanisms increased as well. Recent research work discovered, however, substantial vulnerabilities in these standards as well as in the vast majority of the available implementations. Amongst them, the so-called XML Signature Wrapping attack belongs to the most relevant ones. With the many possible instances of this attack type, it is feasible to annul security systems relying on XML Signature and to gain access to protected resources as has been successfully demonstrated lately for various Cloud infrastructures and services. This paper contributes a comprehensive approach to robust and effective XML Signatures for SOAP-based Web Services. An architecture is proposed, which integrates the required enhancements to ensure a fail-safe and robust signature generation and verification. Following this architecture, a hardened XML Signature library has been implemented. The obtained evaluation results show that the developed concept and library provide the targeted robustness against all kinds of known XML Signature Wrapping attacks. Furthermore the empirical results underline, that these security merits are obtained at low efficiency and performance costs as well as remain compliant with the underlying standards.

References

  1. Bartel, M., Boyer, J., Fox, B., LaMacchia, B., and Simon, E. (2008). XML Signature Syntax and Processing. W3C Recommendation.
  2. Bhargavan, K., Fournet, C., and Gordon, A. D. (2005a). A semantics for Web Services authentication. Theoretical Computer Science, 340(1):102-153.
  3. Bhargavan, K., Fournet, C., Gordon, A. D., and O'Shea, G. (2005b). An advisor for Web Services Security policies. In SWS 7805: Proceedings of the 2005 Workshop on Secure Web Services, pages 1-9, New York, NY, USA. ACM Press.
  4. Gajek, S., Jensen, M., Liao, L., and Schwenk, J. (2009). Analysis of signature wrapping attacks and countermeasures. In ICWS, pages 575-582.
  5. Gajek, S., Liao, L., and Schwenk, J. (2007). Breaking and fixing the inline approach. In Proceedings of the 2007 ACM Workshop on Secure Web Services (SWS'07), pages 37-42, Fairfax, Virginia, USA. Association for Computing Machinery.
  6. Gruschka, N., Jensen, M., Lo Iacono, L., and Luttenberger, N. (2011). Server-side streaming processing of wssecurity. IEEE T. Services Computing, 4(4):272-285.
  7. Gruschka, N. and Lo Iacono, L. (2009). Vulnerable Cloud: SOAP Message Security Validation Revisited. In ICWS 7809: Proceedings of the IEEE International Conference on Web Services, Los Angeles, USA. IEEE.
  8. Gudgin, M., Hadley, M., and Rogers, T. (2006). Web Services Addressing 1.0 - SOAP Binding. W3C Recommendation.
  9. Imamura, T., Dillaway, B., and Simon, E. (2002). XML Encryption Syntax and Processing. W3C Recommendation.
  10. Jensen, M. (2011). Analysis of Attacks and Defenses in the Context of Web Services. PhD thesis, Ruhr-University Bochum.
  11. Jensen, M., Liao, L., and Schwenk, J. (2009). The curse of namespaces in the domain of xml signature. In SWS, pages 29-36.
  12. Jensen, M., Meyer, C., Somorovsky, J., and Schwenk, J. (2011). On the effectiveness of xml schema validation for countering xml signature wrapping attacks. In First International Workshop on Securing Services on the Cloud (IWSSC 2011).
  13. Kaler, C. and Nadalin, A. (2005). Web Services Security Policy Language (WS-SecurityPolicy) 1.1.
  14. Lawrence, K. and Kaler, C. (2007). Web Services Security Policy Language (WS-SecurityPolicy) 1.2.
  15. McIntosh, M. and Austel, P. (2005). XML signature element wrapping attacks and countermeasures. In SWS 7805: Proceedings of the 2005 Workshop on Secure Web Services, pages 20-27, New York, NY, USA. ACM Press.
  16. Rahaman, M. A., Schaad, A., and Rits, M. (2006). Towards secure SOAP message exchange in a SOA. In SWS 7806: Proceedings of the 3rd ACM workshop on Secure Web Services, pages 77-84, New York, NY, USA. ACM Press.
  17. Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N., and Lo Iacono, L. (2011). All your clouds are belong to us security analysis of cloud management interfaces. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW).
  18. Somorovsky, J., Jensen, M., and Schwenk, J. (2010). Streaming-based verification of xml signatures in soap messages. In Proceedings of the 2010 6th World Congress on Services, SERVICES 7810, pages 637- 644, Washington, DC, USA. IEEE Computer Society.
  19. Ticau, S.-A. (2010). Security - a centrail issue of the future EU digital agenda. Service Oriented Architecture pushed to the limit in eGovernment.
Download


Paper Citation


in Harvard Style

Mainka C., Jensen M., Lo Iacono L. and Schwenk J. (2012). XSpRES - Robust and Effective XML Signatures for Web Services . In Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-8565-05-1, pages 187-197. DOI: 10.5220/0003925701870197


in Bibtex Style

@conference{closer12,
author={Christian Mainka and Meiko Jensen and Luigi Lo Iacono and Jörg Schwenk},
title={XSpRES - Robust and Effective XML Signatures for Web Services},
booktitle={Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},
year={2012},
pages={187-197},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003925701870197},
isbn={978-989-8565-05-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
TI - XSpRES - Robust and Effective XML Signatures for Web Services
SN - 978-989-8565-05-1
AU - Mainka C.
AU - Jensen M.
AU - Lo Iacono L.
AU - Schwenk J.
PY - 2012
SP - 187
EP - 197
DO - 10.5220/0003925701870197