Abstract
The XML Signature specification defines a set of algorithms to be used to ensure security and application inter-operability for content signed using an XML Signature. We discuss a limitation of the XML Signature that arises from its extensibility to cater for new algorithms, and that is likely to be encountered in real-world implementations. We propose two ways to use and disseminate newly defined, or custom, transformation algorithms to address this limitation. These involve downloading the algorithm on-demand, or embedding the algorithm in the signature itself. Finally, we highlight a possible vulnerability to attack in the existing XML Signature Core Validation process when using custom transforms, and suggest an extension to the XML Signature standard to remedy this.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bartel, M., Boyer, J., Fox, B., LaMacchia, B., Simon, E.: XML-signature syntax and processing. In: Eastlake, D., Reagle, J., Solo, D. (eds.) W3C Recommendation. WorldWide Web Consortium, February 12 (2002), http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/ (last accessed May 21, 2004)
Beth, T., Frisch, M., Simmons, G.J. (eds.): Public-Key Cryptography: State of the Art and Future Directions. LNCS, vol. 578. Springer, Heidelberg (1992); E.I.S.S.Workshop Oberwolfach Final Report
Bull, L., Stanski, P., McG, D.: Content extraction signatures using XML digital signatures and custom transforms on-demand. In: Proceedings of The 12th International World Wide Web Conference (WWW 2003), Budapest, Hungary, May 20–24, pp. 170–177. ACM Press, New York (2003), http://www2003.org/cdrom/papers/refereed/p838/p838-bull.html (last accessed May 21, 2004)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory, IT 22(6), 644–654 (1976)
IETF. The Internet Engineering Task Force, Available online, http://www.ietf.org/ (Last accessed May 21, 2004)
LaMacchia, B., Lange, S., Lyons, M., Martin, R., Price, K.:.NET Framework Security. Addison-Wesley, Boston (2002)
LaMacchia, B.: Personal communication (March 25, 2004)
Polivy, D.J., Tamassia, R.: Authenticating distributed data using web services and XML signatures. In: Proceedings of the 2002 ACM workshop on XML security (XMLSEC 2002), November 22, pp. 80–89. ACM Press, New York (2002)
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–128 (1978)
Sax, D.: DNS spoofing (malicious cache poisoning) (November 12, 2000), Available online, http://www.giac.org/practical/gsec/DougSaxGSEC.pdf (last accessed May 21, 2004)
Wilhelm, U.G., Staamann, S., Buttyán, L.: On the problem of trust in mobile agent systems. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 1998), San Diego, CA, USA, March 11–13, pp. 114–124. Internet Society (1998)
World Wide Web Consortium. The World Wide Web Consortium, Available online, http://www.w3.org/ (last accessed May 21, 2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bull, L., Squire, D.M. (2004). XML Signature Extensibility Using Custom Transforms. In: Zhou, X., Su, S., Papazoglou, M.P., Orlowska, M.E., Jeffery, K. (eds) Web Information Systems – WISE 2004. WISE 2004. Lecture Notes in Computer Science, vol 3306. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30480-7_12
Download citation
DOI: https://doi.org/10.1007/978-3-540-30480-7_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23894-2
Online ISBN: 978-3-540-30480-7
eBook Packages: Springer Book Archive