Abstract
The question of how the so-called "presentation problem" of electronic signatures in signed XML documents can be addressed was already the subject of a DuD article in 2003 [32]. The present article shows that the verification process of XML signatures can also pose a problem for the probative value of electronic signatures.
References
[1] Gesetz über Rahmenbedingungen für elektronische Signaturen (Signaturgesetz — SigG), BGBl. I S. 876, 16 May 2001. http://bundesrecht.juris.de/sigg_2001/index.html
[2] Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates vom 13. Dezember 1999 über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen, 19 January 2000. http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&numdoc=31999L0093&model=guichett&lg=de
[3] A. Jøsang, D. Povey, A. Ho, What You See Is Not Always What You Sign, Australian UNIX User Group, 2002
[4] M. McIntosh, P. Austel, XML Signature Element Wrapping Attacks and Countermeasures, Workshop on Secure Web Services (SWS 2005), pp. 20–27, ACM Press, New York, NY, USA, 2005
[5] M. Bartel, J. Boyer, B. Fox, B. LaMacchia, E. Simon, XML-Signature Syntax and Processing (Second Edition), W3C Recommendation, June 2008. http://www.w3.org/TR/xmldsig-core/
[6] B. Kaliski, PKCS #7: Cryptographic Message Syntax Version 1.5, IETF RFC 2315, March 1998. http://tools.ietf.org/html/rfc2315
[7] T. Berners-Lee, R. Fielding, L. Masinter, Uniform Resource Identifier (URI): Generic Syntax, IETF RFC 3986, January 2005. http://tools.ietf.org/html/rfc3986
[8] A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, August 2001. http://www.cacr.math.uwaterloo.ca/hac/
[9] B. Hill, A Taxonomy of Attacks against XML Digital Signatures & Encryption, 2007. http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_Handout.pdf
[10] OSCI Leitstelle, OSCI-Transport 1.2, 6 June 2002. http://www.osci.de/
[11] W3C, XML Advanced Electronic Signatures (XAdES), W3C Note, 20 February 2003. http://www.w3.org/TR/XAdES/
[12] D. Box, D. Ehnebuske, G. Kakivaya, A. Layman, N. Mendelsohn, H. F. Nielsen, S. Thatte, D. Winer, Simple Object Access Protocol (SOAP) 1.1, W3C Note, 2000
[13] A. Nadalin, C. Kaler, R. Monzillo, P. Hallam-Baker, Web Services Security: SOAP Message Security 1.1 (WS-Security 2004), 2006
[14] T. Imamura, B. Dillaway, E. Simon, XML Encryption Syntax and Processing, W3C Recommendation, December 2002. http://www.w3.org/TR/xmlenc-core/
[15] M. McIntosh, M. Gudgin, K. S. Morrison, A. Barbir, Basic Security Profile Version 1.0, WS-I Organisation, 2007
[16] D. Box, F. Curbera (eds.), Web Services Addressing (WS-Addressing), W3C Member Submission, August 2004. http://www.w3.org/Submission/ws-addressing/
[17] K. Iwasa, J. Durand, T. Rutt, M. Peel, S. Kunisetty, D. Bunting, WS-Reliability 1.1, OASIS Standard, November 2004. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrm
[18] N. Gruschka, L. Lo Iacono, Vulnerable Cloud: SOAP Message Security Validation Revisited, IEEE ICWS 2009
[19] Amazon Elastic Compute Cloud (EC2). http://aws.amazon.com/ec2
[20] Amazon Elastic Compute Cloud Developer Guide, Using the APIs, Using the SOAP API. http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/
[21] A. Sotirov, M. Stevens, J. Appelbaum, A. Lenstra, D. Molnar, D. A. Osvik, B. de Weger, MD5 Considered Harmful Today, December 2008. http://www.win.tue.nl/hashclash/rogue-ca/
[22] N. Gruschka, N. Luttenberger, R. Herkenhöner, Event-based SOAP Message Validation for WS-SecurityPolicy-enriched Web Services, International Conference on Semantic Web & Web Services, 2006
[23] K. Bhargavan, C. Fournet, A. D. Gordon, A Semantics for Web Services Authentication, Theoretical Computer Science 340(1), 2005
[24] K. Bhargavan, C. Fournet, A. D. Gordon, G. O'Shea, An Advisor for Web Services Security Policies, Workshop on Secure Web Services (SWS 2005), ACM Press, New York, NY, USA, 2005
[25] A. Nadalin, M. Goodner, M. Gudgin, A. Barbir, H. Granqvist (eds.), WS-SecurityPolicy 1.2, OASIS Standard, July 2007. http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/ws-securitypolicy.html
[26] M. A. Rahaman, A. Schaad, M. Rits, Towards Secure SOAP Message Exchange in a SOA, Workshop on Secure Web Services (SWS 2006), ACM Press, New York, NY, USA, 2006
[27] S. Gajek, L. Liao, J. Schwenk, Breaking and Fixing the Inline Approach, Workshop on Secure Web Services (SWS 2007), ACM Press, Fairfax, Virginia, USA, 2007
[28] H. S. Thompson, D. Beech, M. Maloney, N. Mendelsohn (eds.), XML Schema Part 1: Structures Second Edition, W3C Recommendation, October 2004. http://www.w3.org/TR/xmlschema-1/
[29] E. Christensen, F. Curbera, G. Meredith, S. Weerawarana, Web Services Description Language (WSDL) 1.1, W3C Note, March 2001. http://www.w3.org/TR/wsdl
[30] N. Gruschka, N. Luttenberger, Protecting Web Services from DoS Attacks by SOAP Message Validation, International Information Security Conference (SEC 2006), 2006
[31] S. Gajek, M. Jensen, L. Liao, J. Schwenk, Analysis of Signature Wrapping Attacks and Countermeasures, IEEE ICWS 2009, Los Angeles, CA, USA
[32] T. Kunz, U. Pordesch, A. U. Schmidt, Das Präsentationsproblem der XML-Signatur und seine Lösung durch Profiles, DuD 12/2001, pp. 740–745
[33] D. Fox, Zu einem prinzipiellen Problem digitaler Signaturen, DuD 7/1998, pp. 386–389
Gruschka, N., Jensen, M., Iacono, L.L. et al. XML Signature Wrapping Angriffe. DuD 33, 553–560 (2009). https://doi.org/10.1007/s11623-009-0142-z