
XML Signature Wrapping Angriffe

What you process is not always what you verify

Article type: Aufsätze (papers)

Journal: Datenschutz und Datensicherheit - DuD

Abstract

How the so-called "presentation problem" of electronic signatures on signed XML documents can be addressed was already the topic of a contribution in DuD in 2003 [32]. The present contribution shows that the verification process of XML signatures can also pose a problem for the evidentiary value of electronic signatures.


References

  1. Gesetz über Rahmenbedingungen für elektronische Signaturen (Signaturgesetz — SigG), BGBl. I S. 876, 16 May 2001. http://bundesrecht.juris.de/sigg_2001/index.html

  2. Richtlinie 1999/93/EG des Europäischen Parlaments und des Rates vom 13. Dezember 1999 über gemeinschaftliche Rahmenbedingungen für elektronische Signaturen, 19 January 2000. http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&numdoc=31999L0093&model=guichett&lg=de

  3. A. Jøsang, D. Povey, A. Ho, What You See Is Not Always What You Sign, Australian UNIX User Group, 2002

  4. M. McIntosh, P. Austel, XML signature element wrapping attacks and countermeasures. Workshop on Secure Web Services (SWS 2005), pp. 20–27. ACM Press, New York, NY, USA, 2005

  5. M. Bartel, J. Boyer, B. Fox, B. LaMacchia, E. Simon, XML-Signature Syntax and Processing (Second Edition), W3C Recommendation, June 2008. http://www.w3.org/TR/xmldsig-core/

  6. B. Kaliski, PKCS #7: Cryptographic Message Syntax Version 1.5, IETF RFC 2315, March 1998. http://tools.ietf.org/html/rfc2315

  7. T. Berners-Lee, R. Fielding, L. Masinter, Uniform Resource Identifier (URI): Generic Syntax, IETF RFC 3986, January 2005. http://tools.ietf.org/html/rfc3986

  8. A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, August 2001. http://www.cacr.math.uwaterloo.ca/hac/

  9. B. Hill, A Taxonomy of Attacks against XML Digital Signatures & Encryption, 2007. http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_Handout.pdf

  10. OSCI Leitstelle, OSCI-Transport 1.2, 6 June 2002. http://www.osci.de/

  11. W3C, XML Advanced Electronic Signatures (XAdES), W3C Note, 20 February 2003. http://www.w3.org/TR/XAdES/

  12. D. Box, D. Ehnebuske, G. Kakivaya, A. Layman, N. Mendelsohn, H. F. Nielsen, S. Thatte, D. Winer, Simple Object Access Protocol (SOAP) 1.1, W3C Note, 2000

  13. A. Nadalin, C. Kaler, R. Monzillo, P. Hallam-Baker, Web Services Security: SOAP Message Security 1.1 (WS-Security 2004), 2006

  14. T. Imamura, B. Dillaway, E. Simon, XML Encryption Syntax and Processing, W3C Recommendation, December 2002. http://www.w3.org/TR/xmlenc-core/

  15. M. McIntosh, M. Gudgin, K. S. Morrison, A. Barbir, Basic Security Profile Version 1.0, WS-I Organisation, 2007

  16. D. Box, F. Curbera (eds.), Web Services Addressing (WS-Addressing), W3C Member Submission, August 2004. http://www.w3.org/Submission/ws-addressing/

  17. K. Iwasa, J. Durand, T. Rutt, M. Peel, S. Kunisetty, D. Bunting, WS-Reliability 1.1, OASIS Standard, November 2004. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsrm

  18. N. Gruschka, L. Lo Iacono, Vulnerable Cloud: SOAP Message Security Validation Revisited, IEEE ICWS 2009

  19. Amazon Elastic Compute Cloud (EC2), http://aws.amazon.com/ec2

  20. Amazon Elastic Compute Cloud Developer Guide, Using the APIs, Using the SOAP API, http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/

  21. A. Sotirov, M. Stevens, J. Appelbaum, A. Lenstra, D. Molnar, D. A. Osvik, B. de Weger, MD5 considered harmful today, December 2008. http://www.win.tue.nl/hashclash/rogue-ca/

  22. N. Gruschka, N. Luttenberger, R. Herkenhöner, Event-based SOAP message validation for WS-SecurityPolicy-enriched Web Services, International Conference on Semantic Web & Web Services, 2006

  23. K. Bhargavan, C. Fournet, A. D. Gordon, A semantics for Web Services authentication. Theoretical Computer Science 340(1), 2005

  24. K. Bhargavan, C. Fournet, A. D. Gordon, G. O'Shea, An advisor for Web Services Security policies. Workshop on Secure Web Services (SWS 2005). ACM Press, New York, NY, USA, 2005

  25. A. Nadalin, M. Goodner, M. Gudgin, A. Barbir, H. Granqvist (eds.), WS-SecurityPolicy 1.2, OASIS Standard, July 2007. http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/ws-securitypolicy.html

  26. M. A. Rahaman, A. Schaad, M. Rits, Towards secure SOAP message exchange in a SOA. Workshop on Secure Web Services (SWS 2006), ACM Press, New York, NY, USA, 2006

  27. S. Gajek, L. Liao, J. Schwenk, Breaking and fixing the inline approach. Workshop on Secure Web Services (SWS 2007), ACM Press, Fairfax, Virginia, USA, 2007

  28. H. S. Thompson, D. Beech, M. Maloney, N. Mendelsohn (eds.), XML Schema Part 1: Structures Second Edition, W3C Recommendation, October 2004. http://www.w3.org/TR/xmlschema-1/

  29. E. Christensen, F. Curbera, G. Meredith, S. Weerawarana, Web Services Description Language (WSDL) 1.1, W3C Note, March 2001. http://www.w3.org/TR/wsdl

  30. N. Gruschka, N. Luttenberger, Protecting Web Services from DoS Attacks by SOAP Message Validation, International Information Security Conference (SEC 2006), 2006

  31. S. Gajek, M. Jensen, L. Liao, J. Schwenk, Analysis of Signature Wrapping Attacks and Countermeasures. IEEE ICWS 2009, Los Angeles, CA, USA

  32. T. Kunz, U. Pordesch, A. U. Schmidt, Das Präsentationsproblem der XML-Signatur und seine Lösung durch Profiles, DuD 12/2001, pp. 740–745

  33. D. Fox, Zu einem prinzipiellen Problem digitaler Signaturen, DuD 7/1998, pp. 386–389

Author information

Correspondence to Nils Gruschka.

Cite this article

Gruschka, N., Jensen, M., Iacono, L.L. et al. XML Signature Wrapping Angriffe. DuD 33, 553–560 (2009). https://doi.org/10.1007/s11623-009-0142-z
