XML-Signature XPath Filter 2.0

Boyer, John M.; Hughes, Michael; Reagle, J.

doi:10.17487/rfc3653

Cited by 12 publications

(8 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…XPath Filter 2 allows a sequence of XPath expressions to select node sets, these sets are then combined using set intersection, subtraction, and union, according to the attribute Filter. A detailed example can be found in [8,Section 4].…”

Section: Xpath Filteringmentioning

confidence: 99%

“…This use of XPath caused a severe performance killer for applying the XPath transform in Web Services scenarios. In order to cope with this issue, XPath Filter 2 [8] has been introduced, but solely to improve usability and performance, not security. Other approaches tried to re-engineer arbitrary XPath expressions to match a certain subset of XPath, which can then be evaluated faster [12], [4], [17], but all of these pose some restrictions to the usage scenario, and none copes with the signature wrapping threat.…”

Section: Fastxpath: Structure-based Referencingmentioning

confidence: 99%

See 1 more Smart Citation

Analysis of Signature Wrapping Attacks and Countermeasures

Gajek

Jensen

Liao

et al. 2009

2009 IEEE International Conference on Web Services

View full text Add to dashboard Cite

In recent research it turned out that Boolean verification of digital signatures in the context of WSSecurity is likely to fail: If parts of a SOAP message are signed and the signature verification applied to the whole document returns true, then nevertheless the document may have been significantly altered.In this paper, we provide a detailed analysis on the possible scenarios that enable these signature wrapping attacks. Derived from this analysis, we propose a new solution that uses a subset of XPath instead of ID attributes to point to the signed subtree, and show that this solution is both efficient and secure.

show abstract

Section: Xpath Filteringmentioning

confidence: 99%

Section: Fastxpath: Structure-based Referencingmentioning

confidence: 99%

Analysis of Signature Wrapping Attacks and Countermeasures

Gajek

Jensen

Liao

et al. 2009

2009 IEEE International Conference on Web Services

View full text Add to dashboard Cite

show abstract

“…Additionally, it turned out that its formal semantics drastically differed from most user's intuitive interpretations, as they expected a different processing approach-namely specifying an XPath that is evaluated against the root of the signed subtree only, then pointing to the subtree roots or nodesets to be signed. This-more intuitive-referencing scheme was later-on adapted in the specification, resulting in the XPath Filter 2 transform [11]. This transform, which is based on foundations of the set operations ∪, ∩, and \, enabled a more intuitive referencing mechanism.…”

Section: Id Xpath and Xpath Filtermentioning

confidence: 99%

The curse of namespaces in the domain of XML signature

Jensen

Liao

Schwenk

2009

Proceedings of the 2009 ACM Workshop on Secure Web Services

View full text Add to dashboard Cite

The XML signature wrapping attack is one of the most discussed security issues of the Web Services security community during the last years. Until now, the issue has not been solved, and all countermeasure approaches proposed so far were shown to be insufficient.In this paper, we present yet another way to perform signature wrapping attacks by using the XML namespace injection technique. We show that the interplay of XML Signature, XPath, and the XML namespace concept has severe flaws that can be exploited for an attack, and that XML namespaces in general pose real troubles to digital signatures in the XML domain. Additionally, we present and discuss some new approaches in countering the proposed attack vector.

show abstract

“…XPath Transform [8] (Column 3). The main purpose of this transform is to provide a technique for computing a portion of an XML document that is to be used as input to the digest calculation process.…”

Section: Xml Signatures For Constituent Datastreams Of An Assetmentioning

confidence: 99%

A Standards-based Solution for the Accurate Transfer of Digital Assets

Bekaert

Sompel²

2005

D-Lib Magazine

View full text Add to dashboard Cite

This article describes results of a collaboration between the Research Library of the Los Alamos National Laboratory (LANL) and the American Physical Society (APS) aimed at designing and implementing a robust solution for the recurrent transfer of digital assets from the APS collection to LANL. In this solution, various recent standards are combined to obtain an asset transfer framework that should be attractive as a means to optimize content transfer in environments beyond the specific APS/LANL project. The proposed solution uses an XML-based complex object format (the MPEG-21 Digital Item Declaration Language) for the application-neutral representation of compound digital assets of all sorts. It uses a pull-oriented HTTP-based protocol (the Open Archives Initiative Protocol for Metadata Harvesting) that allows incrementally collecting new and updated assets, represented as XML documents, from a producing archive. It builds on an XML-specific technique (W3C XML Signatures) to provide guarantees regarding authenticity and accuracy of the transferred assets.

show abstract

XML-Signature XPath Filter 2.0

Abstract: XML Signature recommends a standard means for specifying information content to be digitally signed and for representing the resulting digital signatures in XML.

Cited by 12 publications

References 0 publications

Analysis of Signature Wrapping Attacks and Countermeasures

Analysis of Signature Wrapping Attacks and Countermeasures

The curse of namespaces in the domain of XML signature

A Standards-based Solution for the Accurate Transfer of Digital Assets

Contact Info

Product

Resources

About