Analysis of signature wrapping attacks and countermeasures

Sebastian Gajek*, Meiko Jensen, Lijun Liao, Jörg Schwenk

*Corresponding author for this work

Publication: Contribution to book/anthology/report/conference proceeding; Conference contribution in proceedings; Research; Peer-reviewed

Abstract

In recent research it turned out that Boolean verification of digital signatures in the context of WS-Security is likely to fail: If parts of a SOAP message are signed and the signature verification applied to the whole document returns true, then nevertheless the document may have been significantly altered. In this paper, we provide a detailed analysis on the possible scenarios that enable these signature wrapping attacks. Derived from this analysis, we propose a new solution that uses a subset of XPath instead of ID attributes to point to the signed subtree, and show that this solution is both efficient and secure.

Original language: English
Title: 2009 IEEE International Conference on Web Services, ICWS 2009
Number of pages: 8
Publication date: 19 Nov 2009
Pages: 575-582
Article number: 5175871
ISBN (Print): 9780769537092
DOI: https://doi.org/10.1109/ICWS.2009.12
Status: Published - 19 Nov 2009

Fingerprint

Electronic document identification systems

Cite this

Gajek, S., Jensen, M., Liao, L., & Schwenk, J. (2009). Analysis of signature wrapping attacks and countermeasures. In 2009 IEEE International Conference on Web Services, ICWS 2009 (pp. 575-582). [5175871] https://doi.org/10.1109/ICWS.2009.12
@inproceedings{df10d06be4984b168ab73223f9b9ad41,
title = "Analysis of signature wrapping attacks and countermeasures",
abstract = "In recent research it turned out that Boolean verification of digital signatures in the context of WS-Security is likely to fail: If parts of a SOAP message are signed and the signature verification applied to the whole document returns true, then nevertheless the document may have been significantly altered. In this paper, we provide a detailed analysis on the possible scenarios that enable these signature wrapping attacks. Derived from this analysis, we propose a new solution that uses a subset of XPath instead of ID attributes to point to the signed subtree, and show that this solution is both efficient and secure.",
author = "Sebastian Gajek and Meiko Jensen and Lijun Liao and J{\"o}rg Schwenk",
year = "2009",
month = "11",
day = "19",
doi = "10.1109/ICWS.2009.12",
language = "English",
isbn = "9780769537092",
pages = "575--582",
booktitle = "2009 IEEE International Conference on Web Services, ICWS 2009",

}

TY - GEN

T1 - Analysis of signature wrapping attacks and countermeasures

AU - Gajek, Sebastian

AU - Jensen, Meiko

AU - Liao, Lijun

AU - Schwenk, Jörg

PY - 2009/11/19

Y1 - 2009/11/19

N2 - In recent research it turned out that Boolean verification of digital signatures in the context of WS-Security is likely to fail: If parts of a SOAP message are signed and the signature verification applied to the whole document returns true, then nevertheless the document may have been significantly altered. In this paper, we provide a detailed analysis on the possible scenarios that enable these signature wrapping attacks. Derived from this analysis, we propose a new solution that uses a subset of XPath instead of ID attributes to point to the signed subtree, and show that this solution is both efficient and secure.

U2 - 10.1109/ICWS.2009.12

DO - 10.1109/ICWS.2009.12

M3 - Article in proceedings

AN - SCOPUS:70449469222

SN - 9780769537092

SP - 575

EP - 582

BT - 2009 IEEE International Conference on Web Services, ICWS 2009

ER -
