1 / 54

Security – XML Signature

Security – XML Signature. Outline. Preliminaries Digital Signature SOAP XML signature Wrapping Attack XML Namespace Injection Attack. Digital Signature. The Usage of Digital Signature Authentication

jericho
Download Presentation

Security – XML Signature

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security – XML Signature

  2. Outline • Preliminaries • Digital Signature • SOAP • XML signature • Wrapping Attack • XML Namespace Injection Attack

  3. Digital Signature • The Usage of Digital Signature • Authentication • The private key is bounded to the user, a valid signature shows that the message was sent by that user • Integrity • If a message is digitally signed, any change in the message after signature will invalidate the signature

  4. Digital Signature Scheme • Definition • A digital signature scheme includes a triple of algorithms (G, , V) • Key generation algorithm G: produces pairs (P, S) where P is called a public key and S a private key. • Signing algorithm : given a private key S and a message m, produces as output string s which call the signature of m. • Verification algorithm V: given a public key P, a digital signature s, and a message m, returns 1 (digital signature is valid) or 0 (digital signature is invalid) to indicate whether or not the signature is valid. • Security • It is infeasible to forge a valid digital signature without knowing the private key • Details are omitted here …

  5. Digital Signature Scheme • Construction Primitives • Cryptographic Hash Function • Public Key Encryption Scheme

  6. Cryptographic Hash Functions • Definition • Deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string • Properties • Easy to compute the hash value for any given message • Infeasible to find a message that has a given hash • Infeasible to modify a message without changing its hash • Infeasible to find two different messages with the same hash. • Example – SHA-1 • Produces a 160-bit digest from a message with a maximum length of (264 − 1) bits

  7. Public Key Encryption Scheme • Definition (Not Rigorous) • A triple (G, E, D) algorithms satisfying the following conditions • Key generation algorithm G: produces a pair (e, d) where e is called the public key, and d is the corresponding private key. • Encryption algorithm E: takes as input public key e, string m called the plain text, and produces as output string c called the cipher text. • Decryption algorithm D: takes as inputs private key d, and a cipher text c, and produces as output a string m’ • Correctness • For every pair (e, d), for every m, D(E(m, e), d) = m. • Security • Complex and omitted here …

  8. Public Key Encryption Scheme • Example – RSA • Key generation algorithm G • Choose n = p·q where p and q are two large prime numbers • Select e such that gcd(e, (n)) = 1 where (n) = (p1)·(q1) • Compute d such that c·d  1 (mod (n)) by Chinese Remainder Theorem • (e, n) is the public key and (d, n) is the private key • Encryption algorithm E • For plain text m, E(m, (e, n)) = me mod n • Decryption algorithm D • For cipher text c, D(c, (d, n)) = cd mod n • Correctness • (me)d mod n = m mod n

  9. Digital Signature Scheme • Example – The RSA Digital Signature Scheme • Key generation algorithm G: produces pairs ((e, n), (d, n)) where n is the product of two large primes, and e is relatively prime to (n), and d satisfies e·d = 1 mod (n). • Signing algorithm : given (d, n) and m, compute (m) = H(m)d mod n. • H is a cryptographic hash function, e.g. SHA-1 • Verifying algorithm V: given (e, n), (m), and m, compute (m)e mod n and H(m) mod n. • Returns 1 if (m)e mod n = H(m) mod n. • Returns 0 if (m)e mod n  H(m) mod n. • Correctness: (m)e mod n = (H(m)d)e mod n = H(m) mod n.

  10. Digital Signature Scheme • Implementation – Create Public Key Certificate • Public Key Certificate • Issued by certificate authority (CA) • Binding together a public key with an identity

  11. Public Key Certificate • Typical Contents • Serial Number: Used to uniquely identify the certificate. • Subject: The person, or entity identified. • Signature Algorithm: The algorithm used to create the signature. • Issuer: The entity that verified the information and issued the certificate. • Valid-From: The date the certificate is first valid from. • Valid-To: The expiration date. • Key-Usage: Purpose of the public key. • Public Key: The public key to encrypt a message to the named subject or to verify a signature from the named subject. • Thumbprint Algorithm: The algorithm used to hash the certificate. • Thumbprint: The hash itself to ensure that the certificate has not been tampered with.

  12. Outline • Preliminaries • Digital Signature • SOAP • XML signature • Wrapping Attack • XML Namespace Injection Attack

  13. SOAP • SOAP • Defines an XML syntax and processing rules facilitating the exchange of SOAP messages • Message flow from an originator to an ultimate receiver containing zero or more intermediary SOAP nodes

  14. SOAP Message • SOAP Message • Consists of soap:Envelop • soap:Envelop • Contains a soap:Header element (optional) • Contains a soap:Body element

  15. soap:Header Element • soap:Header Element • May contain a set of child elements • Describe message processing that the sender expects a recipient to perform • Each child element may contain an actor or role attribute • Indicates which receiving SOAP node is expected to perform the described processing • Intermediary SOAP nodes may add, remove and modify individual element children of the soap:Header element • Each child element may contain a soap:mustUnderstand attribute • Indicates whether a SOAP node should generate a fault if a message is received containing an element that is target at that node but for which no processing is defined

  16. Web Services Security • Web Services Security • Defines the syntax and processing rules associated with the wsse:Security element • wsse:Security Element • is a child of soap:Header element • May include XML Signature elements, SML Encryption element, Timestamps, and Security Tokens

  17. Example of SOAP Message soap:Envelope element soap:Body element soap:Header element wsse:Security element ds:Signature element

  18. Outline • Preliminaries • Digital Signature • SOAP • XML signature • Wrapping Attack • XML Namespace Injection Attack

  19. XML Namespaces • Namespace Binding • xmlns=“uri” • Make XML element names globally unique • Namespace Prefix • xmlns:prefix=“uri” • Binds the prefix to the given namespace uri for the whole subtree of this element

  20. XML Namespaces Example uri prefix

  21. XML Signature • XML Signature • Defines an XML syntax and processing rules for signing and verifying digital signatures over one or more data objects • Properties • Use a set of indirect references to each singed data object, allowing for the signing of several potentially noncontiguous and/or overlapping data objects • Advantage: signed XML elements along with the associated signature may be copied from one document into another while retaining the ability to verify the signature • Useful in scenarios where multiple actors process and potentially transform a document throughout a business process • Disadvantage: it can be exploited by an adversary allowing the undetected modification of documents

  22. XML Signature Data Structure

  23. XML Signature • Generating Steps • The resource is transformed (if necessary), and canonicalized • The digest value of the resulting data object is calculated and stored in DigestValue • The signature is calculated over the canonicalized SignedInfo and stored in SignatureValue • Validating Steps • First generate and verify the digest value • Then verify the signature value • Validation successes if and only if the digest value and the signature value are valid

  24. XML Signature – Canonicalization • Purpose • A set of operations performed on the XML contents prior to signature application or verification • For example: hide irrelevant character-level modifications of the XML document • Two Different Canonicalizations • Inclusive Canonicalization • Exclusive Canonicalization

  25. Property of Inclusive Canonicalization • Inclusive Canonicalization • Leaving all namespace declarations within the signed subtree in place • Including all namespace declarations that were specified outside the signed subtree but also cover the signed subtree be included in the signed subtree’s root element • Effect • Lead to severe interoperability issues • Every addition of namespace declarations e.g. at a SOAP Envelope element lead to invalidation of every XML signature within that message

  26. Property of Exclusive Canonicalization • Exclusive Canonicalization • “visibly utilized” namespace: the set of all namespaces that have at least one element or attribute from that namespace occurring within the signed contents • If a namespace is visibly utilized, its namespace declaration – regardless of its position within the signed subtree – is kept in place • If that namespace happened to be declared outside of the signed subtree, its declaration is moved to the first element that visibly utilizes it

  27. Inclusive and Exclusive Canonicalizations • Application Situations • WS-Security prefers the use of Exc-C14N • WS-I Basic Security Profile explicitly disallows the use of Inc-C14N • (Although Exc-C14N is more flexible, it has severe security risk, will see later)

  28. XML Signature - Referencing • ID-based referencing • “#x” implies that the element with an ID attribute of value x is targeted • Use “ ” to reference a document’s root element • XPath Tranforms • Evaluation of a potentially-complex expression against every node in the input set, which has proved costly in practice. • XPath Filter 2 Transform • Based on the set operations , , and \ • Does not provide any increased capability over the original XPath transform • Implemented more efficiently: requires evaluation of simple XPath expressions and then the execution of some basic set operations

  29. ID-based referencing Example

  30. XPath and XPath Filter 2 Transform Examples

  31. Outline • Preliminaries • Digital Signature • SOAP • XML signature • Wrapping Attack • XML Namespace Injection Attack

  32. Stock Quote Application • Stock Quote • Customers quote the prices of stocks • The service provider would charge consumers for the services • What’s more • The soap:Body element should be signed with XML Signature • The associated signature verification key should be provided by an certificate

  33. Example 1 Add a soap:Header element

  34. Wrapping Attack 1 – Simple Ancestry Context Indicate to the SOAP processing layer that the Wrapper element can be safely ignored

  35. Remedy Effort 1 • Refinement of the Policy • The element specified by /soap:Evelope/soap:Body must be signed using WSS with XML Signature • The associated signature verification key must be provided by a certificate issued by one of the set of trusted Certificate Authorities (CAs)

  36. Example 2 Unlike example 1, it is an optimal element context

  37. Wrapping Attack 2 – Optional Element Context The wsa:ReplyTo element has been wrapped so that the reply will sent to a incorrect location

  38. Remedy Effort 2 – Using XPath

  39. Example 3 Sign the wsu:Timestamp element

  40. Wrapping Attack 3 – Sibling Value Context The timestamp has been wrapped and will not be verified by the SOAP processing layer

  41. Enforce the ultimateReceiver to verify timestamp Remedy Effort 3

  42. Wrapping Attack 4 Add a wsse:Security element Move to here There is no timestamp in this element removed

  43. Conclusions • Wrapping Attack • Shown how to protect against certain wrapping attacks by improving the security policy • Shown how to counterfeit new security policy by a new, more sophisticated wrapping attack

  44. Outline • Preliminaries • Digital Signature • SOAP • XML signature • Wrapping Attack • XML Namespace Injection Attack

  45. XML Namespace Injection Attack – Example

  46. Example – After Canonicalized

  47. Example – Namespace Injection Attack

  48. Attack Countermeasure 1 • InclusiveNamespace • The prefix used in the XPath expression can be included in the InclusiveNamespaces element of CanaonicalizationMethod within SignedInfo • Failed • Not implemented in open libraries for XML signature, e.g. Apache XML Security and Microsoft’s .Net Framework. • For some libraries, although it is possible to specify the InclusiveNamespaces, the specified prefixes will be ignored while canonicalizing the SignedInfo.

  49. Attack Countermeasure 2 • Sepcify the prefix/namespace Pairs • Failed • Cannot be applied to the existing XPath transform and XPath Filter 2 transform

  50. Attack Countermeasure 3 • Using Prefix-free XPath Expressions • Placing the namespace uri directly into the XPath expression itself • For example: the XPath expression /soap:Envelope/soap:Body with soap mapping to ns-soap can be expressed by • Succeed • Shortcomings • Induce a serious rise in complexity of the XPath expression and the threat of misconfigurations

More Related