Signing messages

From: Martin Kulov (kulov_at_bezbokluk.abv.bg)
Date: 12/01/04

Next message: nealboy: "why does WSE fail in trusting certificate chain?"
Previous message: Martin Kulov: "SecurityFault Class"
Next in thread: Dilip Krishnan: "Re: Signing messages"
Reply: Dilip Krishnan: "Re: Signing messages"
Messages sorted by: [ date ] [ thread ]

Date: Wed, 01 Dec 2004 04:52:39 -0800

So, message signatures are described in Signature\SignedInfo element.

And I am using WSE 2.0 SP2 Prerelease.

For example:

<SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
  <Reference URI="#Id-9f6237be-83f3-4bb7-8e53-56c2a032b745">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>ctf3qbSQt6hofrMjIrvsIaO1AaI=</DigestValue>
  </Reference>
..
  <SignatureValue>j7yVNKUvzh01hELvQk0fRFsxj+M=</ SignatureValue>
..
</SignedInfo>

The receiver uses the canonicalization and digest methods to calculate reference digest. Is that correct?

My questions are:

Why do you need to have DigestValue in the envelope when the receiver can calculate it by himself using the canonicalization and digest methods?

What is this Transforms element for? I have not seen any description on it yet.

What is the difference between Canonicalization and Transform algorithm?

The SignatureValue contains signature based on all digest values. How it combines all digest in one value in order to sign that value the public key of the receiver? Using Canonicalization method may be?

What if an intermediate decides to change a header value that is signed? Then the whole signature value will be modified. Does not this break the security in some way? Is the signature gets recreated automatically when a part that is signed gets modified?

I just saw that Reference element is marked as obsolete. What is going to replace it?

Martin Kulov
www.codeattest.com

Next message: nealboy: "why does WSE fail in trusting certificate chain?"
Previous message: Martin Kulov: "SecurityFault Class"
Next in thread: Dilip Krishnan: "Re: Signing messages"
Reply: Dilip Krishnan: "Re: Signing messages"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Support for XPath Filter 2.0 Transform? (Xml Digital Signatures)
... I am working with Adobe LiveCycle Designer 8.1 to create forms that the user ... verifying digital signatures, but I have run into an issue that I'm hoping ... Adobe's XML Digital Signatures seem to use the ... an XML element containing a Transform with the Algorithm ID ...
(microsoft.public.dotnet.security)
Re: kmod-nvidia not working in kernel-2.6.17-1.2139_FC5
... I think you can make it work with the digest version if you set it to ... send you the mime digest. ... Evo uses PGP/MIME for signatures by default. ... if there is any way to change it to inline signatures or not. ...
(Fedora)
XPath Filter 2.0 Support? (XML Digital Signatures)
... I am working with Adobe LiveCycle Designer 8.1 to create forms that the user ... verifying digital signatures, but I have run into an issue that I'm hoping ... Adobe's XML Digital Signatures seem to use the ... an XML element containing a Transform with the Algorithm ID ...
(microsoft.public.dotnet.framework.aspnet.security)