Are XML Signatures secure?

Discussion in 'ASP .Net Security' started by ~~~ .NET Ed ~~~, Sep 23, 2007.

  1. I was planning to deploy my control using a digitally signed XML signature
    but when I come to think of it nothing prevents a savvy user from taking the
    XML file, stripping the Digital signature, altering the XML document and
    signing it again with his/her own key.

    Am I right? or am I missing something?
    ~~~ .NET Ed ~~~, Sep 23, 2007
    #1

  2. Hello!
    You wrote on Sun, 23 Sep 2007 14:26:54 +0200:

    NE> I was planning to deploy my control using a digitally signed XML
    NE> signature but when I come to think of it nothing prevents a savvy user
    NE> from taking the XML file, stripping the Digital signature, altering the
    NE> XML document and signing it again with his/her own key.
    NE> Am I right? or am I missing something?

    The idea of signatures is that they are the evidence of the document origin
    and document integrity. In other words, the signature can say that the
    document was signed by certain signer and since signing the document has not
    been modified. The signature doesn't prevent altering the data (in generic
    case).

    So when you are talking about signatures, you need to define, what exactly
    you want to do. If you want to ensure that the component / control can't be
    cracked, then the signature won't work for you.

    If you want to ensure that the component was not modified by the evil
    hacker, trying to inject his code into the end-user's system, then the
    end-user must check and ensure that the signature is *yours* (and not the
    one of the evil hacker).

    Validating the signatures is possible when X.509 certificates are employed
    and included into the signature. If you use plain RSA or DSA key for
    signing, then the end user must have your public key in order to validate
    the signature and ensure that it's yours.

    With best regards,
    Eugene Mayevski
    http://www.SecureBlackbox.com - the comprehensive component suite for
    network security
    Eugene Mayevski, Sep 23, 2007
    #2
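
The check described in reply #2, as an added example that is not part of the original thread: with .NET's `SignedXml`, `CheckSignature()` validates against whatever key the document carries in `KeyInfo`, while `CheckSignature(key)` validates against a key the verifier already trusts. The document contents, the two RSA keys and the helper names are constructed for illustration, and the code assumes the `System.Security.Cryptography.Xml` assembly or package is referenced.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlSigTrustDemo
{
    // Enveloped signature over the whole document; the signer's public key
    // is embedded in <KeyInfo> so that a verifier can find it.
    static XmlDocument Sign(string xml, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signed = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signed.AddReference(reference);
        signed.KeyInfo = new KeyInfo();
        signed.KeyInfo.AddClause(new RSAKeyValue(key));
        signed.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signed.GetXml(), true));
        return doc;
    }

    // trustedKey == null: verify against the key carried in the document
    // (integrity only). Otherwise verify against the publisher's key that
    // ships with the verifier (integrity and origin).
    static bool Verify(XmlDocument doc, RSA trustedKey)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false; // unsigned or ambiguous: reject
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)nodes[0]);
        return trustedKey == null ? signed.CheckSignature()
                                  : signed.CheckSignature(trustedKey);
    }

    static void Main()
    {
        using RSA publisher = RSA.Create(2048); // constructed: the vendor's key
        using RSA other = RSA.Create(2048);     // constructed: someone else's key
        XmlDocument genuine = Sign("<control version=\"1.0\"/>", publisher);
        XmlDocument resigned = Sign("<control version=\"1.0\" patched=\"true\"/>", other);

        Console.WriteLine($"embedded key, re-signed doc: {Verify(resigned, null)}");
        Console.WriteLine($"trusted key,  re-signed doc: {Verify(resigned, publisher)}");
        Console.WriteLine($"trusted key,  genuine doc:   {Verify(genuine, publisher)}");
    }
}
```

Only the calls that pass the publisher's key tie the document to its origin. When the signature carries an X.509 certificate instead of a raw key, the equivalent step is validating that certificate's chain and subject before trusting its public key.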