I am adding security to my web service and chose to sign the Timestamp and Token.

While reading docs I found a lot of examples where they sign the Body of the SOAP message.

My question is: what is best to sign?

From what I understand signing the Body could lead to performance issues if the Body is pretty large.

Thanks.

+2  A: 

You should definitely sign the whole message body.

XMLDSIG is performed on the digests of referenced parts defined in <SignedInfo>. Running a hash algorithm like SHA1 through a large body takes very little time compared with the PKI operations. You shouldn't worry about performance.

ZZ Coder
What's the problem signing only the timestamp?
Alexandru Luchian
Signing timestamp only limits the window of replay attack. Other parts of the message can still be changed without detection. Also, it's actually harder to sign just part of the message.
ZZ Coder
It's also an unfortunate limitation of the library that if you pick and choose what the signature covers, there's no query mechanism available to allow you to retrieve only that part of the document. Cherry-picking is a very, very deep rabbit hole, and it's dark and cold down here.
Jason
Got it, thanks. But if the communication is over HTTPS, the probability of tampering is pretty small, isn't it?
Alexandru Luchian
Signing solves a different problem. HTTPS does prevent MITM (Man-in-the-Middle) attacks. What happens if someone just tinkers with the message and makes an HTTPS call to you? You have to use 2-way SSL to get the benefit of signing.
ZZ Coder
@ZZ Coder can you please comment on the other answer? Thanks.
Alexandru Luchian
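
The trade-off discussed in the answer and comments above (the signature covers only the digests of the parts referenced from SignedInfo, so an unreferenced Body can be changed without detection, while hashing the Body is cheap next to the RSA operation itself) can be made concrete. The following is an added example, not code from the original thread or from any WS-Security library: a deliberately simplified model in Go of the XML-DSIG reference/digest structure. It does not canonicalize XML; the "envelope" is two byte strings with made-up wsu:Id values ("TS-1", "Body-1"), and the serialized list of digests stands in for a real <ds:SignedInfo>. The sample envelope contents and the tampered Body are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
	"time"
)

// Part is one signable element of a (simplified) SOAP envelope, addressed by
// its wsu:Id. This models XML-DSIG's Reference/DigestValue idea; it does not
// implement XML canonicalization or real WS-Security (assumption of the demo).
type Part struct {
	ID      string
	Content []byte
}

// Envelope holds the two parts the thread talks about: Timestamp and Body.
type Envelope struct {
	Timestamp Part
	Body      Part
}

// part returns the element with the given wsu:Id, if the envelope has one.
func (e Envelope) part(id string) (Part, bool) {
	switch id {
	case e.Timestamp.ID:
		return e.Timestamp, true
	case e.Body.ID:
		return e.Body, true
	}
	return Part{}, false
}

// Signature is the digest list actually covered plus the RSA signature
// computed over that list (the analogue of signing <ds:SignedInfo>).
type Signature struct {
	References map[string][32]byte // wsu:Id -> SHA-256 digest of that part
	Value      []byte              // RSA PKCS#1 v1.5 signature over signedInfo
}

// Covers reports whether the signature references the named part at all.
func (s Signature) Covers(id string) bool {
	_, ok := s.References[id]
	return ok
}

// signedInfo serializes the referenced digests in a fixed order. In real
// XML-DSIG this is the canonicalized <ds:SignedInfo>; here it is a plain list.
func signedInfo(refs map[string][32]byte) []byte {
	ids := make([]string, 0, len(refs))
	for id := range refs {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var buf bytes.Buffer
	for _, id := range ids {
		d := refs[id]
		fmt.Fprintf(&buf, "%s:%x\n", id, d[:])
	}
	return buf.Bytes()
}

// Sign digests each part named in cover, then performs the single expensive
// PKI operation over the digest list only, never over the parts themselves.
func Sign(key *rsa.PrivateKey, env Envelope, cover ...string) (Signature, error) {
	refs := make(map[string][32]byte, len(cover))
	for _, id := range cover {
		p, ok := env.part(id)
		if !ok {
			return Signature{}, fmt.Errorf("no part with Id %q", id)
		}
		refs[id] = sha256.Sum256(p.Content)
	}
	h := sha256.Sum256(signedInfo(refs))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return Signature{}, err
	}
	return Signature{References: refs, Value: sig}, nil
}

// Verify checks the RSA signature over the digest list, then recomputes each
// referenced digest against the envelope as received. Parts that are not
// referenced are never looked at: that is the gap a timestamp-only signature leaves.
func Verify(pub *rsa.PublicKey, env Envelope, sig Signature) error {
	h := sha256.Sum256(signedInfo(sig.References))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig.Value); err != nil {
		return fmt.Errorf("SignedInfo signature invalid: %w", err)
	}
	for id, want := range sig.References {
		p, ok := env.part(id)
		if !ok {
			return fmt.Errorf("referenced part %q missing from message", id)
		}
		if got := sha256.Sum256(p.Content); got != want {
			return fmt.Errorf("digest mismatch for part %q", id)
		}
	}
	return nil
}

// TimeHashVsSign measures SHA-256 over a body of n bytes against one RSA
// signing operation, so the performance worry can be judged in numbers.
func TimeHashVsSign(key *rsa.PrivateKey, n int) (hashDur, signDur time.Duration) {
	body := bytes.Repeat([]byte("x"), n) // constructed large body
	t0 := time.Now()
	d := sha256.Sum256(body)
	hashDur = time.Since(t0)
	t1 := time.Now()
	_, _ = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	signDur = time.Since(t1)
	return hashDur, signDur
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	env := Envelope{ // constructed sample message
		Timestamp: Part{"TS-1", []byte("<wsu:Timestamp><wsu:Created>2010-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>")},
		Body:      Part{"Body-1", []byte("<soap:Body><transfer><to>alice</to><amount>10</amount></transfer></soap:Body>")},
	}
	tsOnly, _ := Sign(key, env, "TS-1")
	full, _ := Sign(key, env, "TS-1", "Body-1")

	// Attacker rewrites the Body after the client signed the message.
	tampered := env
	tampered.Body.Content = bytes.Replace(env.Body.Content, []byte("alice"), []byte("mallory"), 1)

	fmt.Println("timestamp-only signature, body tampered:", Verify(&key.PublicKey, tampered, tsOnly)) // verifies (nil): change unnoticed
	fmt.Println("timestamp+body signature, body tampered:", Verify(&key.PublicKey, tampered, full))   // digest mismatch for "Body-1"
	h, s := TimeHashVsSign(key, 64<<10)
	fmt.Printf("sha256 over 64 KiB: %v, one RSA-2048 sign: %v\n", h, s)
}
```

The two Verify calls are the point of the thread: with only "TS-1" referenced, the rewritten Body passes, because the verifier has nothing to compare it against; with "Body-1" referenced as well, the recomputed digest no longer matches the one under the signature. The timing helper shows why the performance concern is small for typical bodies (tens of kilobytes hash in a fraction of one RSA-2048 signing operation); the ratio narrows for multi-megabyte bodies, which you can measure by changing n.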
A: 

If a client sends a WS-Secure SOAP request to the server over HTTPS my understanding is that even if someone sniffed the traffic they cannot decrypt it to look at the SOAP message and therefore cannot tinker with it. So I don't see the need for two-way SSL.

When using WS-Secure over HTTPS can we not let the HTTPS take care of encryption and simply use WS-Secure for authentication (ie signing some part of the SOAP message either timestamp or body or something else) ?

sudr
You make the assumption that the attacker is in the middle, but that's not the case for most SOAP messages. Anyone can send tampered messages to you over HTTPS. Without 2-way SSL, you have no way to prove the message originated from a trusted party.
ZZ Coder
@ZZ Coder, but I sign the message with my private key and then the server decrypts with my public key so it will know it came from me (If I sign the whole body not just the timestamp), isn't that right?
Alexandru Luchian