Re: Are XML Signatures secure?
- From: "Eugene Mayevski" <mayevski@xxxxxxxxx>
- Date: Sun, 23 Sep 2007 16:00:52 +0300
Hello!
You wrote on Sun, 23 Sep 2007 14:26:54 +0200:
NE> I was planning to deploy my control using a digitally signed XML
NE> signature but when I come to think of it nothing prevents a savvy user
NE> from taking the XML file, stripping the Digital signature, altering the
NE> XML document and signing it again with his/her own key.
NE> Am I right? or am I missing something?
The idea of signatures is that they are the evidence of the document origin and document integrity. In other words, the signature can say that the document was signed by certain signer and since signing the document has not beem modified. The signature doesn't prevent altering the data (in generic case).
So when you are talking about signatures, you need to define, what exactly you want to do. If you want to ensure that the component / control can't be cracked, then the signature won't work for you.
If you want to ensure that the component was not modified by the evil hacker, trying to inject his code into the end-user's system, then the end-user must check and ensure that the signature is *yours* (and not the one of the evil hacker).
Validating the signatures is possible when X.509 certificates are employed and included into the signature. If you use plain RSA or DSA key for signing, then the end user must have your public key in order to validate the signature and ensure that it's yours.
With best regards,
Eugene Mayevski
http://www.SecureBlackbox.com - the comprehensive component suite for network security
.
- References:
- Are XML Signatures secure?
- From: ~~~ .NET Ed ~~~
- Are XML Signatures secure?
- Prev by Date: Are XML Signatures secure?
- Next by Date: The pest of Impersonation
- Previous by thread: Are XML Signatures secure?
- Next by thread: The pest of Impersonation
- Index(es):
Relevant Pages
|
|
