Abstract
XML Signature Wrapping (XSW) has been a relevant threat to web services for 15 years until today. Using the Personal Health Record (PHR), which is currently under development in Germany, we investigate a current SOAP-based web services system as a case study. In doing so, we highlight several deficiencies in defending against XSW. Using this real-world contemporary example as motivation, we introduce a guideline for more secure XML signature processing that provides practitioners with easier access to the effective countermeasures identified in the current state of research.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Because of the reduced functionality, FastXPath is also more performant.
- 2.
CVE-2020-5407, CVE-2020-5390, CVE-2020-13415, CVE-2018-18689, CVE-2017-10669, CVE-2017-1000452, CVE-2016-5697, CVE-2015-3932, CVE-2015-3931, CVE-2012-6426, CVE-2012-4418, CVE-2011-1411, CVE-2011-0730.
References
Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., Yergeau, F.: Extensible Markup Language (XML) 1.0 (Fifth Edition). Recommendation, W3C, November 2008
Eastlake, D., Reagle, J., Hirsch, F., Roessler, T.: XML Encryption Syntax and Processing Version 1.1. Recommendation, W3C, April 2013
Eastlake, D., et al.: XML Signature Syntax and Processing Version 1.1. Recommendation, W3C, April 2013
Gajek, S., Jensen, M., Liao, L., Schwenk, J.: Analysis of signature wrapping attacks and countermeasures. In: ICWS 2019. IEEE, July 2009
Gajek, S., Liao, L., Schwenk, J.: Breaking and fixing the inline approach. In: SWS 2007. ACM (2007)
gematik GmbH: Systemspezifisches Konzept ePA (2019), revision 166371
gematik GmbH: Spezifikation Authentisierung des Versicherten ePA (2020), revision 244633
gematik GmbH: Spezifikation ePA-Aktensystem (2020), revision 245464
gematik GmbH: epa - elektronische patientenakte (2019). https://www.gematik.de/fileadmin/user_upload/gematik/files/Faktenblaetter/Faktenblatt_ePA_web.pdf
gematik GmbH: API Telematik, June 2020. https://fachportal.gematik.de/downloadcenter/schemata-wsdl-und-andere-dateien
Gruschka, N., Lo Iacono, L.: Vulnerable cloud: SOAP message security validation revisited. In: ICWS 2009. IEEE (2009)
Gruschka, N., Luttenberger, N.: Protecting web services from DoS attacks by SOAP message validation. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.) SEC 2006. IIFIP, vol. 201, pp. 171–182. Springer, Boston, MA (2006). https://doi.org/10.1007/0-387-33406-8_15
Gruschka, N., Luttenberger, N., Herkenhöner, R.: Event-based soap message validation for WS-securitypolicy-enriched web services. In: SWWS 2016 (2006)
Hill, B.: Complexity as enemy of security (2007). https://www.w3.org/2007/xmlsec/ws/papers/04-hill-isecpartners/
Jensen, M., Gruschka, N., Herkenhoner, R., Luttenberger, N.: Soa and web services: new technologies, new standards - new attacks. In: ECOWS 2007 (2007)
Jensen, M., Gruschka, N.: A survey of attacks in the web services world. In: Electronic Services: Concepts, Methodologies, Tools and Applications (2010)
Jensen, M., Liao, L., Schwenk, J.: The curse of namespaces in the domain of XML signature. In: SWS 2009. ACM (2009)
Jensen, M., Meyer, C., Somorovsky, J., Schwenk, J.: On the effectiveness of XML schema validation for countering XML signature wrapping attacks. In: IWSSC 2011 (2011)
Jensen, M., Schwenk, J., Bohli, J.M., Gruschka, N., Lo Iacono, L.: Security prospects through cloud computing by adopting multiple clouds. In: CLOUD 2011 (2011)
Jensen, M., Schwenk, J., Gruschka, N., Iacono, L.L.: On technical security issues in cloud computing. In: IEEE International Conference on Cloud Computing (2009)
Mainka, C., Jensen, M., Lo Iacono, L., Schwenk, J.: XSpRES - robust and effective XML signatures for web services. In: CLOSER 2012. SciTePress (2012)
McIntosh, M., Austel, P.: XML signature element wrapping attacks and countermeasures. In: SWS 2005. Association for Computing Machinery (2005)
MITRE: Cwe-345: Insufficient verification of data authenticity (2006)
MITRE: Cwe-347: Improper verification of cryptographic signature (2006)
OASIS: Web services security: Soap message security 1.1 (2004)
Robie, J., Dyck, M., Spiegel, J.: XML Path Language (XPath) 3.1. Recommendation, W3C, March 2017
Slany, D.W.: Sicherheitsanalyse zur Sicherheit der kritischen Komponenten der elektronischen Patientenakte nach §291a SGB V, March 2020
Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N., Lo Iacono, L.: All your clouds are belong to us. In: CCSW 2011 (2011)
Somorovsky, J., Mayer, A., Schwenk, J., Kampmann, M., Jensen, M.: On breaking SAML: be whoever you want to be. In: USENIX Security 2012, August 2012
W3C: SOAP 1.2-Schema (2007)
Acknowledgement
We would like to thank our reviewers and Stephan Wiefling for their time and effort to give constructive feedback and thoughtful comments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Höller, P., Krumeich, A., Lo Iacono, L. (2021). XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-78120-0_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78119-4
Online ISBN: 978-3-030-78120-0
eBook Packages: Computer ScienceComputer Science (R0)
