XSpRES was a project running from 2010-2011 and was funded by Germany’s Federal Office for Information Security. It was partnered between FH Cologne and Ruhr University Bochum. The original website is no longer available. The project’s funded my following papers:
XML Encryption and XML Signature are fundamental security standards forming the core for many applications which require to process XML-based data. Due to the increased usage of XML in distributed systems and platforms such as in SOA and Cloud settings, the demand for robust and effective security mechanisms increased as well. Recent research work discovered, however, substantial vulnerabilities in these standards as well as in the vast majority of the available implementations. Amongst them, the so-called XML Signature Wrapping attack belongs to the most relevant ones. With the many possible instances of this attack type, it is feasible to annul security systems relying on XML Signature and to gain access to protected resources as has been successfully demonstrated lately for various Cloud infrastructures and services. This paper contributes a comprehensive approach to robust and effective XML Signatures for SOAP-based Web Services. An architecture is proposed, which integrates the required enhancements to ensure a fail-safe and robust signature generation and verification. Following this architecture, a hardened XML Signature library has been implemented. The obtained evaluation results show that the developed concept and library provide the targeted robustness against all kinds of known XML Signature Wrapping attacks. Furthermore the empirical results underline, that these security merits are obtained at low efficiency and performance costs as well as remain compliant with the underlying standards.
@inproceedings{mainkaPenetrationTestingTool2012,title={Penetration Testing Tool for Web Services Security},booktitle={World Congress on Services ({{SERVICES}})},author={Mainka, Christian and Somorovsky, Juraj and Schwenk, Jörg},date={2012-06},location={Honolulu, HI, USA},doi={10.1109/services.2012.7},url={https://dl.acm.org/doi/10.1109/SERVICES.2012.7},eventtitle={{{SERVICES}}},month=jun}
CLOSER
XSpRES: Robust and Effective XML Signatures for Web Services
Christian Mainka, Meiko Jensen, Luigi Lo Iacono, and Jörg Schwenk
In International Conference on Cloud Computing and Services Science (CLOSER), Porto, Portugal, accepted papers: 15/145 = 10%, Apr 2012
XML Encryption and XML Signature are fundamental security standards forming the core for many applications which require to process XML-based data. Due to the increased usage of XML in distributed systems and platforms such as in SOA and Cloud settings, the demand for robust and effective security mechanisms increased as well. Recent research work discovered, however, substantial vulnerabilities in these standards as well as in the vast majority of the available implementations. Amongst them, the so-called XML Signature Wrapping attack belongs to the most relevant ones. With the many possible instances of this attack type, it is feasible to annul security systems relying on XML Signature and to gain access to protected resources as has been successfully demonstrated lately for various Cloud infrastructures and services. This paper contributes a comprehensive approach to robust and effective XML Signatures for SOAP-based Web Services. An architecture is proposed, which integrates the required enhancements to ensure a fail-safe and robust signature generation and verification. Following this architecture, a hardened XML Signature library has been implemented. The obtained evaluation results show that the developed concept and library provide the targeted robustness against all kinds of known XML Signature Wrapping attacks. Furthermore the empirical results underline, that these security merits are obtained at low efficiency and performance costs as well as remain compliant with the underlying standards.
@inproceedings{mainkaXSpRESRobustEffective2012a,title={{{XSpRES}}: {{Robust}} and {{Effective XML Signatures}} for {{Web Services}}},booktitle={International Conference on Cloud Computing and Services Science ({{CLOSER}})},author={Mainka, Christian and Jensen, Meiko and Iacono, Luigi Lo and Schwenk, Jörg},date={2012-04},pages={187--197},location={Porto, Portugal},url={https://www.researchgate.net/publication/267407051_XSpRES_Robust_and_effective_XML_signatures_for_Web_Services},eventtitle={{{CLOSER}}},month=apr}