Uploaded image for project: 'OASIS ebXML Messaging Services TC'
  1. OASIS ebXML Messaging Services TC
  2. EBXMLMSG-122

Encrypting ds:Signature or at least ds:SignedInfo



    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: AS4 Profile, Core Spec
    • Labels:



      I'm working on an AS4 profile with advanced security.  We're getting advice from a cryptography professor who has made some comments on combining signing and encryption.

      ebMS3 section 7.6 states:

      "When both signature and encryption are required of the MSH, the message MUST be signed prior to being encrypted."

      AS4 section 5.1.6 (a) states:

      "If an AS4 user message is to be encrypted, AS4 MSH implementations MUST encrypt ALL payload parts. However, AS4 MSH implementations SHALL NOT encrypt the eb:Messaging header. If confidentiality of data in the eb:Messaging header is required, implementations SHOULD use transport level security. "

      The question is:  can any SOAP headers other than eb:Messaging be encrypted, or is the above statement  in AS4 exhaustive:  other than payload parts, nothing must be encrypted.

      The example in ebMS3 section 7.9 contains an unencrypted  ds:Signature.  But this could just be an underspecified aspect. 

      With structures like the 7.9 example, this means that the ds:DigestValue of the signed parts are in clear text. The expert can think of the following attack: Imagine you encrypt an XML string consisting of a known structure with a 4 digit secret number. Since the signature is transmitted in plain and the hash values are visible, the attacker can just iterate over all 4 digit combinations, recompute the hashes, and finally find the secret number based on the hash value. This attack scales depending on how many bytes are secret.

      With tools like Apache CXF and signAndEnc,  it is possible to encrypt also the ds:Signature/ds:SignedInfo at encryption phase and and it works OK for sending and receiving.  The signature is encrypted.. and then decrypted before signature validation"

      Our questions:   

      1)  is encryption of parts of the ds:Signature allowed with ebMS3 or AS4?

      2) is it an underspecified aspect that can be legitimately considered a profiling issues?

      3)  do you expect any interoperability issues?  Would a receiver of a message in which parts of ds:Signature are encrypted reject the message, or would it normally speaking just work?






            • Assignee:
              pvde Pim van der Eijk
            • Watchers:
              1 Start watching this issue


              • Created: