Spatial Signature Method (SSM) Against XML Signature Wrapping Attacks

Living in cyber world with revolutionizes of Industrial 4.0, most of the users and organisations prefer to sell and buy products or services via website online transaction. This online transaction is done through a messaging protocol (SOAP) and signing entire SOAP (SESOAP) using Extensible Markup Language (XML). XML is implemented to secure the SOAP contents by applying the signing method called as XML Digital signature. However, the XML digital signature has issues related to XML signature wrapping (XSW) attacks specifically on Sibling Value Context and Sibling Order Context attacks. Therefore, this paper proposes an enhanced method called as Spatial Signature Method (SSM) which aims to resolve the limitation of SESOAP from the aspect of XSW attacks. It proposes new parameters for XML digital signature inspired by the concept of ratio and space in biotechnology to detect the XSW attacks. The experiment was conducted in a controlled lab by using the Ubuntu Linux system and PHP programming. Based on the comparison made with SESOAP and ID Referencing method (IDR), SSM has proven to defend against the XSW attacks. For the future work, the spatial signature method can be forged with more extensive spatial information for the digital signature and to integrate it with web services.

Improving the Authentication Mechanism of Business to Consumer (B2C) Platform in a Cloud Computing Environment: Preliminary Findings

The reliance of e-commerce infrastructure on cloud computing environment has undoubtedly increased the security challenges in web-based e-commerce portals. This has necessitated the need for a built-in security feature, essentially to improve the authentication mechanism, during the execution of its dependent transactions. Comparative analysis of the existing works and studies on XML-based authentication and non-XML signaturebased security mechanisms for authentication in Business to Consumer (B2C) e-commerce showed the advantage of using XML-based authentication, and its inherent weaknesses and limitations. It is against this background that this study, based on review and meta-analysis of previous works, proposes an improved XML digital signature with RSA algorithm, as a novel algorithmic framework that improves the authentication strength of XML digital signature in the B2C e-commerce in a cloud-based environment. Our future works include testing and validation, and simulation, of the proposed authentication framework in Cisco’s XML Management Interface with inbuilt feature of NETCONF. The evaluation will be done in conformity to international standard and guideline –such as W3C and NIST.

XML Signatures and Encryption

Many XML uses today need security, particularly in terms of authentication and confidentiality. Consider commercial transactions. It should be clear why purchase orders, payments, delivery receipts, contracts, and the like need authentication. In many cases, particularly when the transaction involves multiple parties, different parts of a message need different kinds of authentication for different recipients. For example, the payment portion of an order from a customer to a merchant could be extracted and sent to a payment clearing system and then to the customer's bank. Likewise, court filings, press releases, and even personal messages need authentication as a protection against forgery. XML Digital Signature, which provides authentication is a full Recommendation in the W3C and a Draft Standard in the IETF. XML Encryption which provides confidentiality, and Exclusive XML Canonicalization are W3C Candidate Recommendations.

XML Digital Signature Application in Network Test System

This paper describes the concept of XML digital signatures, analyzes the digital signature and the signature verification process, describes the W3C digital signature specification, and studies how to ensure data security in network exam in C #.NET environment. Experiments show that: XML digital signature in network test system ensures the integrity of network data transmission, the identity of verifiability and non-repudiation.