A Taxonomy of Attacks against XML Digital Signatures & Encryption
Brad Hill – iSEC Partners firstname.lastname@example.org
Supplementary Material for Attacking XML Security, available at:
This document is an enumeration and taxonomy of currently known attacks and evasions against the W3C
Recommendation for XML-Signature Syntax and Processing (Bartel „02). It is best understood as
supplemental material to the presentation noted above and in concert with the additional reference material in
the bibliography. This compact summary is intended to aid the experienced security professional in
evaluating technologies implementing or utilizing XML Digital Signatures and XML Encryption.
A note on order of operations and attack surface:
XML Digital Signatures are indirected signatures. To construct a signature, the content to be signed is
canonicalized, digested, and metadata about the content (its location, the digest and canonicalization method)
is saved as XML. This XML metadata is then itself canonicalized, digested, and the digest of the metadata is
signed to produce the final signature. Key information may optionally be packaged with the signature.
The order of operations for signature validation, while unimportant from a cryptographic standpoint, can
have a significant impact on whether many of the attacks detailed here are available to anonymous
adversaries, or if the attack surface can be authenticated.
The first operation of signature validation should be key resolution. Optimally, any KeyInfo attached to the
signature can be discarded, and the proper key inferred from context and provided directly by the caller. If
the KeyInfo must be resolved from the signature, this resolution must be a distinct step so a trust decision in
the key can be made before proceeding.
The next operation is to verify the signature by canonicalizing and digesting the signed info metada