Applying Sanitizable Signature to Web-Service-Enabled Business Processes: Going Beyond Integrity Protection

Author

Kar Way TAN, Singapore Management UniversityFollow
Robert H. DENG, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

submittedVersion

Publication Date

6-2009

Abstract

This paper studies the scenario where data in business documents is aggregated by different entities via the use of web services in streamlined business processes. The documents are transported within the Simple Object Access Protocol (SOAP) messages and travel through multiple intermediary entities, each potentially makes changes to the data in the documents. The WS-Security provides integrity protection by allowing portions of a SOAP message to be signed using eXtensible Markup Language (XML) signature scheme. This method however, has not considered the situation where a portion of data may be modified by another entity, therefore a need to allow the originating system to control which intermediary entity is authorized to change which portion of the data. The XML signature scheme also does not provide the final recipient the trust for the intermediary entity that makes the changes. In our paper, we study the security requirements for a streamlined business process, and proposes a novel scheme using sanitizable signature on SOAP messages to complement the XML signature to address not only integrity protection but also control of change as well as establishment of trust for intermediary entities. We show how the proposed scheme can be incorporated into the existing standards and be customizable to achieve flexible use of both the vanilla and sanitizable signatures as required in a business scenario. With the proposed technique, IT systems can be more loosely coupled and reap the benefits of distributed systems, such as delegation of work and encapsulation of business logic.

Keywords

Web services, integrity protection, SOAP message security, XML signature

Discipline

Information Security

Publication

ICWS 2009: IEEE 7th International Conference on Web Services, Los Angeles, CA, 6-10 July: Proceedings

First Page

67

Last Page

74

ISBN

9780769537092

Identifier

10.1109/ICWS.2009.34

Publisher

IEEE Computer Society

City or Country

Los Alamitos, CA

Citation

TAN, Kar Way and DENG, Robert H.. Applying Sanitizable Signature to Web-Service-Enabled Business Processes: Going Beyond Integrity Protection. (2009). ICWS 2009: IEEE 7th International Conference on Web Services, Los Angeles, CA, 6-10 July: Proceedings. 67-74.
Available at: https://ink.library.smu.edu.sg/sis_research/463

Copyright Owner and License

Authors

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

http://doi.ieeecomputersociety.org/10.1109/ICWS.2009.34