Dr. Dobb's is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Channels ▼

Web Development

Digitally Signing and Verifying Messages in Web Services

Sitaraman Lakshminarayanan is an Enterprise Architect with over 11 years of IT experience in implementing software solutions based on Microsoft and Java platforms. He is the author of Oracle Web Services Manager: Securing Your Web Services, on which this article is based.

Confidentiality and integrity are two critical components of web services. While confidentiality can be ensured by means of encryption, the encrypted data can still be overwritten and the integrity of the message can be compromised. It is equally important to protect the integrity of the message, and digital signatures can help protect the integrity of the message. In this article, I describe how to digitally sign and verify messages in web services using Oracle Web Services Manager, which is a component of Oracle's SOA Suite -- a web services security and monitoring product that helps organizations not only to define and enforce security policies, but also to define and enforce the service level agreements. And one of the key components of Service Oriented Architecture is security.

Overview of Digital Signatures

In the web services scenario, XML messages are exchanged between the client application and the web services. Certain messages contain critical business information and, therefore, the integrity of the message should be ensured. Ensuring the integrity of the message is not a new concept, it has been there for a long time. The concept is to make sure that the data was not tampered with in transit between he sender and the receiver.

Consider, for example, that Alice and Bob are exchanging emails that are critical to business. Alice wants to make sure that Bob receives the correct email that she sent and no one else tampered with or modifi ed the email in between. In order to ensure the integrity of the message, Alice digitally signs the message using her private key, and when Bob receives the message, he will check to make sure that the signature is still valid before he can trust or read the email.

What is this digital signature? And how does it prove that no one else tampered with the data? When a message is digitally signed, it basically follows these steps:

  • Create a digest value of the message (a unique string value for the message using a SHA1 or MD5 algorithm).
  • Encrypt the digest value using the private key, known only to the sender.
  • Exchange the message along with the encrypted digest value.

Note: MD5 and SHA1 are message digest algorithms to calculate the digest value. The digest or hash value is nothing but a non-reversible unique string for any given data, i.e. the digest value will change even if a space is added or removed. SHA1 produces a 160-bit digest value, while MD5 produces a 128-bit value.

When Bob receives the message, his first task is to validate the signature. Validation of signature goes through a sequence of steps:

  • Create a digest value of the message again using the same algorithm.
  • Encrypt the digest value using the public key of Alice (obtained out of band or part of message, etc.)
  • Validate to make sure that the digest value encrypted using the public key matches the one that was sent by Alice.
  • Since the public key is known or exchanged along with the message, Bob can check the validity of the certificate itself.

Note: Digital certificates are issued by a trusted party such as Verisign. When a certificate is compromised, you can cancel the certificate, which will invalidate the public key. Once the signature is verifi ed, Bob can trust that the message was not tampered with by anyone else. He can also validate the certificate to make sure that it is not expired or revoked, and also to ensure that no one actually tampered with the private key of Alice.

Digital Signatures in Web Services

In the last section, we learned about digital signatures. Since web services are all about interoperability, digital-signature-related information is represented in an industry standard format called XML Signature (standardized by W3C). The following are the key data elements that are represented in an interoperable manner by XML Signature:

  • What data (what part of SOAP message) is digitally signed?
  • What hash algorithm (MD5 or SHA1) is used to create the digest value?
  • What signature algorithm is used?
  • Information about the certificate or key.

In the next section, I describe how the Oracle Web Services Manager can help generate and verify signatures in web services.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.