Se­cu­ri­ty Ana­ly­sis of XAdES Va­li­da­ti­on in the CEF Di­gi­tal Si­gna­tu­re Ser­vices (DSS)

Nils En­gel­bertz, Vla­dis­lav Mla­de­nov, Juraj So­mo­rovs­ky, Nu­rul­lah Er­in­no­la, David Her­ring, Jörg Schwenk

Ab­stract

Wi­t­hin the Eu­ropean Union (EU), the eIDAS re­gu­la­ti­on sets legal bo­un­da­ries for cross- bor­der ac­cep­tan­ce of Trust Ser­vices (TSs) such as Elec­tro­nic Si­gna­tu­res. To fa­ci­li­ta­te com­pli­ant im­ple­men­ta­ti­ons, an open sour­ce soft­ware li­b­ra­ry to crea­te and va­li­da­te si­gned do­cu­ments is pro­vi­ded bythe eSi­gna­tu­re buil­ding­blockof­the­Con­nec­tin­g­Eu­rope­Fa­ci­li­ty(CEF).​Wesyste­ma­ti­cal­lye­va­lua­ted the va­li­da­ti­on logic of this li­b­ra­ry with re­gards to XML-ba­sed at­tacks. The dis­co­ver­ed vul­nerabi­li­ties al­lo­wed us to read ser­ver files and by­pass XML Ad­van­ced Elec­tro­nic Si­gna­tu­re (XAdES) pro­tec­tions. The se­rious­ness of the vul­nerabi­li­ties shows that there is an ur­gent need for se­cu­ri­ty best-prac­tice do­cu­ments and au­to­ma­tic se­cu­ri­ty eva­lua­ti­on tools to sup­port the de­ve­lop­ment of se­cu­ri­ty-re­le­vant im­ple­men­ta­ti­ons.

Tags: di­gi­tal, DTD;, Ser­vice;, Ser­vices, si­gna­tu­re, Si­gna­tu­re;, trust, xml, XSLT;