Enforcement Agency ID Number), drug description, quantity, and date are digitally
signed, but other parts of the document aren't included in the final string to be
signed.
Listing 11.1 Adding a digital signature to a document
<ds:Signature>
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="xmldsig#rsa-sha256"/>
    <ds:Reference>
      <ds:Transforms>
        <ds:Transform
            Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
          <ds:XPath>
            concat(
              Message/Body/*/Prescriber/Identification/DEANumber/text(),
              Message/Body/*/MedicationPrescribed/DrugDescription/text(),
              Message/Body/*/MedicationPrescribed/Quantity/Value/text(),
              Message/Body/*/MedicationPrescribed/WrittenDate/text() )
          </ds:XPath>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
      <ds:DigestValue>UjBsR09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi
      </ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>XjQsL09EbGhjZ0dTQUxNQUFBUUNBRU1tQ1p0dU1GUXhEUzhi
  </ds:SignatureValue>
  <ds:KeyInfo> ...
  </ds:KeyInfo>
</ds:Signature>
One useful rule in digital signatures is to “only sign what the users see.” To get consistent digital signatures of XML prescriptions and avoid the problems with changing element names and canonicalization, XPath expressions can be used to extract only the values from XML elements and exclude all the element names and paths from the string that's signed. As long as both the transmitter and receiver use the same XPath expressions, the digital signature will match. The DigSig standard allows you to specify precisely the path expressions that you used to sign the documents.
Listing 11.1 callouts: the DigestMethod element says to use the SHA-256 hash algorithm; the XPath transform holds the rules to get text within the document you sign.
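The value-only digest described above, as an added example that is not from the original text: it extracts the four fields named in Listing 11.1, concatenates them, and computes the base64 SHA-256 value that would go in DigestValue. The sample messages, the NewRx and RefillResponse wrapper elements, the Header/Note element and the DEA placeholder are constructed, ElementTree's path subset stands in for the XPath concat() call, and the RSA signature over SignedInfo is not shown.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Field paths from Listing 11.1, written relative to the <Message> root element
# because ElementTree evaluates paths from the root, not from the document node.
SIGNED_PATHS = [
    "Body/*/Prescriber/Identification/DEANumber",
    "Body/*/MedicationPrescribed/DrugDescription",
    "Body/*/MedicationPrescribed/Quantity/Value",
    "Body/*/MedicationPrescribed/WrittenDate",
]

def signed_string(xml_text):
    """Concatenate the selected text values, as the concat() in the listing does."""
    root = ET.fromstring(xml_text)
    values = []
    for path in SIGNED_PATHS:
        node = root.find(path)
        if node is None or node.text is None:
            # Fail closed: a missing field must never silently become "".
            raise ValueError("missing signed field: " + path)
        values.append(node.text)
    return "".join(values)

def digest_value(xml_text):
    """Base64 SHA-256 digest of the extracted string (the DigestValue content)."""
    raw = hashlib.sha256(signed_string(xml_text).encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")

def prescription(wrapper, drug, qty, note):
    """Constructed sample message; wrapper and note lie outside the signed fields."""
    return (
        f"<Message><Header><Note>{note}</Note></Header><Body><{wrapper}>"
        f"<Prescriber><Identification><DEANumber>XX0000000</DEANumber>"
        f"</Identification></Prescriber><MedicationPrescribed>"
        f"<DrugDescription>{drug}</DrugDescription>"
        f"<Quantity><Value>{qty}</Value></Quantity>"
        f"<WrittenDate>2013-01-15</WrittenDate>"
        f"</MedicationPrescribed></{wrapper}></Body></Message>"
    )

ORIGINAL = prescription("NewRx", "Amoxicillin 500 mg capsule", "30", "sent by clinic")
REWRAPPED = prescription("RefillResponse", "Amoxicillin 500 mg capsule", "30", "relayed")
ALTERED = prescription("NewRx", "Amoxicillin 500 mg capsule", "90", "sent by clinic")

if __name__ == "__main__":
    for name, doc in [("original", ORIGINAL), ("rewrapped", REWRAPPED), ("altered", ALTERED)]:
        print(name, digest_value(doc))
```

The original and rewrapped messages produce the same digest even though the wrapper element and the note differ, while the altered quantity produces a different one. A receiver should therefore treat only the four extracted fields as authenticated.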
11.2.5 Protecting public websites from denial of service and injection attacks
Databases with public interfaces are vulnerable to two special types of threats: denial of service (DOS) and injection attacks.
A DOS attack occurs when a malicious party attempts to shut down your servers by repeatedly sending queries to your website with the intention of overwhelming it and preventing access by valid users. The best way to prevent DOS attacks is by looking for repeated rapid requests from the same IP address.