Fundamentals of Data Security (Web Services Application and Security, Part 3)

As Web Services are concerned, it has a scope beyond the transport level and there is exchange of data between disparate services. The data integrity is a critical factor that affects the security of the Web Service application. Web Services use XML as a communication media for data exchange among the services, so we need to take care of the secure transformation of XML data. There are industry-standard specifications such as XML encryption, XML Signature, and XML Key Management available to use XML data in a secure fashion.

Data cryptography is the art of securing the resource that is shared among the applications. Before going into details about standard specifications available for Web Service's data security, let us discuss the following cornerstones of Data Cryptography.

• Encryption & Decryption of data
• Authentication & Authorization of access to data
• Digital signature & Certification Authorities (CA)

The objective of this article is to bring out key approaches that are involved in the Encryption and Decryption of the data in the way to make an application secure.

Encryption & Decryption of Data

We can go for the encryption of data when the application needs to handle the transaction of data in highly secure way. The design of the encryption and decryption algorithm is based on a key-based mathematical approach.

• Encryption and Decryption are the fundamental approaches to implementing data security. Encryption converts the data into some digest form to make the data secure over the network. The Decryption process changes the encrypted data back into its original form.
• Encryption does not allow the accessing the data until/unless there are permitted parameters to decrypt the rules that are governed by the encryption process. Encryption offers the locking of particular data, whereas Decryption is the process that unlocks the data.

There are two approaches to encrypt and decrypt the data:

1. Private, or Symmetric, key encryption
2. Public, or Asymmetric, key encryption

These two approaches are addressed in the following sections.

Private, or Symmetric, key encryption

In Private key encryption, a single key is used for both the encryption and decryption of the data; this key is called the private key. In this approach, the business partners who are involved in the transactions should keep the key secret.

The Private key approach has limitations in terms of generating and maintaining separate private keys for each customer. It is not a proven approach for the implementing of complex and potential real-time business applications, so it is almost never used.

Limitations:

• The organization has to maintain a separate key for each customer.
• It should maintain many numbers of keys when the potential of business transactions increases.
• The exchange of the secret key should be very confidential. Otherwise, hackers can misuse it.

Public, or Asymmetric, key encryption

Public key encryption is one that contains two keys: Public key and Private key. They are used for the encryption and decryption of the data. In simple words, a public key is a freely available key that is used for the encryption of the data, whereas the private key is the master key used for decryption of the encrypted data. The private key is not exposed to the outside world and it is kept secret. Key-generation tools are used to generate this pair of keys.

Public key encryption is critical for the development of a secure, distributed application. Public key encryption provides the best and most efficient mechanism to maintain the confidentiality of data. Public key is a proven encryption approach that provides a key distribution among the shared parties.

Sample Scenario

Suppose Enterprise X needs to do secure transactions with its customers. It has to give the option to its customers to make their transactions secure. If Enterprise X has to maintain a separate securing process for each of its customers, it is very difficult to handle transactions with a large customer base.

The following series of steps describes how public cryptography helps to implement a key-based, secure application.

Enterprise X publishes the public key as freely available through the Internet or any other media for communication. Anybody can get a public key from X and use it without any restrictions.

• Public key Cryptography allows a public key to be widely distributed or make it freely available to customers.

• Suppose A is customer of Enterprise X. A wants to complete a secure business transaction with X.
  Customer A needs a mechanism to encrypt his data. Enterprise X should provide a key to the customers, who the can make use of that key to encrypt their data. This key is called a Public key, which is freely available over the Web, e-mail. or any other media.

  

• Customer A gets the public key from Enterprise X and uses it to encrypt his data.

  

• Once Customer A has encrypted his data using his public key, he can send it to X.

  Note: There is no chance of decrypting encrypted data with a public key.

  Suppose B is another customer of Enterprise X and B has received Customer A's encrypted data. B cannot evaluate the encrypted data into actual data or a decrypted form even though it has a public key with it.

  B needs the private key to decrypt the data. The private key is not exposed/distributed by Enterprise X and it is kept secret.

  

• Finally, Enterprise X gets A's encrypted data and it can be decrypted using the private key that is owned by X.

Benefits of Public Key encryption:

• It guarantees the confidentiality of data transfer across untrusted networks.
• Public key encryption is best suited for an organization that has a huge number of customers and many applications are deployed to support secure transactions.
• Public Key cryptography is a proven approach for commercial applications/e-commerce sites that are using credit card transactions over the Internet.

Limitations of Public Key encryption:

• Public key encryption is relatively expensive, and is not suited to encrypting large volumes of data.
• Though Web Services needs encryption data that is exchanged among services, traditional Public Key cryptography is not an exact fit to the Web Services model.
• In the Web service model, we need only a set of service parameters to be encrypted. The encryption of whole XML documents causes parsing problems when it is decrypted. So, we have to apply the encryption strategies that are designed for XML.

Summary

In this article, we have seen various key-based approaches that are involved in the encryption and decryption of data. Key cryptography does not fulfill all the requirements of a secure application. It does not address the trustworthiness or digital signature of documents.

Key cryptography is the one of the main entities in the Public Key Infrastructure (PKI) and it is the backbone for other two entities (authentication & authorization) and (Digital Signature & Certificate Authority). In the coming article, we will discuss more about authentication & authorization of data and their role in Web Services model.

About the Author

Sridhar Ravuthula is a senior software engineer with Hewlett-Packard, India. He has a master's degree in computer applications. Sridhar has been involved in designing and developing J2EE-based solutions on various platforms. He has worked in flagship product development, e-speak, and HP Bluestone (HPAS). He has good knowledge and hands-on experience in Web Services technologies. You can reach him at sridhar_ravuthula@hp.com or sridharravatula@yahoo.co.uk.