The Foundations of Web Services Security
Web Services Security Models
The Web services security model can be broadly classified as:
- Transport-level security
- Message-level security
Transport-level security (SSL)
Secure Sockets Layer (SSL) is a protocol developed by Netscape for transferring data over the Internet in a secure manner. SSL works by using a private key to encrypt; the key is transferred over the SSL connection. SSL is used to provide transport-level security for Web services applications. It provides security features including authentication, data integrity, and data confidentiality. SSL enables a peer-to-peer secure session: it encrypts the whole message on the wire at the transport level rather than at the application level.
For Web services, SSL has the following limitations:
- SSL is designed to provide point-to-point security. In Web services, there may be multiple intermediary nodes before invoking the actual service. In such cases, SSL may not be able to provide end-to-end security between the client and the actual Web service; rather, it could provide security between the client and the first intermediary.
- SSL encrypts at the transport level and not at the application-message level. Web services might need to secure only part of the SOAP message. This is not feasible with SSL. In other words, SSL does not provide element-wise encryption. As in the banking service example, the enterprise would like to encrypt only the creditAccount, debitAccount, and amount details.
Now that you have seen the limitations of transport-level security, you can explore the capabilities provided by the message-level security model. Various XML-based security standards are emerging in the industry, each trying to address message-level security. The following are some of the popular standards:
XML Encryption: The XML Encryption specification is defined by W3C and addresses the issue of data confidentiality using encryption techniques. Encrypted data is wrapped inside XML tags defined by the XML Encryption specification. For more information, see http://www.w3.org/Encryption/.
XML Signature: The XML Signature is the specification initiated and defined by W3C and IETF. It provides message-level data integrity and authentication wrapped inside an XML format. For more information, see http://www.w3.org/Signature/.
WS-Security: WS-Security is the standard defined by OASIS and provides a mechanism for data integrity, confidentiality, and single message authentication features within a SOAP message. WS-Security makes use of the XML Signature and XML Encryption specifications and defines how to include digital signatures, message digests, and encrypted data in a SOAP message. WS-Security also provides a general-purpose mechanism for associating security tokens with messages.
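To make the XML Signature description concrete, here is an added example (not code from the article or from any of the listed products) that signs only the banking payload of a SOAP request with the JDK's built-in `javax.xml.crypto.dsig` API and shows that a later change to `amount` fails validation. The `transfer` wrapper element, its `Id` value, the account values and the throwaway RSA key are assumptions made for the example.

```java
import java.io.StringReader;
import java.security.*;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SignTransferElement {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed sample request; element names follow the article's banking example.
    static final String MSG = "<soap:Envelope xmlns:soap='" + SOAP_NS + "'><soap:Header/>"
        + "<soap:Body><transfer Id='xfer'><creditAccount>1001</creditAccount>"
        + "<debitAccount>2002</debitAccount><amount>250.00</amount></transfer>"
        + "</soap:Body></soap:Envelope>";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(MSG)));
        Element transfer = (Element) doc.getElementsByTagName("transfer").item(0);
        transfer.setIdAttribute("Id", true); // so the reference "#xfer" resolves
        Node header = doc.getElementsByTagNameNS(SOAP_NS, "Header").item(0);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // throwaway demo key
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Sign only <transfer>; the signature element is placed in the SOAP header.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#xfer", fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            List.of(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), header));
        System.out.println("as sent:            " + valid(doc, kp.getPublic()));
        // The amount is changed after signing, as a node between client and service could do.
        transfer.getElementsByTagName("amount").item(0).setTextContent("9250.00");
        System.out.println("after modification: " + valid(doc, kp.getPublic()));
    }

    // Core validation: checks the signature value and the digest of the referenced element.
    static boolean valid(Document doc, PublicKey key) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(key, sig);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

The signature covers the `transfer` element rather than the connection, so the check still works after the message has passed through nodes that terminate SSL.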
The following table lists the available Web services security standards and the standards group that defines each one. It also captures the implementations of each standard available in the market and the features of each of the products.
|Security model|Standard|Standards group|Implementations|Features|
|---|---|---|---|---|
|Transport Level|SSL|Netscape|Sun Weblogic|Data Integrity|
|Message Level|XML Encryption|W3C|XSS4J, Apache-XML-Security-J, Baltimore Key tools||
||WS-Security|OASIS|Apache WSS4J (Axis), Trust Service Integration Kit (TSIK) (VeriSign)||
Now consider your banking service implemented and deployed using the message-level security model. The following diagram shows the sample wire SOAP message format that will flow from the client to the service. Because the SOAP message is encrypted, no unauthorized client or hacker can create or tamper with the SOAP message on the wire and invoke the actual Web service, thus ensuring the security of the end service.
This article captured the various prominent Web services security standards prevailing in the market and the implementations available. This article has focused only on the widely used standards.
- XML Signature: http://www.w3.org/Signature/
- XML Encryption: http://www.w3.org/Encryption/
- WS-Security: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
- For more details on XSS4J, see http://www.alphaworks.ibm.com/tech/xmlsecuritysuite
- For more details on Apache-XML-Security-J, see http://xml.apache.org/security/
- For more information on XML Security by VeriSign, see http://www.xmltrustcenter.org/xmlsig/index.htm
About the Authors
Kumar Raj Moorthy has been working as an associate software analyst for the telecom mobility division of Hewlett-Packard, India. He has a Bachelor of Engineering degree in the field of computer science from the Bharathiyar University, India. He has more than six years of software industry experience involving Web services, WS Security, J2EE technologies in enterprise application, and telecom domain. He is currently involved in design and development of Service Delivery Platform using SOA for telecom providers. He can be reached at email@example.com or firstname.lastname@example.org.
Ayyappan Gandhirajan holds a Bachelor's degree in Electronics & Communication Engineering from MK University, India and is pursuing a Master's in Software Systems from BITS, Pilani. He has been working as an associate system analyst for Hewlett-Packard, Bangalore. He has more than six years of software experience involving Web services, WS Security, and J2EE technologies. He is currently involved in Web services orchestration and access controllers. He can be reached at email@example.com or G_Ayyapparaj@yahoo.com.