This chapter layers an information security foundation on top of the essential nature of the Web services established in the preceding chapter. A solid understanding of both is necessary to build secure Web services. Securing Web services requires securing the messages used to communicate between distributed systems and the applications that run on them. Web services add significant complexity to the basic problem of securing distributed systems because Web services employ shared services, and messages may follow multi-hop topologies. Instead of a focus on perimeter or network security, what is needed instead is persistent message-level security that delivers the core security principles of confidentiality, integrity, and non-repudiation to a distributed message-based architecture.
Shared key technologies are the key to confidentiality. Shared key is also referred to as symmetric key or secret key. In shared key encryption, the same key is used to encrypt and decrypt. This means the sender and recipient both need the same key but must find a way to share it and still keep it absolutely secret. Positive attributes of shared key encryption are that it is fast and can handle unlimited message size. However, getting the shared secret key to both ends of the conversation securely is very hard.
Kerberos is an alternative approach to shared keys that is useful only in a closed trust domain where all identities are known. Its importance to Web services security is that when services cross organizational boundaries and therefore cross trust domains, provisions have to be made to map between Kerberos and other trust environments.
Public key technologies are the key to integrity and non-repudiation. Public key encryption is also referred to as asymmetric encryption. Keys come in pairs, where one is used to encrypt and only its mate is used to decrypt messages. This technology is much slower than shared key encryption and is limited to small message sizes. However, it is of critical importance in key exchange to enable shared key encryption, and it is the basis for digital signatures. Public key encryption is used to securely establish secret shared keys in XML Encryption and is the core cryptographic technology used in XML Signature.
Public key encryption is at the heart of digital signatures. Hashing is also a critical security technology in digital signatures. A digital signature is an encrypted message digest of a hashed plaintext message sent along with the signer's public key and the original plaintext message. Signature verification involves using the sender's public key to decrypt the signed message digest and verifying that this exactly matches the locally computed message digest from the plaintext message also sent along. An XML Signature is a digital signature expressed in XML.
Trust issues are prevalent and fundamental to public key technologies. The private key must be kept secret and in the control of its owner without exception. The public key of an unknown identity must be vouched for by a trusted third party. Public keys need containers called digital certificates to transport them. Trusted third parties that issue digital certificates to identified individuals are called certificate authorities (CA). The infrastructure for dealing with CAs, certificates, and keys is called the Public Key Infrastructure (PKI). Numerous complex issues revolve around trusting the trusted third-party CAs. In a certification chain, one CA vouches for and signs the certificate of another CA. Root certificates are self-signed by a CA that is at the root of a certification chain and is so well known that its public keys are pre-installed in servers, browsers, and other repositories where applications can easily access them. A major issue for PKI in the past has been the lack of effective revocation in which the up-to-date validity of a certificate can be checked. This issue becomes even more critical for Web services.
Numerous Web services designed to deliver trust services are emerging. These services will include, but not be limited to, key management services, digital signature services, single sign-on services, access control services, hardware accelerators, and billing and metering.
Secure Socket Layer (SSL) is a mature, tried-and-true transport layer security. It works on HTTP, so it "just works" for Web services. All application servers support SSL. SSL supports two-way authentication, although its more common usage with browsers is one-way. SSL should always be considered first for Web services security because it is effective for message confidentiality in simple point-to-point Web services.
XML Security by Blake Dournaee (McGraw-Hill, 2002).
Web Services: A Technical Introduction by H. M. Deitel, P. J. Deitel, B. DuWaldt, and L. K. Trees (Prentice Hall, 2003).
Applied Cryptography, 2nd edition by Bruce Schneier (John Wiley, 1996).