- Information Security In General
- Securing XML Documents: XML Signature, XML Encryption
- Applying XML Security to Web Services: Web Services Security
- Using XML and Web Services for Security
Applying XML Security to Web Services: Web Services Security
How can we leverage these XML security specifications in Web services? One answer to this question is the WS-Security specification which was proposed jointly by IBM, Microsoft, and VeriSign on April 11, 2002. This specification proposes a standard way to use XML Signature and XML Encryption in SOAP messages. In particular, it defines the <wsse:Security> header block to carry all security-related information regarding the message. By properly associating trust relationshipssuch as public key infrastructure (PKI) or KerberosWS-Security, together with XML Signature and XML Encryption, you provide end-to-end protection of your messages.
By "end-to-end," I mean that security is not compromised, even if there is an intermediary along the communication path. This configuration is common in cases in which the Web service is located in a private network and cannot be directly reached by a single transport connection. An intermediary is responsible for routing messages to the final destination. In this case, even if you use SSL/TLS for the communications at both ends of the intermediary (that is, between the requester and the intermediary and between the intermediary and the Web service), the intermediary can still see and modify the contents of the message.
On the other hand, WS-Security works at the message layer, not at the transport layer, so the message is protected, regardless of the existence of the intermediary or the transport used in each connection (see Figure 1).
Figure 1 Hop-by-hop security versus end-to-end security.
As discussed previously, XML Signature and XML Encryption are used to protect SOAP messages. (An example message is shown in Figure 2). In this case, the message body is signed by the key contained in a Kerberos ticket (here, HMAC is used as a signature algorithm) and is then encrypted by the same key. The WS-Security specification is quite flexible, so it allows the use of other security tokens, such as X.509 certificates for binding keys to signature and encryption. It also allows tokens to carry other security-related information, such as authentication and authorization information.
Figure 2 Sample protected SOAP envelope.
This is a very important step toward interoperable security solutions for Web services. At the same time WS-Security was published, IBM and Microsoft published a roadmap document that describes what other specifications will be developed on top of WS-Security.