02 WS Security
In this section, we will outline the key principles of web service security: authentication, authorization, data integrity, confidentiality, and non-repudiation.
Authentication: Ensures that users are who they claim to be, typically through mechanisms such as username and password, tokens, or digital certificates.
Authorization: Determines what authenticated users are allowed to do, implementing permissions and access controls to protect resources.
Data Integrity: Validates that data has not been altered or tampered with during transfer, often utilizing hashing algorithms and checksums.
Confidentiality: Protects sensitive information from unauthorized access through encryption techniques and secure communication protocols.
Non-Repudiation: Provides assurance that a sender cannot deny having sent a message and a recipient cannot deny having received it, often achieved using digital signatures and transaction logs.
1. Authentication
Ensures that users are who they claim to be.
Example: When an e-commerce application like E-Mart accesses a bank's payment gateway web service, authentication is the process of verifying E-Mart's identity (e.g., through username and password) before the bank responds.
WS Security Standard Methods for Authentication:
Username Token Profile
X.509 Certificates
SAML (Security Assertion Markup Language): Used for Single Sign-On (SSO), allowing a client to log into one application and access multiple web service providers within an organization without re-authenticating.
2. Confidentiality
Protects sensitive information, such as credit card details or social security numbers, from unauthorized access during transfer. Even if a hacker intercepts the message, WS Security's encryption and decryption mechanisms ensure the data remains unreadable.
Process: Data is encrypted on the client side before sending, and decrypted on the server side upon receipt. The response is also encrypted before being sent back to the client.
3. Data Integrity
Guarantees that the message sent by the client application is exactly the same message received by the server application, preventing any unauthorized alteration or tampering during transfer.
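WS-Security Signatures: Achieved by calculating a hash value of the message using an algorithm before sending it. This hash is included with the message. On the server side, the hash is recalculated and compared with the received hash; a mismatch indicates tampering. The hash must itself be protected by the sender's signature, because an attacker who can alter the message could otherwise replace the hash with a recomputed one.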
4. Non-Repudiation
Provides assurance that a sender cannot deny having sent a message and a recipient cannot deny having received it. It also prevents replay attacks, where a captured, authenticated, and encrypted message is resent multiple times by a hacker to crash an application.
WS-Security Timestamps: Used to prevent replay attacks by ensuring messages are only valid within a specific time frame.
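The timestamp check described above, sketched as server-side Python. This is an added example, not code from any WS-Security toolkit. It goes one step beyond the text by also caching accepted messages, since a copy resent inside the validity window would otherwise still pass. The skew and lifetime limits, the function names, whole-second UTC timestamps, and the sample envelope are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd"}
MAX_SKEW = timedelta(minutes=5)       # assumed tolerance for clock drift
MAX_LIFETIME = timedelta(minutes=10)  # assumed cap on Expires - Created

def parse_utc(text):
    # Timestamps here are UTC xsd:dateTime values such as 2024-05-01T12:00:00Z
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_freshness(envelope_xml, now, seen):
    """Return "ok" or a rejection reason; `seen` maps message digest -> cache expiry.
    Assumes the signature covering wsu:Timestamp was already verified."""
    root = ET.fromstring(envelope_xml)  # use a hardened parser for untrusted XML
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return "missing timestamp"
    try:
        created = parse_utc(ts.findtext("wsu:Created", "", NS))
        expires = parse_utc(ts.findtext("wsu:Expires", "", NS))
    except ValueError:
        return "malformed timestamp"
    if created > now + MAX_SKEW:
        return "created in the future"
    if expires <= created or expires - created > MAX_LIFETIME:
        return "invalid lifetime"
    if now > expires + MAX_SKEW:
        return "expired"
    # Inside the window a copy is still "fresh", so remember what was accepted.
    for key in [k for k, until in seen.items() if until < now]:
        del seen[key]
    digest = hashlib.sha256(envelope_xml.encode()).hexdigest()
    if digest in seen:
        return "replayed"
    seen[digest] = expires + MAX_SKEW
    return "ok"

def sample_envelope(created, expires):
    # Constructed message for the example, not captured from a real service
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}"><soap:Header><wsse:Security><wsu:Timestamp>'
            f'<wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>'
            '</wsu:Timestamp></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')
```

The freshness result is only trustworthy when the Timestamp element is inside the signed portion of the message; an unsigned timestamp can be rewritten by whoever resends the message.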