Web Service Security-Introduction

Web Service is widely used by SOA. From the perspective of the current web service applications, the Web Service technology indeed has some significant advantages and has become an important representative of the current distributed technology. A notable feature of Web Service is loose coupling. The discoverability and platform independence of services. The self-descriptive descriptions of interfaces constitute this important feature of Web Services. Due to this feature, Web services are widely used in enterprise information integration, including information integration within the enterprise (information integration of different departments, information Integration Between legacy systems and new systems), including information integration between enterprises. This feature makes it easier and more feasible to form new applications by combining services and services. This is also the reason why Web services are widely used in SOA. When considering enterprise applications, security is a concern. The advantages of web service make security problems more challenging than ever before. Because Web services are widely used in inter-enterprise interaction, security boundaries are extended from the Intranet to the Internet, and security risks are also greatly increased. The idea of Service combination in SOA is as follows, this makes web service applications more dynamic. Service creators often cannot predict the environment in which the service will be used (such as the security authentication method used, in this case, it is more complicated to implement secure service access. At the same time, because Web services use XML-based and self-descriptive messages (in message-oriented mode, messages, even business entities), so how to ensure the security of messages has become a concern of Web Service Security. When we consider security issues, there are three fundamental concepts: confidentiality (confidentiality), integrity (integrity), authentication (Identity Authentication ). Confidentiality: confidentiality. Except for specific recipients, others cannot view the message content. The key (symmetric and asymmetric) is used to encrypt the message, thus ensuring the confidentiality of the message. Integrity: integrity. Ensure that the message is not modified during transmission. That is, the message held by the message recipient is exactly the same as the message sender. After the message is Digest (Digest), the key (symmetric, asymmetric) is used to encrypt the digest, thus ensuring message integrity. Authentication: identity authentication. Determine that the identity of the message sender is consistent with the user identity claimed in the message. The simplest way is to allow the user to send both the user name and password, and the recipient confirms the validity of the password to determine whether the user's identity is consistent with that represented by the user name. However, in actual applications, it is usually not so simple. The key is often used to encrypt a piece of information, and the receiver decrypts the information to confirm the identity. For example, in Kerberos protocol, a symmetric key is used to encrypt user identity information. The encrypted information is called an authenticator. The service provider decrypts the message to compare the identity with the identity in ticket to confirm the sender's identity. Message digests (Digital Signatures) encrypted by private keys (asymmetric keys) can also be used for identity authentication by message senders.
 

Note

From the above description, we can see that asymmetric keys often appear at the same time. For example, in confidentiality, we can use any one to encrypt messages. In integrity, they can also be used to encrypt summaries. So how can we determine which one to use for an interesting question?

Because the encryption and decryption speed of symmetric keys is much faster than that of asymmetric keys (about 1000 times), symmetric keys are generally used to encrypt messages. But one problem is how to publish symmetric keys? How do two unconnected users establish a shared key on the network? In this case, PKI is required to help us establish the shared key-that is, the Public Key in the asymmetric key is used to encrypt the shared key and transmit it to the owner of the private key. Therefore, we can conclude that symmetric keys encrypt common information and asymmetric keys encrypt symmetric keys. In integrity, the private key of an asymmetric key is used to encrypt the abstract. The result is a well-known digital signature (digital signature ). the HMAC (Hash Message Authentication codes) is obtained by using the symmetric key encryption digest ). While ensuring message integrity, they all have the identity authentication function. However, the former also has the anti-denial function, which is often indispensable in e-commerce, so everyone is more familiar with the former. Note: In confidentiality, asymmetric keys are encrypted with public keys and decrypted with private keys, While asymmetric keys are used in integrity. Web services have been widely used. How can we solve the security problem of Web Services? Before WS-Security is used, the security of the transport layer provided by HTTPS is used to ensure the security of web services running on this layer. From the previous security technology introduction, we can see that the most important thing to achieve Web Service Security is to allow service requestors and service providers to share a secret (symmetric key ). with a symmetric key, you can use it to encrypt messages to ensure their confidentiality (confidentiality). You can also use it to encrypt summaries to ensure message integrity and use it for identity authentication, this can be seen from both Kerberos and SSL protocols. In the Kerberos protocol, we introduce a third party (kdc) to publish keys. Initially, a key exists between service requestor (R) and KDC (K), and a key exists between KDC (K) and service provider (P. Then K generates the session key between R and P, which is encrypted with the key of R and P and then transmitted to them, in this way, R and p each have their own key (the session key generated by K) securely after decryption ). While SSL uses the Public Key Technology of PKI to implement key transfer, r first sends a greeting to P, and then P sends his certificate (certificate: contains the user name and the public key of the user, and signed by the CA) is sent to R. R generates keys between them, and then uses the public key of P in the certificate to encrypt the key and pass it to P, so that R and P have a secure key. HTTPS ensures the security of web services through this key (Our password is most often used for encryption ). It seems that SSL is relatively simple, but it is implemented based on PKI, while PKI is a complicated security infrastructure. However, due to the initial prerequisites, Kerberos often limits its applications to the network within an organization. Although HTTPS is widely used in Web Services to ensure security, this method also has many disadvantages, especially in the increasingly complex web service security requirements. 1. HTTPS provides point-to-point security protection, and Web Services feature that messages are usually delivered to the final service provider through multiple intermediaries. Each intermediary may also process messages, in other words, it requires end-to-end protection. This is obviously not provided by HTTPS. 2. HTTPS provides security at the transmission layer, not at the message layer, that is, only messages are available during transmission (encrypted ), once the destination is reached, it is in plain text. For example, important information can be stolen from the message queue. 3. After a shared key is established in https, the digital signature technology is not used for message transmission, so the anti-denial capability cannot be obtained. This is indispensable in e-commerce. 4. Because HTTPS provides the security of the transport layer, it is impossible to meet the flexibility required by message security. For example, encrypt some elements in a message, encrypt different parts of the message with different keys, so that different message recipients can view the corresponding information. Therefore, in order to meet the special security requirements of Web Services, companies such as IBM and MS have jointly formulated WS-Security specifications. Review three concepts of security: confidentiality (confidentiality), integrity (integrity), authentication (Identity Authentication), using SOAP (XML format) in Web Services) as a message transmission protocol, XML Digital Signature, XML encryption, and SAML (Security token in XML format) are generated respectively ), WS-Security combines them to meet the security requirements of Web Services.

The relevant content will be provided later.

References:
<Securing web services with WS-Security>

<Web service security scenarios, patterns, and implementation guidance
For Web Services enhancements (WSE) 3.0>

Recommended materials:
Performance Comparison: Security Design Selection

Series of articles