Information Technology Reference
In-Depth Information
2 Status Analysis of Web Service Security
Key capability of Web service is to provide an integrated, comprehensive, interactive,
and easily integrated solution. Currently, SSL (Secure Socket Layer) and TLS
(Transport Layer Security) is used to provide Web services security in transport layer.
SSL/TLS in point to point session can complete such requests, including auditing,
data integrity, and confidentiality. IPSec in network layer is an important standard for
Web service security. Similarly with SSL/TLS, it also provides host audit
authentication, data integrity and data confidentiality functions. Since SSL/TLS is a
point to point security transmission solving solution, while for the end to end security
transmission solving solution, many standardization organizations, companies and
research institutions home or abroad all research XML-based security standards of
Web Services. Currently, the proposed XML security agreements are: XML Digital
Signature, XML Encryption, SAML (Security Assertion Markup Language), XACML
(Extensible Access Control Markup Language), XML Key Management
Specification, SOAP security extensions, etc. Apart from these XML security
protocols, the most authoritative and comprehensive security problem of Web service
was Web service security specifications/WS-Security which was jointly put forward
by Microsoft, IBM, and VeriSian Company in Apr. 2002. This is a mechanism that
can guarantee the safe exchange of SOAP message. WS-Security particularly
describes the enhancement to the existing SOAP information transmission, providing
protection level by recognizing the application integrity of SOAP information,
message confidentiality and single message authentication. These basic mechanisms
can be combined in various ways to build multiple security models that used a variety
of encryption technologies. WS-Security is primarily a standard in XML-based secure
metadata container, having secure sockets layer SSL
Secure Socket Layer
, XML
Encryption, XML Signature [1,2].
WS-Security specification itself neither proposes a new encryption algorithm or
security model, nor provides a complete security solution, so WS-Security itself does
not guarantee safety. It merely provides a framework; users are freely to combine
Web service protocol, application layer protocol, a variety of encryption and security
model to achieve message integrity, confidentiality and message authentication under
Web service environment. Achieved WS-Security does not mean that an application
system will not be attacked, nor means that security will not be threatened.
Therefore, factors that will possible affect the security of Web service are: how to
identify the identification of communication parties (personal identification and
verification); how to send message without seen by unauthorized person, or get (data
confidentiality); how to ensure that the message received has not been modified (data
integrity); how to ensure legitimate users to operate within a specified range
(authorization and access control); how to ensure that the sender can not deny he send
the message (undeniable).
Search WWH ::
Custom Search