Core XML and Web Service Security Specifications
Core XML and Web Service Security Specifications
Prior to the drafting of the WS-Security and WS-Security Addendum specifications, which I will discuss in detail shortly, two specifications were proposed to secure XML data. These two XML security standards, known as XML-Signature Syntax and Processing (XML Signature) and XML Encryption Syntax and Processing (XML Encryption), have been recommended by the World Wide Web Consortium (W3C) and were leveraged as cornerstones of the WS-Security specification. Since these specifications are fundamental to the implementation of many security specifications, including WS-Security, I will discuss them before moving on to WS-Security.
XML Encryption
As with HTML, one of the major strengths of XML turns out to be one of its major security weaknesses, namely that the plaintext nature of XML makes it trivial for hackers to interpret messages that they intercept. As I mentioned earlier, the generally accepted method to prevent messages from being intercepted and read involves using a transport-level encryption scheme such as IPSec or SSL, which prevents attackers from being able to read message data. The drawback of this solution is that a Web service must decrypt the entire message in order to determine what it needs to do with it. In cases in which a service is merely intended to forward the message to a final recipient, a better solution is to encrypt only the critical message elements while leaving unencrypted the SOAP headers that must be accessed during transit. For example, consider the following example of a SOAP message fragment from a credit card transaction:
<Order Type="Purchase">
<UserName>
<LastName>Smith</LastName>
<FirstName>Joseph</FirstName>
</UserName>
<Payment Type="CreditCard">
<CreditCard Type="Amex">
<CardNumber>123456789123456</CardNumber>
<ExperationDate>1108</ExperationDate>
</CreditCard>
</Payment>
</Order>
Rather than being forced to encrypt the entire message transport, much of which might include other information that doesn t need to be secured, you can use the methods specified by the XML Encryption protocol to encrypt only the critical parts of the message, such as the CreditCard element. You might also choose to encrypt the entire Payment element, or even the entire Order or Body element. The following shows an example of the same XML fragment with the CreditCard element encrypted:
<Order Type="Purchase">
<UserName>
<LastName>Smith</LastName>
<FirstName>Joseph</FirstName>
</UserName>
<Payment Type="CreditCard">
<EncryptedData Type=
EAN: 2147483647
Pages: 79
- Chapter I e-Search: A Conceptual Framework of Online Consumer Behavior
- Chapter IV How Consumers Think About Interactive Aspects of Web Advertising
- Chapter VI Web Site Quality and Usability in E-Commerce
- Chapter VII Objective and Perceived Complexity and Their Impacts on Internet Communication
- Chapter XVIII Web Systems Design, Litigation, and Online Consumer Behavior
- Dividing a Large named.conf File into Multiple Files
- Configuring DNS to Let Clients Find the Closest Server
- Configuring Mail to Go to One Server and the Web to Another
- Configuring the Order in Which a Resolver Uses DNS, /etc/hosts, and NIS
- Configuring a Name Server to Send Queries from a Particular IPv6 Address