Section 19.6. Security


It takes a good deal of trust to rely on a Web service from outside your company, possibly from a supplier who is known only to your computer! In fact, the software industry may have to scale back its (revenue) hopes and ambitions for Web services for precisely that reason.

But it's not going to quit without trying, so there has been a flurry of development in security standards and tools. Two security issues that are vital for Web services messages concern hiding them from prying eyes and verifying whom they're from: encryption and identification.

19.6.1 Encryption

You may have created a ZIP archive with a tool that gives you the option of protecting the archive with a password. If you send such a password-protected archive to a friend, he'll be prompted for the password in order to open the archive. Without the password, the archive is indecipherable.

In cryptographic terms, that password is a key with which the sending system encrypts the ZIP archive. Since the sender and recipient both use the same key, the process is called symmetric cryptography – the fastest kind.

The problem with symmetric cryptography is communicating the key. How can you do that securely? You could encrypt it, but then you would need to transmit the key that protects the original key just as securely, and so on.

And what if the key is stolen?

A popular solution to this, er, key problem is called public key cryptography, which is asymmetric cryptography. Instead of a single symmetric key, shared by both parties, there is a mathematically-related pair of keys. You keep your own private key and you distribute a related public key to your friends so they can send you encrypted email. They encrypt their messages to you by using your public key, but you decrypt them using your private key.[7]

[7] At least that's the way it seems, but because symmetric cryptography is so much faster, the sender's software actually encrypts the message with a randomly-generated symmetric key. It then encrypts the symmetric key with your public key so your software can decrypt it with your private key, and then use the decrypted symmetric key to decrypt the message. Whew!

A system for deploying public key cryptography is called a public key infrastructure (PKI). It requires a means of managing public keys. The certificates that are the cause of so many mysterious messages from your Web browser are actually descriptions of public keys, digitally signed by a Certification Authority (CA).
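The hybrid scheme that footnote 7 describes can be seen end to end in a few dozen lines. The following is an added example written for this edition in Go using only its standard library; it is not code from the book or from any Web services toolkit. The Envelope type, the Seal and Open functions and the sample order document are all constructed for the illustration. The bulk message is encrypted under a fresh random AES-256 key (the fast symmetric step), and the only thing the slow public key operation ever touches is that 32-byte key, which is wrapped with RSA-OAEP under the recipient's public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels over the wire: the message encrypted under a
// one-time symmetric key, plus that key encrypted under the recipient's
// public key. (Structure constructed for this example.)
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// Seal encrypts msg for the holder of pub, the way footnote 7 describes.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	// Step 1: a random symmetric key; the bulk encryption happens under it.
	symKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, symKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)

	// Step 2: the slow public key operation only ever sees the 32-byte key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal with the recipient's private key: unwrap the symmetric
// key, then use it to decrypt the message.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM's authentication tag makes any change to the ciphertext fail here,
	// so the recipient never acts on a message that was altered in transit.
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt message: %w", err)
	}
	return pt, nil
}

func main() {
	// The recipient's key pair; in practice the public half would come from a
	// certificate signed by a CA, as the PKI paragraph describes.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("<order><item>widget</item></order>") // constructed sample document
	env, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

Note that the nonce and wrapped key are sent in the clear: neither is secret, only the symmetric key itself is, and it is protected by the recipient's public key. A recipient holding a different private key cannot unwrap it, and an altered ciphertext is rejected by the authentication tag before any plaintext is returned.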

19.6.2 Identification

One of the most basic security questions is "Who goes there?" – the question of user identification.

For documents, the classic means of identification is the signature. The signed name provides identification and the uniqueness of handwriting provides a (less-than-perfect!) means of authentication.

Just as in the written world, the digital signature is intended to identify and authenticate the author of a machine-readable document. The authentication is provided by public key encryption – but operating in reverse! A digital signature is encrypted with the signer's private key and decrypted with the public key.

XML Signature is a W3C specification for representing digital signatures in XML. With XML Signature, it is possible to attach signatures to any object, whether it be XML or binary, standardized or proprietary.

When you sign a printed contract, your signature goes on the last or only piece of paper of the contract (and perhaps you also initial every page). That way, the signature cannot be shifted to a different contract from the one you signed originally. This procedure maintains the integrity of the signed contract.

Similarly, an XML signature is generated in a way that binds it to a single object. The receiver can check that the object has not changed by looking at a summary (hash) of it embedded in the signature. The digital signature acts as a seal, but without the messy hot wax!

The receiver can also, of course, use the sender's public key to check that the signature was generated by his private key. If both tests are successful, then the recipient has got exactly the message that was signed and knows exactly who sent it.

Just as with printed signatures, digital signatures serve as a basis for non-repudiation. In other words, they prove that you endorsed the signed content. If you claim that you did not agree to a (digital) contract that has your (digital) signature, you had better have proof that your (private) key was stolen!
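The two checks the text describes (has the object changed, and was the signature made with the matching private key) are shown below in an added example written for this edition in Go with its standard library. It is not the book's code and it is not an XML Signature implementation; the Signed struct merely carries the same two pieces of information an XML Signature carries about its object, a digest and a signature value, and its field names, the Sign and Verify functions and the sample contract are constructed for the illustration. The digest is SHA-256 and the signature is RSA-PSS over that digest.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signed holds a document together with the two things a digital signature
// binds to it: a digest (hash) of the document and a signature over that
// digest. (Struct constructed for this example; not the W3C schema.)
type Signed struct {
	Object    []byte // the document itself
	Digest    []byte // SHA-256 of Object
	Signature []byte // RSA-PSS signature over Digest, made with the private key
}

// Sign computes the digest of object and signs it with the author's private key.
func Sign(priv *rsa.PrivateKey, object []byte) (*Signed, error) {
	digest := sha256.Sum256(object)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Signed{Object: object, Digest: digest[:], Signature: sig}, nil
}

// Verify runs the two tests from the text and reports which one failed.
func Verify(pub *rsa.PublicKey, s *Signed) error {
	// Test 1, integrity: does the object still match the digest that was signed?
	fresh := sha256.Sum256(s.Object)
	if !bytes.Equal(fresh[:], s.Digest) {
		return fmt.Errorf("integrity check failed: object was altered after signing")
	}
	// Test 2, authenticity: was this digest signed by the private key that
	// matches pub? This also catches an attacker who alters the object and
	// recomputes the digest, because the signature no longer covers that digest.
	if err := rsa.VerifyPSS(pub, crypto.SHA256, s.Digest, s.Signature, nil); err != nil {
		return fmt.Errorf("authenticity check failed: %w", err)
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	contract := []byte("<contract>Pay 100 on delivery</contract>") // constructed sample
	s, err := Sign(priv, contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", Verify(&priv.PublicKey, s))

	// The "seal" breaks if the document changes by even one character.
	altered := *s
	altered.Object = []byte("<contract>Pay 1000 on delivery</contract>")
	fmt.Println("altered: ", Verify(&priv.PublicKey, &altered))

	// Moving the signature onto a different contract fails too.
	other, _ := Sign(priv, []byte("<contract>Deliver nothing</contract>"))
	moved := &Signed{Object: other.Object, Digest: other.Digest, Signature: s.Signature}
	fmt.Println("moved:   ", Verify(&priv.PublicKey, moved))
}
```

Verify deliberately reports the integrity failure and the authenticity failure separately: the first tells the recipient the document they hold is not the one that was signed, the second that whoever signed it did not hold the private key matching the public key they trust. Only when both pass does the recipient have exactly the signed message and know who signed it.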

XML in Office 2003: Information Sharing with Desktop XML
ISBN: 013142193X
Year: 2003
Pages: 176

flylib.com © 2008-2017.