WHO DO YOU TRUST TO SECURE WEB SERVICES? The evolution of technology has placed important and often critical business services squarely in the middle of the Information Superhighway. While this trend is great for accessibility and interoperability, it creates an environment that is far from secure. The foundation of security is trust. Who do you trust to secure your Web services? OVERVIEW There are three major components of security. Authentication is the process of verifying that someone is who they say they are. A passport or driver's license is a common form of offline authentication. Authorization is the process of allowing a person or group a set of permissions or rights. This is the same process that allows "Employees Only" to enter the back kitchen of a restaurant. Finally, encryption is the process of hiding or obfuscating information (so that it isn't compromised while in transit). If you've ever had a magic decoder ring, then you know how this works. In order to secure Web services, it's necessary to address each of these components. You don't want just anyone using your Web services. Various methods are used to secure Web services. We'll look at a few of them. PASSWORD AUTHENTICATION Password authentication is one of the oldest methods of authentication. Most password authentication consists of two parts--an identifying name and the password itself. By knowing the password, you are implying that you "authentically" match the identification you are using; in other words, you are who you say you are. The problem with password authentication is that it's extremely easy to forge or falsely use an identifying name and password to pretend to be someone else. The reason for this is that many people use passwords that are easy to guess, such as a spouse's name, a pet's name, a birthday, an anniversary, or something else that's equally obvious. In cases where the password is more difficult to guess, it's possible to discover it through the dishonest practice of social engineering. HTTPS AND SSL Based on a technology called Secure Sockets Layer (SSL), HTTPS is the "secure" version of the Hypertext Transfer Protocol. SSL provides an encrypted TCP connection to the Web server (usually based on 56-bit or 128-bit keys). This encryption protects Web service communication across an SSL connection. There are a few issues with using HTTPS and SSL. First, there is a significant performance difference between HTTP and HTTPS; the encryption and decryption process takes more time than simply sending raw messages. Also, SSL only protects messages while they are in transit from the client to the Web server and back to the client; SSL cannot protect information sitting on the server or on the client. Finally, because SSL only provides point-to-point encryption rather than an end-to-end solution, it doesn't work as well for transactions where a message will be passed to multiple services. XML SIGNATURE AND XML ENCRYPTION In previous tips, we discussed the XML Signature and XML Encryption technologies developed by the World Wide Web Consortium (W3C) to address general issues of XML document security. These technologies can also be applied to Web services, because Web service data is based on XML documents. When transmitting data to and from Web services, digital signatures can protect the messages using XML Signature. This preserves the integrity of messages between two end points without the need to encrypt the data. If the data must be kept confidential while in transit, it can be encrypted using XML Encryption, which transforms data into a cipher. The cipher is an encrypted representation of the data, which is useless without the proper key to decrypt it. NEW TECHNOLOGIES Because XML and Web service technologies continue to evolve, new security options are becoming available. This includes the XML Key Management System (XKMS), a system for managing public keys that incorporates key registration and distribution. It also includes the Security Assertion Markup Language (SAML), which allows multiple systems to share security and authentication information, thereby improving the performance of secured Web services. Finally, it includes the Extensible Access Control Markup Language (XACML), which provides an XML solution to issues of authorization using Digital Rights Management (DRM) and other access control policies. Brian Schaffner is a senior consultant for Fujitsu Consulting. He provides architecture, design, and development support for Fujitsu's Telcom360 group. ----------------------------------------