Web Services Security (WS Security)
Definition - What does Web Services Security (WS Security) mean?
Web Services Security (WS Security) is a specification that defines how security measures are implemented in web services to protect them from external attacks. It is a set of protocols that ensure security for SOAP-based messages by implementing the principles of confidentiality, integrity and authentication.
Because web services are independent of any particular hardware or software implementation, WS-Security protocols need to be flexible enough to accommodate new security mechanisms and to provide alternative mechanisms when one approach is not suitable. Because SOAP-based messages traverse multiple intermediaries, the security protocols need to be able to identify fake nodes and prevent the message data from being read at any of those nodes. WS-Security combines the best available approaches to different security problems by letting the developer choose a particular security solution for each part of the problem. For example, the developer can select digital signatures for non-repudiation and Kerberos for authentication.
Techopedia explains Web Services Security (WS Security)
The aim of WS-Security is to ensure that communication between two parties is not intercepted or read by an unauthorized third party. The receiver needs to be assured that the message was indeed sent by the claimed sender, and the sender should be assured that the receiver cannot deny having received the message. Finally, the data sent during communication should not be altered by an unauthorized source. All security-related data is carried in the SOAP header, so enabling these security mechanisms imposes a considerable overhead on the construction of each SOAP message.
WS-Security SOAP Header:
The developer is free to choose any underlying security mechanism or set of protocols to achieve this goal. Security is implemented through a header consisting of a set of key-value pairs whose values change according to the underlying security mechanism in use. This header is what allows the receiver to establish the caller’s identity. If a digital signature is used, the header describes how the content was signed and where the key used to sign the message can be found.
Information related to encryption is also stored in the SOAP header. Elements in the header carry an ID attribute so that they can be referenced, which simplifies processing. A timestamp provides an additional level of protection against attacks on message integrity: when a message is created, it is given a timestamp recording its creation time, and further timestamps record when the message expires and when it was received at the destination node.
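The header and timestamp handling described above, as an added example that is not code from the page or from any WS-Security implementation: the sender wraps a body in a SOAP envelope whose wsse:Security header carries a wsu:Timestamp with Created and Expires (each element tagged with a wsu:Id so a signature could later reference it), and the receiver refuses messages whose timestamp is missing, malformed, expired or dated in the future. The namespace URIs are the OASIS WS-Security 1.0 ones; the sample body, times and the 60-second clock-skew allowance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Namespace URIs from the OASIS WS-Security 1.0 specification.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)

# Constructed sample values (assumptions for this example, not from the page).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_BODY = '<GetBalance xmlns="urn:example:bank"><account>42</account></GetBalance>'


def _to_xsd(ts: datetime) -> str:
    """Render a datetime as the UTC xsd:dateTime form WS-Security uses."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _from_xsd(text: str) -> datetime:
    """Parse a UTC xsd:dateTime, tolerating fractional seconds."""
    text = (text or "").strip()
    if not text.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z")
    base = text[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_envelope(body_xml: str, created: datetime, ttl_seconds: int = 300) -> bytes:
    """Sender side: wrap body_xml in a SOAP envelope whose wsse:Security header
    carries a wsu:Timestamp with Created and Expires."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    # mustUnderstand="1": a receiver that cannot process this header must fault.
    security.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    ts = ET.SubElement(security, f"{{{WSU_NS}}}Timestamp")
    # wsu:Id lets a signature reference this element; that reference is what
    # binds the timestamp to the message once signing is added.
    ts.set(f"{{{WSU_NS}}}Id", "TS-1")
    ET.SubElement(ts, f"{{{WSU_NS}}}Created").text = _to_xsd(created)
    ET.SubElement(ts, f"{{{WSU_NS}}}Expires").text = _to_xsd(
        created + timedelta(seconds=ttl_seconds))
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8")


def check_timestamp(envelope: bytes, now: datetime, max_skew_seconds: int = 60) -> tuple:
    """Receiver side: accept only if the wsu:Timestamp is present, well formed,
    not yet expired and not dated in the future (allowing for clock skew).
    Returns (accepted, reason)."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return False, "malformed XML"
    ts = root.find(f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSU_NS}}}Timestamp")
    if ts is None:
        return False, "missing wsu:Timestamp"
    created_el = ts.find(f"{{{WSU_NS}}}Created")
    expires_el = ts.find(f"{{{WSU_NS}}}Expires")
    if created_el is None or expires_el is None:
        return False, "Timestamp lacks Created or Expires"
    try:
        created, expires = _from_xsd(created_el.text), _from_xsd(expires_el.text)
    except ValueError:
        return False, "unparseable timestamp"
    skew = timedelta(seconds=max_skew_seconds)
    if expires <= created:
        return False, "Expires is not after Created"
    if created > now + skew:
        return False, "Created is in the future"
    if expires <= now - skew:
        return False, "message expired"
    return True, "ok"


def demo() -> dict:
    """Exercise the sender and receiver paths against SAMPLE_NOW."""
    env = build_envelope(SAMPLE_BODY, SAMPLE_NOW - timedelta(seconds=10))
    return {
        "fresh": check_timestamp(env, SAMPLE_NOW),
        "expired": check_timestamp(env, SAMPLE_NOW + timedelta(minutes=10)),
        "future": check_timestamp(env, SAMPLE_NOW - timedelta(minutes=10)),
        "no_header": check_timestamp(b"<x/>", SAMPLE_NOW),
    }


if __name__ == "__main__":
    print(build_envelope(SAMPLE_BODY, SAMPLE_NOW).decode())
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On its own a timestamp only bounds how long a captured message stays usable; it stops replay only once the Timestamp element is covered by the signature, which is why the example gives it a wsu:Id.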
WS-Security Authentication Mechanisms
- Username/Password approach: The username and password combination is one of the most basic authentication mechanisms and is analogous to HTTP Basic and HTTP Digest authentication. The username token element carries the user's credentials for authentication. The password can be transported in plain text or in digest form; in the digest approach the password is hashed with SHA-1 rather than sent in the clear.
- X.509 approach: This approach identifies the user through a public key infrastructure that maps an X.509 certificate to a particular user. More security can be added by using a public key and a private key to encrypt and decrypt the X.509 certificate. To ensure that messages are not replayed, a time limit can be set so that messages arriving after a certain elapsed duration are declined.
- Kerberos: The concept of a ticket forms the underlying mechanism of Kerberos. The client first authenticates to a key distribution center (KDC) using a username/password combination or an X.509 certificate. On successful authentication, the user is granted a ticket granting ticket (TGT). Using the TGT, the client then contacts the ticket granting service (TGS); at this point the first two steps, identification and authorization, are complete. The client requests a service ticket (ST) for a particular resource from the TGS and, once it is granted, uses the ST to access the service.
- Digital Signature: XML signatures are used to protect the message from modification and interpretation. The signing must be performed by a trusted party or the real sender.
- Encryption: XML encryption is used to protect data from interpretation by making it unreadable to an unauthorized third party. Both symmetric and asymmetric approaches can be used.
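The digest form of the Username/Password approach, as an added example that is not code from the page or from any WS-Security library: the client builds the fields of a wsse:UsernameToken whose PasswordDigest is Base64(SHA-1(nonce + created + password)) as the UsernameToken Profile 1.0 defines it, and the server recomputes that digest, compares it in constant time, bounds the token's age and rejects a reused nonce. The sample user, password and clock are constructed assumptions, and the password lookup callback stands in for whatever credential store a real service would use.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumptions for this example, not from the page).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_USERS = {"alice": "correct horse battery staple"}
XSD_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest as defined by the UsernameToken Profile 1.0:
    Base64( SHA-1( nonce + created + password ) ), where the nonce is the
    decoded bytes and created is the xsd:dateTime text exactly as sent."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(username: str, password: str, created_at: datetime) -> dict:
    """Client side: the fields of a wsse:UsernameToken with Type=PasswordDigest.
    A fresh random nonce is generated for every message."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = created_at.astimezone(timezone.utc).strftime(XSD_FMT)
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "PasswordDigest": password_digest(nonce_b64, created, password),
    }


class UsernameTokenVerifier:
    """Server side. lookup_password(username) must return the stored password
    (or None): verifying the digest needs the password itself, so this scheme
    cannot be combined with one-way password hashing on the server."""

    def __init__(self, lookup_password, freshness_seconds: int = 300, skew_seconds: int = 60):
        self._lookup = lookup_password
        self._freshness = timedelta(seconds=freshness_seconds)
        self._skew = timedelta(seconds=skew_seconds)
        self._seen = {}  # accepted nonce -> time after which it can be forgotten

    def verify(self, token: dict, now: datetime) -> tuple:
        created_text = token.get("Created", "")
        try:
            created = datetime.strptime(created_text, XSD_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "missing or malformed Created"
        if created > now + self._skew:
            return False, "Created is in the future"
        if created < now - self._freshness:
            return False, "token too old"
        # Forget nonces whose freshness window has passed, then reject any
        # nonce already accepted: the same nonce and Created means a replay.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        nonce = token.get("Nonce", "")
        if not nonce or nonce in self._seen:
            return False, "missing or replayed nonce"
        stored = self._lookup(token.get("Username", ""))
        try:
            # Recompute even for unknown users so response time does not
            # reveal which usernames exist.
            expected = password_digest(nonce, created_text, stored or "")
        except ValueError:
            return False, "malformed nonce"
        presented = token.get("PasswordDigest", "")
        if stored is None or not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "bad credentials"
        self._seen[nonce] = created + self._freshness + self._skew
        return True, "ok"


def demo() -> dict:
    """Run the verifier over a good token, a replay, a wrong password,
    an unknown user and a stale token."""
    verifier = UsernameTokenVerifier(SAMPLE_USERS.get)
    good = make_token("alice", SAMPLE_USERS["alice"], SAMPLE_NOW)
    bad_pw = make_token("alice", "not her password", SAMPLE_NOW)
    unknown = make_token("mallory", "anything", SAMPLE_NOW)
    stale = make_token("alice", SAMPLE_USERS["alice"], SAMPLE_NOW - timedelta(hours=1))
    return {
        "good": verifier.verify(good, SAMPLE_NOW),
        "replay": verifier.verify(good, SAMPLE_NOW),
        "bad_pw": verifier.verify(bad_pw, SAMPLE_NOW),
        "unknown_user": verifier.verify(unknown, SAMPLE_NOW),
        "stale": verifier.verify(stale, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The digest keeps the password itself off the wire, but it is only as strong as the nonce cache and the freshness window: without them a captured token is accepted again for as long as its Created time is within range, and a reversible password store is still required on the server.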
WS-Security allows existing security mechanisms to be leveraged as appropriate, avoiding the overhead of building new mechanisms.