Welcome to the Oracle Cloud universe!

Web Service Security – Part 1

SOA implemented by Web services adds a new set of requirements to the security landscape:

  • Authentication—Verifying that the user is who she claims to be. A user’s identity is verified based on the credentials presented by that user, such as:
    1. Something one has, for example, credentials issued by a trusted authority such as a passport (real world) or a smart card (IT world).
    2. Something one knows, for example, a shared secret such as a password.
    3. Something one is, for example, biometric information.

    Using a combination of several types of credentials is referred to as « strong » authentication, for example using an ATM card (something one has) with a PIN or password (something one knows).

  • Authorization (or Access Control)—Granting access to specific resources based on an authenticated user’s entitlements. Entitlements are defined by one or several attributes. An attribute is a property or characteristic of a user; for example, if « Marc » is the user, « conference speaker » is the attribute.
  • Confidentiality, privacy—Keeping information secret: the content of a message, for example a Web service request or an email, as well as the identities of the sending and receiving parties, are accessible only to the intended parties. Confidentiality and privacy can be achieved by encrypting the content of a message and obfuscating the sending and receiving parties’ identities.
  • Integrity, non-repudiation—Making sure that a message remains unaltered during transit by having the sender digitally sign the message. The receiver validates the digital signature, which also provides non-repudiation, since only the holder of the signing key could have produced it. The timestamp covered by the signature prevents anyone from replaying the message after its expiration.
In many cases, Web services security tools such as OWSM rely on Public Key Infrastructure (PKI) environments.
A PKI uses cryptographic keys (the parameters of the mathematical functions that encrypt or decrypt data). Keys can be private or public.
In an asymmetric cipher model, the receiving party’s public key is used to encrypt plaintext, and the receiving party’s matching private key is used to decrypt the ciphertext.
Also, a private key is used to create a digital signature by signing the message, and the matching public key is used to verify the signature.
Public-key certificates (or certificates, for short) are used to guarantee the integrity of public keys by binding each public key to the identity of its owner.
Two complementary approaches address these Web service security requirements:

  • Use transport security to protect the communication channel between the Web service consumer and Web service provider.
  • Use message-level security to ensure confidentiality by digitally encrypting message parts; integrity using digital signatures; and authentication by requiring username, X.509, or SAML tokens.
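The replay protection described under integrity above, and the signed message parts of the message-level approach, can be illustrated by a receiver-side check. This is an added example, not code from the original post or from OWSM: it assumes a constructed key, epoch-second timestamps, a hypothetical `MessageID` header, and uses HMAC-SHA256 from the standard library as a stand-in for the X.509 digital signature; the signature must cover the timestamp and message id, not just the body.

```python
import hashlib
import hmac
import json

# Constructed demo key. A WS-Security deployment would use an X.509
# private/public key pair here; HMAC-SHA256 is a standard-library stand-in.
DEMO_KEY = b"constructed-demo-key-not-for-production"
CLOCK_SKEW = 300  # seconds of sender/receiver clock drift tolerated (assumption)


def _canonical(parts):
    """Deterministic serialisation of the signed parts (stand-in for XML canonicalisation)."""
    return json.dumps(parts, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body, created, expires, msg_id, key=DEMO_KEY):
    """Build a signed envelope; the signature covers timestamp and message id as well as the body."""
    parts = {"MessageID": msg_id, "Created": created, "Expires": expires, "Body": body}
    parts["Signature"] = hmac.new(key, _canonical(parts), hashlib.sha256).hexdigest()
    return parts


def verify_message(env, now, seen_ids, key=DEMO_KEY):
    """Return (accepted, reason). seen_ids is the receiver's replay cache (a set of message ids)."""
    unsigned = {k: v for k, v in env.items() if k != "Signature"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env.get("Signature", "")):
        return False, "bad signature"          # body, timestamp or id was altered in transit
    if env["Created"] > now + CLOCK_SKEW:
        return False, "created in the future"  # timestamp outside the tolerated skew
    if env["Expires"] <= now:
        return False, "expired"                # replay attempted after expiration
    if env["MessageID"] in seen_ids:
        return False, "replay"                 # same message seen again inside its validity window
    seen_ids.add(env["MessageID"])             # entries can be evicted once their Expires has passed
    return True, "ok"
```

Because the signature check runs first, an attacker cannot extend the validity window by editing `Expires`; because ids are cached until expiry, a verbatim copy sent inside the window is rejected too.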
