XML Security Standards in Action
"Once you've chosen good cryptographic algorithms and standards, avoiding errors of implementation and deployment is the most important aspect of achieving real security," said Kermaier. To help developers avoid such missteps, he outlined the four main aspects of Web services security in which each of the XML standards can be used:
- Data integrity: ensuring data wasn't modified in transit (XML signature and XML encryption)
- Data confidentiality: ensuring data is visible only to the intended recipient (symmetric and public key encryption)
- Key management: ensuring reliable key distribution (traditional and proprietary PKI schemes)
- Authentication/identity management: ensuring users of the service are who they claim to be (SAML, Liberty Alliance, access controls, and user directories)
Data Integrity and Confidentiality
Developers traditionally have relied on SSL to provide the transport layer security (TLS) that supports data integrity and confidentiality. In the realm of Web services, however, TLS comes up a little short. TLS for a Web service is an all-or-nothing proposition: it doesn't allow developers to apply different levels of security to different parts of a document. TLS also doesn't protect data once it is persisted, nor does it leave an audit trail. And because TLS is point-to-point, chained services and workflow applications, in which a message passes through several intermediaries, are left out.
The solution Kermaier proposes is moving security inside the message document with XML signature and XML encryption, which developers can use to protect non-XML data as well. These standards allow developers to sign and encrypt elements within a document, and Kermaier believes that "developers who are already doing message-level processing, such as SOAP header inspection, should not find adding message-level security conceptually difficult." He added, "encapsulating the security services in modular components allows changes and updates to be applied with minimal disruption of the code that implements an application's business logic."
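As an added illustration of what moving integrity into the message buys (this is not code from the talk or from any XML Signature toolkit), the following Python sketch protects a single element of a SOAP-style envelope with a shared-key HMAC over its canonical form, so that intermediaries can rewrite unsigned parts without breaking the check; XML Signature proper uses a public-key signature and the XMLDSig element set. The envelope layout, element paths and key are constructed for the example.

```python
"""Element-level integrity in an XML message: simplified stand-in for
XML Signature (HMAC over Exclusive C14N of one element, using only the
standard library).  Shared key and sample message are constructed."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: the <Order> must reach the final recipient unmodified,
# although each routing hop rewrites the <Route> header on the way.
MESSAGE = """<Envelope>
  <Header><Route hop="gateway"/></Header>
  <Body><Order id="po-42"><Item sku="A1" qty="3"/></Order></Body>
</Envelope>"""

KEY = b"demo-shared-key"  # constructed for the example, never a real key


def _digest(elem: ET.Element) -> bytes:
    """Hash the canonical form of one element, so attribute order and
    surrounding whitespace do not change the result."""
    elem = copy.copy(elem)
    elem.tail = None  # tostring() would otherwise include the tail text
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return hashlib.sha256(c14n.encode()).digest()


def sign_element(xml_text: str, path: str) -> str:
    """Attach a <Signature ref=path> header carrying an HMAC of that element."""
    root = ET.fromstring(xml_text)
    tag = hmac.new(KEY, _digest(root.find(path)), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root.find("Header"), "Signature", ref=path)
    sig.text = tag
    return ET.tostring(root, encoding="unicode")


def verify_element(xml_text: str) -> bool:
    """Recompute the HMAC over the referenced element; constant-time compare."""
    root = ET.fromstring(xml_text)
    sig = root.find("Header/Signature")
    if sig is None or sig.get("ref") is None:
        return False
    target = root.find(sig.get("ref"))
    if target is None:
        return False
    expected = hmac.new(KEY, _digest(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text or "")


def rewrite(xml_text: str, path: str, attr: str, value: str) -> str:
    """Simulate an intermediary hop changing one attribute of the message."""
    root = ET.fromstring(xml_text)
    root.find(path).set(attr, value)
    return ET.tostring(root, encoding="unicode")
```

Rewriting the unsigned `Route` header leaves the signature valid, while changing the `qty` inside the signed `Order` invalidates it, which is the per-element granularity TLS cannot offer.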