XML Standards Provide Web Services Security

Everybody’s talking about Web services. It’s the buzz term of the moment. The promise of application-to-application interactions using remote procedure calls over Web connections has grabbed the attention of many in the IT industry. As is often the case with new technologies, however, what Web services can do is discussed much more often than the security implementations they require. This year’s RSA Conference in San Francisco devoted an entire track of sessions to secure Web services, indicating that the organizers recognize the importance of security in this burgeoning technology, and developers should too.

Ari Kermaier’s session, “Securing Web Services: XML Security Standards in Practice,” showed developers how to incorporate the maturing XML security standards into their Web services applications. Kermaier, an engineering manager at Phaos Technology, illustrated the use of these standards in an end-to-end solution.

XML and Interoperable Security
Kermaier asserts that “XML is the format of choice for Web services, and a large number of protocols have emerged for XML from standards bodies like the W3C, OASIS, and the Liberty Alliance.” In fact, the number of standards and protocols is so large and comes from so many disparate sources that making sure Web services of all flavors can talk to each other is a major concern.

“I can’t emphasize enough the importance of open standards and interoperability testing to the success of Web services security,” stressed Kermaier. “The promise of Web services relies on common standards for locating and accessing resources (WSDL, UDDI, etc.), and Web service security standards will succeed largely to the degree that vendors and developers prioritize interoperability.”

To that end, Kermaier used three XML security standards in his demonstration that he believes are mature enough and well suited to implementing Web services security today:

  • XML Signature: a W3C Recommendation that defines how to sign XML (or any referenced data) and supports several signature configurations (enveloped, enveloping, and detached)
  • XML Encryption: a W3C Recommendation that defines how to encrypt whole elements, element content, or arbitrary data, with symmetric content keys that can in turn be wrapped under a recipient’s public key
  • XML Key Management Specification 2.0 (XKMS): a collection of protocols for key registration, location, and validation via a Web service (a W3C working draft at the time of the talk; XKMS 2.0 became a W3C Recommendation in 2005)

XML Security Standards in Action
“Once you’ve chosen good cryptographic algorithms and standards, avoiding errors of implementation and deployment is the most important aspect of achieving real security,” said Kermaier. To help developers avoid such missteps, he outlined the four main aspects of Web services security and the standards that apply to each:

  • Data integrity: ensuring data wasn’t modified in transit (XML Signature; encryption alone does not detect modification, so encrypted data should be signed as well)
  • Data confidentiality: ensuring data is visible only to the intended recipient (XML Encryption, using symmetric keys for the content and public keys to transport those keys)
  • Key management: ensuring reliable key distribution (traditional and proprietary PKI schemes, fronted by XKMS)
  • Authentication/identity management: ensuring users of the service are who they claim to be (SAML, Liberty Alliance, access controls, and user directories)

Data Integrity and Confidentiality
Developers have traditionally relied on SSL, and its successor Transport Layer Security (TLS), for data integrity and confidentiality. In the realm of Web services, however, TLS comes up a little short. For a Web service, TLS is an all-or-nothing proposition: it protects the whole connection and cannot apply different levels of security to different parts of a document. Its protection also ends when the connection does, so it neither secures data once it has been persisted nor leaves an audit trail; a finished TLS session proves nothing after the fact, whereas a signed message can be stored and re-verified later. And because TLS is point-to-point, chained services and workflow applications are left out: each intermediary terminates the connection and sees, and can alter, the plaintext before re-encrypting it for the next hop.
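What the alternative looks like in practice, as an added example that is not code from the article, from Phaos, or from the W3C: one element of a message carries an XML Signature (ds:Signature) in the header, so an intermediary can still edit the unsigned parts while any change to the signed element is detected. The example uses only the Python standard library and makes two simplifications that are assumptions, not the standard’s defaults: HMAC-SHA256 (a SignatureMethod defined in RFC 4051) stands in for an RSA signature, so signer and verifier share a key, and canonicalization is xml.etree’s C14N 2.0 (algorithm URI as I recall it) rather than the C14N 1.0 or Exclusive C14N that deployed XML-DSig stacks use. The sample envelope, Ids, and key are constructed. It also shows the check a verifier must not skip: act on the element the Reference actually resolved to, because the well-known signature-wrapping trick moves the signed element aside and drops a forgery where the application expects to find it.

```python
"""Element-level XML Signature (ds:Signature) over one part of a message.

Added example (not from the article, Phaos or the W3C), standard library only.
Assumptions: HMAC-SHA256 (RFC 4051) instead of RSA, so both sides share KEY;
C14N 2.0 from xml.etree instead of C14N 1.0 / Exclusive C14N; the Signature
sits in the header and does not envelop what it signs, so no Transforms.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"                      # C14N 2.0 URI (assumed)
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def ds(tag):
    return "{%s}%s" % (DS, tag)

def c14n(elem):
    """Canonical bytes of one subtree; the element's tail text is not part of it."""
    e = copy.deepcopy(elem)
    e.tail = None
    return ET.canonicalize(ET.tostring(e, encoding="unicode")).encode("utf-8")

def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def find_by_id(root, id_value):
    """Resolve a same-document reference by Id; duplicate Ids are refused."""
    hits = [e for e in root.iter() if e.get("Id") == id_value]
    if len(hits) != 1:
        raise ValueError("expected one element with Id=%r, found %d" % (id_value, len(hits)))
    return hits[0]

def sign(doc, header, target_id, key):
    """Append a ds:Signature to header covering the element whose Id is target_id."""
    target = find_by_id(doc, target_id)
    sig = ET.SubElement(header, ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, ds("Reference"), URI="#" + target_id)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, ds("DigestValue")).text = digest_b64(c14n(target))
    # The MAC covers canonical SignedInfo (which holds the digest), not the data itself.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    return sig

def verify(doc, key):
    """Check the one ds:Signature in doc and return the element it really covers.
    Callers must act on that element, never on one re-located by path."""
    sigs = doc.findall(".//" + ds("Signature"))
    if len(sigs) != 1:
        raise ValueError("expected one Signature, found %d" % len(sigs))
    si = sigs[0].find(ds("SignedInfo"))
    if si.find(ds("SignatureMethod")).get("Algorithm") != HMAC_SHA256:
        raise ValueError("unsupported SignatureMethod")   # pin algorithms; never let the message pick
    expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sigs[0].findtext(ds("SignatureValue")))):
        raise ValueError("SignatureValue does not verify")
    ref = si.find(ds("Reference"))
    if ref.find(ds("DigestMethod")).get("Algorithm") != SHA256:
        raise ValueError("unsupported DigestMethod")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    target = find_by_id(doc, uri[1:])
    if not hmac.compare_digest(digest_b64(c14n(target)), ref.findtext(ds("DigestValue")).strip()):
        raise ValueError("DigestValue does not match the referenced element")
    return target

# Constructed sample (not from the article): only Order is signed, Tracking is not.
SAMPLE = ("<Envelope><Header/><Body>"
          "<Order Id=\"order-1\"><Item>widget</Item><Qty>2</Qty><Total>19.98</Total></Order>"
          "<Tracking>route via hub-7</Tracking></Body></Envelope>")
KEY = b"constructed-shared-key"  # a real deployment pulls this from a keystore

def demo():
    doc = ET.fromstring(SAMPLE)
    sign(doc, doc.find("Header"), "order-1", KEY)
    out = {"intact": verify(doc, KEY).findtext("Total")}
    doc.find("Body/Tracking").text = "route via hub-9"   # intermediaries may edit unsigned parts
    out["unsigned_edit"] = verify(doc, KEY).findtext("Total")
    doc.find("Body/Order/Total").text = "0.01"           # but not the signed element
    try:
        verify(doc, KEY)
        out["tampered"] = "accepted"
    except ValueError as err:
        out["tampered"] = str(err)
    return out

def wrapping_demo():
    """Signature wrapping: park the signed Order in the header, put a forged Order
    (no Id) in the Body. The signature still verifies, since the Reference resolves
    by Id to the original; code reading Body/Order would act on the forgery."""
    doc = ET.fromstring(SAMPLE)
    sign(doc, doc.find("Header"), "order-1", KEY)
    body, original = doc.find("Body"), doc.find("Body/Order")
    body.remove(original)
    ET.SubElement(doc.find("Header"), "Wrapper").append(original)
    ET.SubElement(ET.SubElement(body, "Order"), "Total").text = "0.01"
    return verify(doc, KEY).findtext("Total"), body.find("Order").findtext("Total")
```

demo() returns the verified total twice (the edit to the unsigned Tracking element is accepted) and then the DigestValue error once the signed Total is altered; wrapping_demo() returns ("19.98", "0.01"), the verified value against the value a path lookup would have used, which is exactly the gap an application closes by consuming verify()’s return value.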

The solution Kermaier proposes is moving security inside the message document with XML Signature and XML Encryption, which developers can use to protect non-XML data as well. These standards allow developers to sign and encrypt individual elements within a document, so that, for instance, an order can be signed, a payment block encrypted for the payment processor alone, and routing information left in the clear for intermediaries. Kermaier believes that “developers who are already doing message-level processing, such as SOAP header inspection, should not find adding message-level security conceptually difficult.” He added, “encapsulating the security services in modular components allows changes and updates to be applied with minimal disruption of the code that implements an application’s business logic.”

Key Management
Kermaier said, “making sure that your keys are securely stored and accessed, particularly in a distributed service deployment, is crucial. In a similar vein, implementers must carefully consider how sensitive data is stored and retrieved by the Web service.” XKMS is the standard that addresses the key-management side of these imperatives: distributing, locating, and validating keys.

XKMS locates signer or recipient public keys, validates public key certificates, and supports core PKI functions such as key pair generation and registration. Because the work is done by a Web service, XKMS takes certificate parsing, path building, and revocation checking out of the application and puts them behind a simple XML request/response exchange. The trade-off is that the application now depends entirely on the responder’s answer, so the XKMS service must itself be authenticated and its results signed (or carried over a protected channel), and the client must still check that the result it receives is the one it asked for.
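The client side of the exchange, as an added example that is not code from the article, from Phaos, or from the W3C: it builds an XKMS 2.0 ValidateRequest and then vets the ValidateResult before trusting the key it carries. The element and attribute names and URI values follow the XKMS 2.0 schema as I recall it; the service URL, the UseKeyWith application identifier, the identities, the placeholder key values, and the canned responder messages are all constructed. Verifying the responder’s own XML Signature on the result is a required step in a real client and is left out here.

```python
"""Client side of an XKMS 2.0 Validate exchange: build the request, then vet
the ValidateResult before trusting the key it carries.

Added example (not from the article, Phaos or the W3C). Element, attribute and
URI names follow the XKMS 2.0 schema as recalled; SERVICE, APP, IDENT, the key
values and the canned results are constructed. The responder's signature on the
result is not verified here; a real client must do that too.
"""
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)
SERVICE = "https://xkms.example.invalid/xkms"              # assumed responder URL
APP, IDENT = "urn:ietf:rfc:3275", "orders@example.com"      # UseKeyWith for XML Signature use (assumed)
# A Valid status is only as good as the checks behind it: require all four reasons.
REQUIRED_REASONS = {XKMS + r for r in ("IssuerTrust", "RevocationStatus", "ValidityInterval", "Signature")}

def x(tag): return "{%s}%s" % (XKMS, tag)
def d(tag): return "{%s}%s" % (DS, tag)

def build_validate_request(request_id, key_name):
    req = ET.Element(x("ValidateRequest"), Id=request_id, Service=SERVICE)
    ET.SubElement(req, x("RespondWith")).text = XKMS + "KeyValue"
    qkb = ET.SubElement(req, x("QueryKeyBinding"))
    ET.SubElement(ET.SubElement(qkb, d("KeyInfo")), d("KeyName")).text = key_name
    ET.SubElement(qkb, x("KeyUsage")).text = XKMS + "Signature"
    ET.SubElement(qkb, x("UseKeyWith"), Application=APP, Identifier=IDENT)
    return req

def check_validate_result(xml_text, request):
    """Return the RSA key from a ValidateResult, or raise ValueError saying why not."""
    res = ET.fromstring(xml_text)
    if res.tag != x("ValidateResult"):
        raise ValueError("not a ValidateResult")
    if res.get("ResultMajor") != XKMS + "Success":
        raise ValueError("responder returned %s" % res.get("ResultMajor"))
    if res.get("RequestId") != request.get("Id") or res.get("Service") != request.get("Service"):
        raise ValueError("result does not belong to our request (replayed or misrouted)")
    bindings = res.findall(x("KeyBinding"))
    if len(bindings) != 1:
        raise ValueError("expected one KeyBinding, got %d" % len(bindings))
    kb = bindings[0]
    status = kb.find(x("Status"))
    if status is None or status.get("StatusValue") != XKMS + "Valid":
        raise ValueError("key binding is not Valid")
    missing = REQUIRED_REASONS - {r.text.strip() for r in status.findall(x("ValidReason"))}
    if missing:
        raise ValueError("Valid status not backed by: " + ", ".join(sorted(missing)))
    ukw = kb.find(x("UseKeyWith"))
    if ukw is None or (ukw.get("Application"), ukw.get("Identifier")) != (APP, IDENT):
        raise ValueError("KeyBinding is for another application or identity")
    rsa = kb.find(d("KeyInfo") + "/" + d("KeyValue") + "/" + d("RSAKeyValue"))
    if rsa is None:
        raise ValueError("no RSAKeyValue in KeyBinding")
    return {"modulus": rsa.findtext(d("Modulus")).strip(), "exponent": rsa.findtext(d("Exponent")).strip()}

# Constructed responder messages; the Modulus/Exponent values are placeholders, not a real key.
GOOD = """<xkms:ValidateResult xmlns:xkms="http://www.w3.org/2002/03/xkms#"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="rsp-1" RequestId="req-1"
  Service="https://xkms.example.invalid/xkms"
  ResultMajor="http://www.w3.org/2002/03/xkms#Success">
 <xkms:KeyBinding Id="kb-1">
  <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
   <ds:Modulus>QUJDREVGR0hJSktMTU5PUA==</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
  </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
  <xkms:KeyUsage>http://www.w3.org/2002/03/xkms#Signature</xkms:KeyUsage>
  <xkms:UseKeyWith Application="urn:ietf:rfc:3275" Identifier="orders@example.com"/>
  <xkms:Status StatusValue="http://www.w3.org/2002/03/xkms#Valid">
   <xkms:ValidReason>http://www.w3.org/2002/03/xkms#IssuerTrust</xkms:ValidReason>
   <xkms:ValidReason>http://www.w3.org/2002/03/xkms#RevocationStatus</xkms:ValidReason>
   <xkms:ValidReason>http://www.w3.org/2002/03/xkms#ValidityInterval</xkms:ValidReason>
   <xkms:ValidReason>http://www.w3.org/2002/03/xkms#Signature</xkms:ValidReason>
  </xkms:Status>
 </xkms:KeyBinding>
</xkms:ValidateResult>"""
NO_REVOCATION_CHECK = GOOD.replace(
    "<xkms:ValidReason>http://www.w3.org/2002/03/xkms#RevocationStatus</xkms:ValidReason>", "")
WRONG_REQUEST = GOOD.replace('RequestId="req-1"', 'RequestId="req-7"')

def demo():
    req = build_validate_request("req-1", "orders-signing-key")
    out = {"good": check_validate_result(GOOD, req)["exponent"]}
    for name, text in (("no_revocation_check", NO_REVOCATION_CHECK), ("wrong_request", WRONG_REQUEST)):
        try:
            check_validate_result(text, req)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out
```

demo() accepts the complete result and rejects the two variants: a result that claims Valid without having checked revocation, and a result whose RequestId does not match the request, which is how a stale or replayed answer about a different key would otherwise be taken at face value.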

As an example of where key management comes into play for the Web service developer, Kermaier offered the following scenario: “a distributed J2EE application using stateful session beans with container-managed state needs to be designed to make sure that secrets and keys are not unexpectedly serialized in ways that expose the data inappropriately. It is these kinds of implementation details that present a challenge to the developer who needs to incorporate strong security into Web services.”

Authentication and Identity Management
Kermaier cited SAML and Project Liberty as solutions for authentication and identity management in the Web services space. SAML offers a flexible, extensible, and abstract framework for businesses and Web services to exchange security information about their users in the form of signed assertions about authentication, attributes, and authorization decisions; the service that consumes an assertion still has to verify its signature and its validity conditions before relying on it. Project Liberty, which Kermaier calls “a giant step toward achieving interoperability goals in the realm of authentication and identity management,” builds on SAML to define several profiles that developers can use to implement single sign-on and federated identity for their users.

Interoperability Is Key
Looking down the road of Web services security development, which developers, standards bodies, and vendors have only just begun to travel, Kermaier places interoperability above all other goals. “The key to successfully applying Web services security protocols will be interoperability. If implementers adhere to the open standards and participate in industry interoperability testing, the higher-level security protocols built on XML signatures and encryption will have a much better chance of reaching maturity and widespread adoption.”

devx-admin
