SOA building blocks IV – Security elements
03/30/2010 2:13 am By Nuwan Bandara | Articles: 6
With my last article I have explained in detail how SOA/Web-services security changes from the traditional security model. I wrapped up the article by defining some key elements of security which is involved with web services based architectures which is namely, authentication, authorization, integrity, confidentiality, and non-repudiation. With today’s article let’s focus on these elements and have a better understanding.
1. Authentication
Authentication is not a new methodology for any discipline, regardless it is the computational world people need to be authenticated in certain cases. In such situations, usually we identify another person using an identification card issued by the government or a recognized body. In the computational world we can use the famous username, password combination, or a pin number with a username or an id card (ATM cards etc), or for advanced secure scenarios we can use fingerprint scans, retinal scans etc. However for authentication, considering multi factors are treated safer than single factor authentication. For instance a fingerprint scan with a username, password combination will be extremely hard to compromise.
2. Authorization
Authorization is also considered quite important in many service oriented scenarios, if we take a large organization as an example, different services are definitely aimed at different people, and they are categorized to roles depending on their responsibilities and titles. Hence services are secured based on access roles and this is called authorization. It can be the same service which is accessed by a normal employee and the CEO. However the information provided by the service will be different according to the role that the services is accessed by.
3. Confidentiality
Confidentiality is about ensuring that the provided information is only accessed by the parties that are authorized. To ensure confidentiality, in SOA scenarios encryptions are used. In my previous article I have explained about end-to-end and point-to-point security with regard to transport level security (https) and message level security. Confidentiality is ensured by using both of these mechanisms. For such encryption the public key infrastructure is heavily used. What is important to note is the encryption algorithm where depending on that the communication speed is heavily dependent. The norm is that asymmetric key algorithms are thousands of times slower than symmetric key algorithms.
Figure 1: Public key infrastructure based encryption
4. Integrity
Integrity is the assurance that the data is not tampered or changed without authorization. This is ensured by a MAC (Message Authentication Code i.e. HMAC) id which is attached to a message. The sender of the message can generate a unique code (using a shared secret key + Message) and attach it to the message where the recipient can verify the message with the code.
Figure 2: Dynamics of MAC
5. Non-Repudiation
Ensuring non-repudiation provides a set of information in message communication such as that the sender cannot deny that he did not send it and also the origin of the message. Digital signature is used to ensure non-repudiation in message communication. Usually to ensure non-repudiation a certificate authority is involved. When a message is send from A to B, the message (Hash) will be encrypted with A’s private key and that will be sent along with the certificate to B, where B will decrypt the signature with A’s Public key and compares the hash with the message hash. While these two are equal the message’s origin can be identified.
Figure 3: Non-repudiation
The above explained are the main elements involved with web services / SOA security model. By using all/any of these mechanisms the SOA architecture can achieve the expected amount of security, with a great strength.
In our next article we will look in to SOA integration and integration patterns.
Post new comment