Chapter 4: Security 25
The common security attacks described in Appendix C (“Common Security Attacks”) include a base taxonomy of system threats that you should carefully consider when choosing Web services security features.
The remainder of this chapter explores the application of the Web services security model. Three key topics are securing communications, securing applications, and identity propagation in a federation. A secure message transport is not assumed, nor is it necessary for secure
Message Integrity and Confidentiality
Message-level security is the key building block for end-to-end security. When using message-level security, no transport-level security is required. Requirements for message-level security are message integrity, message authentication, and confidentiality. Message integrity ensures that a message cannot be changed without detection. Use of XML Signature [XMLSIG] ensures that message modifications can be detected.
Message authentication identifies the principal that sent the message. If public key encryption is used, the unique identity of the principal can be determined. The use of public key encryption with keys certified by a trusted source provides this authentication. However, if symmetric key encryption is used, this is not the case—only the group of principals that know the shared secret can be identified.
Message confidentiality ensures that a message cannot be read by an unauthorized third party during transmission. SOAP messages are kept confidential through the use of XML Encryption [XMLENC] in conjunction with security tokens.
Mechanisms for integrity, authentication, and confidentiality take the original message (or parts of the message) as input and produce appropriate data (such as a checksum) as output. For example, the signature of an XML element could, in a simple case, be implemented as the asymmetric encryption of a hash of all the characters of the XML element. This encrypted hash could then be stored and transmitted in the message.
XML documents can be thought of as strings of characters. The character-by-character comparison is critical in security operations such as XML signatures. A one-character difference is a different result. Serialization is the method used to represent objects “on the wire.” For example, serialization is used to create the XML representation of a SOAP message. Any inessential typographical variations produced by different serialization software are ignored by message-processing software but significantly impact the security software. The Infoset representation of an XML message ameliorates this issue. For XML signatures to work, messages must be transformed to an XML form that is consistent for all parties. Canonicalization is the term used to describe the method used to produce a consistent view of the noncritical information, such as line breaks, tab spaces, ordering of attributes, and the style of closing tags. Signatures include the canonicalization method used to enable the recipient of a message to
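The effect of canonicalization on a digest, as an added example that is not from the book: two serializations of the same constructed order fragment differ only in attribute order, quote style, and empty-element style. A digest over the raw bytes differs, a digest over the canonical form matches, and a one-character change to the content is still detected. The standard library's canonicalize implements Canonical XML 2.0, whereas XML Signature deployments usually name Canonical XML 1.0/1.1 or Exclusive C14N; the principle shown is the same.

```python
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample data: the same element serialized by two different
# toolkits. Only inessential typography differs (attribute order, quote
# style, <Item/> versus <Item></Item>).
SERIALIZED_A = (
    '<Order xmlns="urn:example:orders" id="42" priority="high">'
    '<Item sku="A1"/><Note>rush</Note></Order>'
)
SERIALIZED_B = (
    "<Order priority='high' id='42' xmlns='urn:example:orders'>"
    "<Item sku='A1'></Item><Note>rush</Note></Order>"
)
# A real modification: one character of the Note text changed.
TAMPERED_B = SERIALIZED_B.replace("rush", "rash")


def raw_digest(xml_text: str) -> bytes:
    """SHA-256 over the bytes exactly as serialized, no canonicalization."""
    return hashlib.sha256(xml_text.encode("utf-8")).digest()


def canonicalize(xml_text: str) -> str:
    """Canonical XML (C14N 2.0 as implemented by xml.etree, Python 3.8+)."""
    return ET.canonicalize(xml_text)


def canonical_digest(xml_text: str) -> bytes:
    """Digest over the canonical form: the bytes a DigestValue covers."""
    return hashlib.sha256(canonicalize(xml_text).encode("utf-8")).digest()


def digest_value(xml_text: str) -> str:
    """Base64 text of the canonical digest, as carried in ds:DigestValue."""
    return base64.b64encode(canonical_digest(xml_text)).decode("ascii")


def verify_digest(received_xml: str, expected_digest_value: str) -> bool:
    """Recipient side: recanonicalize what arrived and compare digests."""
    return hmac.compare_digest(digest_value(received_xml), expected_digest_value)


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(SERIALIZED_A) == raw_digest(SERIALIZED_B))
    print("canonical digests equal:", canonical_digest(SERIALIZED_A) == canonical_digest(SERIALIZED_B))
    print("tampered copy verifies: ", verify_digest(TAMPERED_B, digest_value(SERIALIZED_A)))
```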