Microsoft’s .NET Framework provides support for the key Web service security requirements—authentication, authorization, data protection, and nonrepudiation. These features are used to secure Web service transactions from prying eyes. The .NET Framework provides all the necessary tools for the developer. I’ll discuss how the .NET platform and .NET-based servers provide support for these Web service security requirements.
Web service security refresher
Did you miss our recent article on Web service security? Read “Top 10 Web service security requirements.”
CLR—the base of the .NET platform
The .NET Framework’s security solution is built on the concept of managed code, in which the security rules are enforced by the common language runtime (CLR). CLR enables execution of both managed code, which is typically verified for type safety and disciplined behavior of other properties, and unmanaged code, which requires special privileges and permissions to run.
Let’s review how Microsoft .NET Framework supports the security requirements for Web services.
For authentication, the .NET Framework supports various authentication methods, including Microsoft Windows OS identity authentication, HTTP, Message Authentication Codes (MACs), Digest, Kerberos, and Microsoft Passport.
In basic HTTP authentication, the authentication information passed over the network is not encrypted. This mechanism should only be used for Web services in enterprise application integration (EAI) projects.
Message Authentication Codes
A MAC is an authentication tag, also called a checksum, which is derived by applying an authentication scheme, together with a secret key, to a message. However, it’s not foolproof since a hacker can also generate these codes and misuse them.
Kerberos is a network authentication protocol. It’s the .NET Framework’s default authentication security protocol. The Kerberos protocol uses strong cryptography so that a Web service requestor can prove its identity to a Web service provider, and vice versa, across an insecure network connection such as the Internet.
In the future, the .NET Framework will support Passport and cookie-based authentication for Web services. Microsoft's Passport identity service stores sensitive consumer information on Microsoft's servers. This will restrict Passport’s use since companies will be unwilling to give Microsoft control of sensitive authentication information.
COM components (or managed classes) are often used to implement the business logic of XML Web services. The .NET Framework lets you define authorization security on these components administratively and/or programmatically.
In the .NET Framework, developers, system administrators, and component creators can define role-based security for components. A role corresponds to a specific set of access rights and privileges. Role-based security is defined using administrative tools and configuration settings.
In the .NET Framework, a component may contain all the implementation business logic for the Web service. You can define component security programmatically, including client’s permissions and privileges. Based on specific permissions and privileges, such as authority to read and write files and environment variables, a certain part of the component’s code is executed.
For data protection, the .NET Framework supports cryptography, encryption, digital signatures, secured socket layer (SSL), Kerberos, hashing, and random-number generation.
Cryptography protects the privacy of sensitive information transmitted over the Internet. Through the use of sophisticated mathematical formulas and computer algorithms, it ensures that the information is not intelligible if it falls into the wrong hands. The .NET Framework provides CryptoAPI, an API that is provided as a part of Windows and that includes such features as data encryption; support for PKCS #10, PKCS #7, X.509; and the capability to add and retrieve certificates from certificate stores. The CryptoAPI allows .NET developers to easily integrate security within their applications through a common programming model (API).
After a Web service requestor and provider have used Kerberos to prove their identity, they can also programmatically encrypt all of their communications to ensure privacy and data integrity, and exchange XML-based messages.
Microsoft’s .NET Framework supports the use of digital signatures as a security solution. Digital signatures are the electronic equivalent of pen-and-paper signature; they authenticate the sender of the message. Digital signatures provide a means by which information cannot be repudiated by binding communication to the originating entity (signature). They also guarantee that the message hasn’t been modified since it left the sender. Digital signatures rely on public key systems. Therefore, public keys are readily available. Encrypted information is sent with the public key, and the recipient uses a private key to decrypt the data. RSA is one example of a key provider.
In the future, Microsoft’s .NET Framework will also support the XML Signature specification, an XML-based language for representing digital signatures.
Microsoft’s .NET Framework supports SSL to encrypt authentication information and data for HTTP and NNTP transmissions. SSL is the cornerstone security technology for the use of single-level Web services in the business-to-business integration (B2Bi) domain. Single-level means that there is only one Web service provider and one Web service requestor. SSL can secure the entire channel between these two entities end to end, so that none of the devices in the channel, such as computers and routers, can interpret or maliciously corrupt the information flowing through them in the form of encrypted XML documents.
However, the use of SSL for multilevel Web services in the B2Bi domain is very limited. Multilevel implies the participation of multiple entities in the use of a Web service, where each entity can interpret and modify the data. Encryption and reencryption of data at each entity is not a viable solution because it severely slows the performance of the entire system. XML signatures will be useful in such scenarios.
Nonrepudiation ensures that the different entities involved in a Web service can’t deny that an authenticated or digitally signed bit of information came from them. This validation provides greater confidence in the data confidentiality process, an important factor in the wide adoption of Web services in the future. The sender and receiver authentications must also be performed to guarantee nonrepudiation apart from Web service requests and response message authentications. In the .NET Framework, all Web service transactions can be digitally signed and stored in a tamper-proof audit trail. Furthermore, all transactions can be fully traced and profiled.