The Hogg Blog : Web service security - Threats and Countermeasures - Part 1 : Message Protection

Web service security - Threats and Countermeasures - Part 1 : Message Protection – Integrity and Confidentiality

Threats

Network eavesdropping leads to disclosure of confidential information
An attacker manipulates a message in transit influencing the service’s behavior

Vulnerabilities

Lack of end to end encryption when sending SOAP messages
Lack of a digital signature to verify authenticity of a SOAP message

Countermeasures

Message Protection Design Patterns:
- Data Origin Authentication - See http://msdn.microsoft.com/practices/default.aspx?pull=/library/en-us/dnpag2/html/wss_ch2_intro.asp
- Data Confidentiality - See http://msdn.microsoft.com/practices/default.aspx?pull=/library/en-us/dnpag2/html/wss_ch2_intro.asp
Message Protection Composite Implementation Patterns
- For Direct authentication, Kerberos and X.509 see http://msdn.microsoft.com/practices/default.aspx?pull=/library/en-us/dnpag2/html/wss_ch3_intro.asp

You might also notice that the implementations for these patterns are grouped together so that we are demonstrating implementation not just of data confidentiality but also data origin authentication. This is intentional. An encrypted message can still be tampered with - so we recommend you implement both of these patterns at the same time...

Hope to post another entry on Monday...

Published Sunday, December 18, 2005 12:07 PM by Jason Hogg

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

No Comments

Title (required)
Name required
Your URL
Comments (required)

Enter Code Here: Required
Remember Me?

The Hogg Blog

This Blog

Syndication

Search

Tags

News

Archives

Articles

Windows Azure

Web service security - Threats and Countermeasures - Part 1 : Message Protection – Integrity and Confidentiality

Comment Notification

Comments

Leave a Comment