SP 800-95, NIST SPECIAL PUBLICATION: GUIDE TO SECURE WEB SERVICES (AUG 2007)
The advance of Web services technologies promises to have far-reaching effects on the Internet and
enterprise networks. Web services based on the eXtensible Markup Language (XML), SOAP, and related
open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to
interact without human intervention through dynamic and ad hoc connections. Web services technology
can be implemented in a wide variety of architectures, can co-exist with other technologies and software
design approaches, and can be adopted in an evolutionary manner without requiring major
transformations to legacy applications and databases.
The security challenges presented by the Web services approach are formidable and unavoidable. Many
of the features that make Web services attractive, including greater accessibility of data, dynamic
application-to-application connections, and relative autonomy (lack of human intervention) are at odds
with traditional security models and controls. The primary purpose of this publication is to inform people
about securing Web services. Difficult issues and unsolved problems exist, such as protecting the
following:
- Confidentiality and integrity of data that is transmitted via Web services protocols in service-to-service
transactions, including data that traverses intermediary services
- Functional integrity of the Web services that requires the establishment of trust between services on a
transaction-by-transaction basis
- Availability in the face of denial of service attacks that exploit vulnerabilities unique to Web service
technologies, especially targeting core services, such as the discovery service, on which other services
rely.
Perimeter-based network security technologies (e.g., firewalls) are inadequate to protect SOAs for the
following reasons:
- SOAs are dynamic and can seldom be fully constrained to the physical boundaries of a single
network.
- SOAP is transmitted over HyperText Transfer Protocol (HTTP), which is allowed to flow without
restriction through most firewalls.
Moreover, Transport Layer Security (TLS), which is used to authenticate and encrypt Web-based
messages, is inadequate on its own for protecting SOAP messages because it is designed to operate between
two endpoints. Each intermediary that terminates a TLS connection sees the SOAP message in the clear and
can alter it before forwarding it, so TLS gives no end-to-end protection for a message that a Web service
forwards, possibly to multiple other Web services simultaneously.
The Web service processing model requires the ability to secure SOAP messages and XML documents as
they are forwarded along potentially long and complex chains of consumer, provider, and intermediary
services. The nature of Web services processing makes those services subject to unique attacks, as well
as variations on familiar attacks targeting Web servers.
Ensuring the security of Web services involves augmenting traditional security mechanisms with security
frameworks based on use of authentication, authorization, confidentiality, and integrity mechanisms. This
document describes how to implement those security mechanisms in Web services. It also discusses how
to make Web services and portal applications robust against the attacks to which they are subject. The
following is a summary of security techniques for Web services:
- Confidentiality of Web service messages using XML Encryption. This is a specification from the
World Wide Web Consortium (W3C) and it provides a mechanism to encrypt XML documents, either whole or
selected elements and their content.
- Integrity of Web service messages using XML Signature. This is a specification produced jointly
by the W3C and the Internet Engineering Task Force (IETF). The power of XML Signature is to
selectively sign XML data, so that a signature can cover only those portions of a message that must
remain unaltered while intermediaries modify the rest.
- Web service authentication and authorization using XML Signature, Security Assertion Markup
Language (SAML) and eXtensible Access Control Markup Language (XACML) as proposed by the
Organization for the Advancement of Structured Information Standards (OASIS). SAML and
XACML provide mechanisms for authentication and authorization in a Web services environment.
- Web Services (WS)-Security. This specification, produced by OASIS, defines a set of SOAP
header extensions for end-to-end SOAP messaging security. It supports message integrity and
confidentiality by allowing communicating partners to exchange signed and encrypted messages in a Web
services environment.
- Security for Universal Description, Discovery and Integration (UDDI). Produced by OASIS,
UDDI allows Web services to be easily located and subsequently invoked. Security for UDDI
enables publishers, inquirers and subscribers to authenticate themselves and authorize the information
published in the directory.
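The intermediary problem described for TLS above and the XML Signature and WS-Security items in this list are easiest to see in code. The following is an added example, not text or code from SP 800-95 or from any W3C or OASIS implementation: it signs only the SOAP Body, carries the ds:Signature in a wsse:Security header, and then shows that an intermediary can add a header and re-serialize the message without breaking the signature (which a TLS session cannot survive, since the intermediary terminates it), while any change to the Body, or a wrong key, is detected. Assumptions not taken from the page: the order namespace urn:example:orders and sample order content, a pre-shared key with HMAC-SHA256 in place of the public-key signature a WS-Security deployment would normally use, C14N 2.0 from Python's standard library in place of Exclusive C14N, and the omission of wsu:Timestamp, Transforms and security token references.

```python
"""Constructed example: sign only the SOAP Body with an XML Signature carried in
a WS-Security header, then verify it after an intermediary touches the message.
Assumed, not from the NIST text: HMAC-SHA256 with a pre-shared key (deployments
normally use public-key signatures), C14N 2.0 from the stdlib instead of
Exclusive C14N, no Timestamp, no Transforms, no token references."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
APP = "urn:example:orders"                      # assumed application namespace
C14N2 = "http://www.w3.org/2010/xml-c14n2"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
KEY = b"constructed-pre-shared-key"             # constructed test key, not a real secret
for prefix, uri in (("soap", SOAP), ("ds", DS), ("wsse", WSSE), ("wsu", WSU), ("o", APP)):
    ET.register_namespace(prefix, uri)


def c14n(elem):
    """Canonical bytes of one subtree, so prefix and attribute order cannot change the digest."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True).encode()


def digest(elem):
    """Base64 SHA-256 of the canonical subtree: the Reference's DigestValue."""
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()


def build_order_envelope():
    """Constructed sample message: a purchase order in the SOAP Body, Body tagged with wsu:Id."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "Body"})
    order = ET.SubElement(body, f"{{{APP}}}PlaceOrder")
    ET.SubElement(order, f"{{{APP}}}Account").text = "ACME-42"
    ET.SubElement(order, f"{{{APP}}}Amount").text = "100.00"
    return env


def sign_body(env, key):
    """Sign only the Body; the Header stays free for intermediaries to extend."""
    body = env.find(f"{{{SOAP}}}Body")
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N2)
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + body.get(f"{{{WSU}}}Id"))
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(body)
    # SignatureValue covers SignedInfo, which pins the Body digest.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security").append(sig)
    return ET.tostring(env, encoding="unicode")


def verify_body(xml_text, key):
    """True only if the Reference targets the actual Body, its digest matches and the MAC verifies."""
    env = ET.fromstring(xml_text)
    sig = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    ref = si.find(f"{{{DS}}}Reference") if si is not None else None
    body = env.find(f"{{{SOAP}}}Body")
    if ref is None or body is None:
        return False
    # Locate the Body structurally, then require its wsu:Id to match the URI, rather than
    # looking elements up by Id: a duplicate Id elsewhere cannot redirect the check.
    if ref.get("URI", "") != "#" + (body.get(f"{{{WSU}}}Id") or ""):
        return False
    claimed = ref.findtext(f"{{{DS}}}DigestValue", "").encode()
    if not hmac.compare_digest(digest(body).encode(), claimed):
        return False
    try:
        got = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    except ValueError:
        return False
    return hmac.compare_digest(hmac.new(key, c14n(si), hashlib.sha256).digest(), got)


def add_routing_header(xml_text, hop):
    """A legitimate intermediary: add a header, re-serialize, forward."""
    env = ET.fromstring(xml_text)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{APP}}}Via").text = hop
    return ET.tostring(env, encoding="unicode")


def tamper_amount(xml_text, new_amount):
    """A hostile intermediary: alter the signed Body in transit."""
    env = ET.fromstring(xml_text)
    env.find(f".//{{{APP}}}Amount").text = new_amount
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    signed = sign_body(build_order_envelope(), KEY)
    print("original verifies:     ", verify_body(signed, KEY))
    print("after intermediary hop:", verify_body(add_routing_header(signed, "gw.example"), KEY))
    print("after Body tampering:  ", verify_body(tamper_amount(signed, "9999.00"), KEY))
```

The verifier finds the Body by its position in the envelope and only then checks that its wsu:Id is the one the Reference names; resolving the Reference by an Id lookup instead is how signature-wrapping attacks redirect the digest check to an attacker-supplied element. The same structure extends to covering a wsu:Timestamp or additional headers by adding one Reference per signed element.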