Confidentiality and integrity are two critical components of web services. Encryption can ensure confidentiality, but the encrypted data can still be overwritten, which compromises the integrity of the message. Protecting the integrity of the message is equally important, and digital signatures can help do that. In this article, I describe how to digitally sign and verify messages in web services using Oracle Web Services Manager, a component of Oracle's SOA Suite. It is a web services security and monitoring product that helps organizations define and enforce not only security policies but also service level agreements. Security is one of the key components of Service Oriented Architecture.
Overview of Digital Signatures
In the web services scenario, XML messages are exchanged between the client application and the web services. Certain messages contain critical business information and, therefore, the integrity of the message should be ensured. Ensuring the integrity of the message is not a new concept; it has been around for a long time. The idea is to make sure that the data was not tampered with in transit between the sender and the receiver.
Consider, for example, that Alice and Bob are exchanging emails that are critical to business. Alice wants to make sure that Bob receives the correct email that she sent and no one else tampered with or modified the email in between. In order to ensure the integrity of the message, Alice digitally signs the message using her private key, and when Bob receives the message, he will check to make sure that the signature is still valid before he can trust or read the email.
What is this digital signature? And how does it prove that no one else tampered with the data? When a message is digitally signed, it basically follows these steps:
- Create a digest value of the message (a unique string value for the message using a SHA1 or MD5 algorithm).
- Encrypt the digest value using the private key, known only to the sender.
- Exchange the message along with the encrypted digest value.
Note: MD5 and SHA1 are message digest algorithms to calculate the digest value. The digest or hash value is nothing but a non-reversible unique string for any given data, i.e. the digest value will change even if a space is added or removed. SHA1 produces a 160-bit digest value, while MD5 produces a 128-bit value.
When Bob receives the message, his first task is to validate the signature. Validation of the signature goes through a sequence of steps:
- Create a digest value of the message again using the same algorithm.
- Encrypt the digest value using the public key of Alice (obtained out of band, as part of the message, etc.).
- Validate to make sure that the digest value encrypted using the public key matches the one that was sent by Alice.
- Since the public key is known or exchanged along with the message, Bob can check the validity of the certificate itself.
Note: Digital certificates are issued by a trusted party such as Verisign. When a certificate is compromised, you can cancel the certificate, which will invalidate the public key. Once the signature is verified, Bob can trust that the message was not tampered with by anyone else. He can also validate the certificate to make sure that it is not expired or revoked, and also to ensure that no one actually tampered with the private key of Alice.
Digital Signatures in Web Services
In the last section, we learned about digital signatures. Since web services are all about interoperability, digital-signature-related information is represented in an industry standard format called XML Signature (standardized by W3C). The following are the key data elements that are represented in an interoperable manner by XML Signature:
- What data (what part of SOAP message) is digitally signed?
- What hash algorithm (MD5 or SHA1) is used to create the digest value?
- What signature algorithm is used?
- Information about the certificate or key.
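The sign-and-validate flow from the overview, and the four data elements just listed, can be seen end to end with the JDK's standard `javax.xml.crypto.dsig` API. This is an added example, not code from the article or from Oracle Web Services Manager; the sample message, the throwaway RSA key pair and the class name are constructed for illustration, and it uses SHA-256 in place of the SHA1/MD5 digests named above.

```java
import java.io.StringReader;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class XmlSigDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample message (not from the article).
        String xml = "<Envelope><Body><Transfer><Amount>100</Amount></Transfer></Body></Envelope>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML Signature processing
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair(); // throwaway key pair standing in for Alice's
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // <Reference>/<DigestMethod>: what is signed (URI "" = whole document) and the hash algorithm.
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        // <SignatureMethod>: which signature algorithm is used.
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        // <KeyInfo>: information about the key.
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(alice.getPublic())));
        // Alice signs with her private key; <Signature> is appended under the root element.
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(alice.getPrivate(), doc.getDocumentElement()));
        System.out.println("untampered valid: " + validate(fac, doc, alice.getPublic()));
        // Simulate a modification in transit, then validate again.
        doc.getElementsByTagName("Amount").item(0).setTextContent("100000");
        System.out.println("tampered valid:   " + validate(fac, doc, alice.getPublic()));
    }

    // Bob validates with a public key he already trusts, not the one carried in <KeyInfo>.
    static boolean validate(XMLSignatureFactory fac, Document doc, PublicKey trusted) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(trusted, sig);
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }
}
```

The second validation fails because the digest recomputed over the modified document no longer matches the `DigestValue` covered by the signature.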
In the next section, I describe how the Oracle Web Services Manager can help generate and verify signatures in web services.