Message security overview

Message-level security (securing web services at the message level) addresses security requirements including identity, authentication, authorization, integrity, confidentiality, non-repudiation, and basic message exchange. The message-level security process uses many of the same mechanisms as transport-level web security, including digital certificates, encryption, and digital signatures.

With message-level security, the message either contains the information needed to secure it or contains information about where to obtain that information. The message also carries information relevant to the protocols and procedures that process the specified message-level security. Because the security information is part of the message, message-level security is not tied to any particular transport mechanism and is independent of the transport protocol (such as HTTPS). A messaging service securely and reliably packages and transmits electronic messages from one partner to another. Messaging services are a crucial intermediary between data transport protocols (such as HTTP or HTTPS) and AS4 Microservice. Transport protocols provide for the exchange of raw data and define the endpoints (URLs) that partners use to communicate with one another. A messaging service (such as AS4) then physically generates the messages and delivers them to the specified partner endpoint in a reliable and secure manner.

The sender (producer) of a message adds security information that applies to that particular message to the message header. When the message is received, the consumer endpoint uses the security information in the header to verify and validate the message. For example, the service endpoint might verify the message signature and validate that the message is the original that was sent. You can add signature and encryption information to the message headers, as well as other information, such as security tokens that confirm identity (for example, an X.509 certificate), bound to the message content.

Without message-level security, the message is sent in clear text, and personal information such as a user ID or an account number is not protected. Without applying message-level security to SOAP messages, there is only a SOAP body under the SOAP envelope in the SOAP message. By applying features from the WS-Security specification, the SOAP security header is inserted under the SOAP envelope in the SOAP message when the SOAP body is signed and encrypted.

To keep the integrity or confidentiality of the message, you can apply digital signatures and encryption to the message. At a minimum, you should sign the message body, security, and addressing headers. You can also add an authentication mechanism by inserting various types of security tokens, such as the UsernameToken element. When the UsernameToken is received by the message consumer, the user name and password are extracted and verified. If the user name and password combination is valid, the message is accepted and processed at the server. Using security tokens for basic authentication also provides access control to message pull channels.

In AS4 Microservice, support for message-level security is provided through the WS-Security standards found in ebMS, including a combination of XML digital signatures and XML encryption. Signing and encryption are primarily accomplished with X.509 security tokens for authenticating messages, securing privacy, and ensuring tamper-proof data transmission. These integrity and confidentiality mechanisms also prevent message alteration and eavesdropping. Additionally, you can prevent replay attacks by using message time stamps.
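As an added example (not part of the AS4 Microservice documentation or its code), the following Python sketch shows the producer and consumer sides of the UsernameToken check and the time-stamp replay protection described above: the digest form of the token (Base64(SHA-1(nonce + created + password)), from the OASIS WSS UsernameToken Profile, which this page does not spell out), a timestamp validity window, and a nonce cache that rejects a replayed message. The class and function names, the 5-minute window and the user table are assumptions; XML signing and encryption are not shown.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_envelope(user: str, password: str, body: str, now: datetime) -> str:
    """Producer side: wsse:Security header with a Timestamp and a digest UsernameToken, then the body."""
    created, expires = now.strftime(FMT), (now + timedelta(minutes=5)).strftime(FMT)
    nonce = os.urandom(16)  # fresh per message; the consumer remembers it to detect replays
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><soap:Header>'
            f'<wsse:Security><wsu:Timestamp><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}'
            f'</wsu:Expires></wsu:Timestamp><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body>{body}</soap:Body></soap:Envelope>')

class Consumer:  # consumer endpoint (hypothetical): the header is checked before the body is processed
    def __init__(self, users: dict, skew: timedelta = timedelta(minutes=5)):
        self.users, self.skew, self.seen = users, skew, set()  # seen = accepted (nonce, created) pairs
    def verify(self, envelope: str, now: datetime) -> bool:
        sec = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        ts = sec.find(f"{{{WSU}}}Timestamp") if sec is not None else None
        tok = sec.find(f"{{{WSSE}}}UsernameToken") if sec is not None else None
        if ts is None or tok is None:
            return False  # no security header: reject instead of processing a clear-text message
        created = datetime.strptime(ts.findtext(f"{{{WSU}}}Created"), FMT).replace(tzinfo=timezone.utc)
        expires = datetime.strptime(ts.findtext(f"{{{WSU}}}Expires"), FMT).replace(tzinfo=timezone.utc)
        if not (created - self.skew <= now <= expires):
            return False  # stale or not-yet-valid timestamp
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64, tok_created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST or None in (nonce_b64, tok_created):
            return False  # only the digest form is accepted; PasswordText would carry the secret itself
        if (nonce_b64, tok_created) in self.seen:
            return False  # replay of an already accepted token
        secret = self.users.get(tok.findtext(f"{{{WSSE}}}Username"))
        if secret is None or not hmac.compare_digest(
                password_digest(base64.b64decode(nonce_b64), tok_created, secret), pw.text or ""):
            return False
        self.seen.add((nonce_b64, tok_created))
        return True
```

In a deployment the nonce cache would be bounded to the timestamp window and shared across consumer instances, otherwise a replay routed to a different node is not detected.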

XML digital signatures and XML encryption provide the ability to:

  • Selectively encrypt and protect the integrity of parts of a message without needing to encrypt the entire message. You can also secure different parts of a message with different methods. For example, you can apply integrity (a digital signature over the entire message) to the security token and confidentiality (specifying which message parts within the generated message must be encrypted) to the message body.

  • Protect data without encrypting it.

  • Construct overlapping digital signatures that use different keys.

  • Digitally sign and encrypt data in the sequence that your application dictates.

However, using XML digital signatures and encryption (separately or together) can have security implications. See:

  • XML digital signature security overview

  • XML encryption security overview