Study On A Simple WEB Service Secure Communication Model

The WEB service technology has progressed rapidly with the widespread of Internet. It inherits existing system framework and implementation technologies and presents an application system integration technology on different platforms, protocols and programming languages. To solve the security issue of WEB service communication, a simple WEB service secure communication module is presented.The client inserts authentication element and anti-replay element in the SOAP messages it sends, and secures them with XML encryption and XML digital signature technology. The server performs authentication, decryption and signature verification on receiving the SOAP messages, and based on the anti-replay element in the message, the server can decide whether the message is from replay attack or not, and handles the message based on the result.The authentication, encryption and digital signature are handled nicely with matured XML security technologies. A new way of replay attack resistance is presented. The client inserts anti-replay element in the SOAP messages it sends, the element has three child elements, namely GUID, ID and maxID. The value of GUID is globally unique, the combination of GUID and ID ensures that identifications for each SOAP message is unique. maxID is the maximum value of ID that applies to current GUID.The server records the anti-replay element data in the SOAP messages it receives, creates and maintains an array for every GUID that it gets from the client. The capacity of the array is the corresponding maxID value, and status of corresponding ID values are recorded in the arrays. The server can judge if an incoming SOAP message is from replay attack or not based on the values of these arrays.The WEB service secure communication model can satisfy the basic requirements of secure communication, and performs replay attack resistance efficiently. The module can be applied in the WEB service applications that requires higher security guarantee. As for the replay attack, the module is easier to implement when compared with traditional timestamp method. And it can greatly reduce the data exchange when compared with traditional challenge and response technology, thus get higher efficiency. It's a WEB service secure communication module that is both simple and efficient.