Web Service Message-Level Security Research

With the Web Service being widely applied in E-commerce and Enterprise Alliance, security issue becomes more and more important. Security issue has become to one of the factors which stunt the development of Web Service. The main objectives of Information security include confidentiality, integrity, authentication, authorization and non-repudiation and so on. Perfect and reliable protections in security area are necessary for the technology of Web Service to be further popularized in E-commece.The transmission security protocols, for example SSL (Secure Socket Layer) and TLS (Transport Layer Security), have been used widely in communication. These protocols can ensure that the Web Service is security in transmission-level. In other words, Transmission-level security protocols ensure the confidentiality of point-to-point exchange. But transmission security protocols didn't provide any safety operation to the contents of the SOAP messages. In order to ensure the security of end-to-end transmition, some security measures, include encryption and digital signature, would be operated on SOAP message. These security measures could strengthen the Integrity, Confidentiality and Non-repudation.At present, many international standardization organizations include the W3C, the OASIS and the WS-I, have started to research the problem about Web Service security. They have put forward some security standards and norms. After carefully and deeply studying these standards and norms, analyzing the security technology, the writer designed and realized the message level security scheme of Web Service in the J2EE environment. In order to make use of the strongpoints of symmetry encryption technology and asymmetry encryption technology, AES algorithm is used for encryption on the content of SOAP message and RSA algorithm is used for encryption on the key of AES. X509 digital certificate is use for signature on SOAP messages, so that, the Integrity and Non-repudation could be ensured. In this paper, the writer adopts the layered method of J2EE framework to design the security scheme. This method strengthened the merits of better security, to be transplanted easily, good haleness and flexibility. This message-level security scheme adopted J2EE Security Framework and integrated several information security technologies. So that, this scheme ensures the Confidentiality, Integrity and Non-repudation of the SOAP exchanging, provided integrated and reliable security safeguard to the Web Service application.