|This page demonstrates some of the technologies for
secure SOAP transactions. It shows that how SOAP transactions/messages can
be strongly protected through digital signature and encryption.
Authentication: Users of SOAP services can be authenticated in
many different ways including token-based authentication and digest
authentication. Token based authentication requires users to
supply credentials through a secure channel. SOAP servers respond with an auth token which can be used for all subsequent
Digital Signature: Signature is a way of ensuring
integrity of a document. SOAP messages, wholly or in part, are
first digested. The digest is a hash value equivalent to a human fingerprint. The digest,
along with other sensitive data, is then digitally signed using the
senders certificate and then encrypted using the receiver's public
key. Because the signature is encrypted using the
receiver's public key, only the receiver can decrypt it and verify
the signature and message digest. Any tampering during the
transmission will lead to a signature/hash verification failure. XML
Signiture (XML-DSIG) is a W3C recommendation that defines the rules for
digital signature processing and the structure of the XML
Data Encryption: Sensitive data can also be encrypted
using either session keys or public/private key. Even the message
is sent in the clear, the part that is encrypted will be
opaque and difficult to crack. The W3C draft, XML
Encryption, defines the process and format of the encrypted
The form below demonstrates how SQLData SOAP server and client
support XML Signature (XML-DSIG), SOAP Security Extensions (SOAP-DSIG)
and XML Encryption. Both request and response of the following
method are signed and verified by the SOAP client and server. In
addition, the first parameter
(bstrParam1) value is encrypted before sending to server;
and the returned value from the server is also encrypted.
*Choose either Request or Response to
see the corresponding message.
- The sender generates a session key
(either random or derived from a secret).
- Data objects are encrypted using
the session key.
- The key is then encrypted using the
receiver's public key and inserted into the message as the key
- The receiver recovers the encrypted
session key using its private key.
- Data is then decrypted using the
decrypted session key.
Note that the whole process is transparent to both the SOAP
client and the server component. The client continues to add data
into the call as usual; and the server component, the actual
service provider, receives decrypted parameters as inputs. The
SOAP security features are added automatically by a security
component inside the message serializer/deserializer.