Message-Level Security in REST Web Services

I want to implement two-level security in my REST web services.

  1. Transport layer: for point-to-point security (transport layer) I have decided to use HTTPS.

  2. Message layer (end to end): I need the JSON data (very sensitive) to be in encrypted form which can only be decrypted by the intended user.

I need some suggestions on how I can implement this. Is there any web standard like WS-Security in SOAP which we can use? I came across JSON Web Encryption (JWE), but I am not sure whether it would suffice for my objective.

Dyspepsia answered 26/3, 2012 at 9:40

Why doesn't HTTPS suffice for both needs? – Howell

Using HTTPS, the message is protected only while in transit. Our objective is that the message encryption will be different for every user using the application, and can be decrypted by the intended user only. – Dyspepsia

If you are looking for library suggestions you will need to say what platform you are using and the same for your client(s). Obviously you need to make it easy for your clients, so you need to say what they will be using to reach your service - just a web browser? – Whall

@jowierun If it helps, I will be using Jersey for making my web services and the client(s) would be limited-profile devices, smartphones/PDAs (any platform). But more than a library I am looking for an approach, just as it is done with WS-Security in SOAP. – Dyspepsia

One good approach is that used by Amazon Web Services with their Client-Side Data encryption. The documentation gives a good overview of the way it works, performance characteristics, client-side requirements and implications such as key-management.

AWS client-side encryption uses envelope encryption. The data is encrypted quickly using a symmetric cipher, and the metadata such as the symmetric key and payload details are encrypted using a slower but more secure asymmetric key.

Hope that helps.

Whall answered 28/3, 2012 at 1:56

Thanks for giving me a head start. Key management will be a major challenge in this. Another challenge is the different platforms (iOS, Android, HTML5) from which the REST web services will be invoked, unlike the Java SDK for AWS. Any ideas? – Dyspepsia

Hi shashankaholic, I don't have any suggestions about doing client-side encryption across a range of platforms and languages other than to suggest it is going to be a big task. If you can stick to something coming (like HTML5) as your client-side option then you've greatly simplified your problems. – Whall
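
The envelope scheme the answer describes, as an added example that is not from the original answer, the AWS SDK, or JWE: a Go program using only the standard library. The envelope format (the field names, AES-256-GCM for the data, RSA-OAEP with SHA-256 for the key wrap) and the sample record are assumptions made for illustration, not AWS's actual format. Seal generates a fresh data key per message, encrypts the JSON payload with it, then wraps only that key with the intended user's public key; Open reverses this and rejects both an envelope meant for a different key and one altered in transit. HTTPS still protects each hop; this layer is what keeps the payload readable only by the holder of the private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
)

// Envelope is a constructed wire format (not JWE, not the AWS SDK's): the JSON payload
// under a per-message AES-256-GCM data key, plus that key wrapped with RSA-OAEP.
type Envelope struct {
	EncryptedKey []byte `json:"encrypted_key"` // data key wrapped for one recipient
	Nonce        []byte `json:"nonce"`         // 96-bit GCM nonce, unique per message
	Ciphertext   []byte `json:"ciphertext"`    // AES-GCM output, auth tag appended
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload so that only the holder of the private key matching
// pub can read it. HTTPS then carries only the Envelope, never a key.
func Seal(pub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	// Step 1: fresh random data key, used once, for the fast symmetric part.
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := aead(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, payload, nil)
	// Step 2: wrap only the 32-byte data key with the slow asymmetric cipher.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open unwraps the data key with priv and decrypts; a wrong key or any field
// altered in transit is rejected (the GCM tag no longer verifies).
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.EncryptedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip seals a constructed sample record, serialises the Envelope as the
// JSON a REST response body would carry, parses it back and opens it.
func RoundTrip() (map[string]string, error) {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // the intended user's key pair
	record := map[string]string{"account": "12345", "balance": "9.99"} // constructed sample
	payload, _ := json.Marshal(record)
	env, err := Seal(&recipient.PublicKey, payload)
	if err != nil {
		return nil, err
	}
	body, _ := json.Marshal(env) // the bytes that actually travel over HTTPS
	var received Envelope
	if err := json.Unmarshal(body, &received); err != nil {
		return nil, err
	}
	plain, err := Open(recipient, &received)
	if err != nil {
		return nil, err
	}
	var out map[string]string
	return out, json.Unmarshal(plain, &out)
}

// Misuse: an envelope for another key, and one altered by a single bit, are both rejected.
func Misuse() (wrongKeyRejected, tamperRejected bool) {
	a, _ := rsa.GenerateKey(rand.Reader, 2048)
	b, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal(&a.PublicKey, []byte(`{"x":1}`))
	_, errWrong := Open(b, env)
	env.Ciphertext[0] ^= 0x01
	_, errTamper := Open(a, env)
	return errWrong != nil, errTamper != nil
}
```

The key-management problem raised in the comments is untouched by this code: the server must obtain each user's public key, and the private key must exist only on that user's device. Using GCM rather than a bare block mode also gives integrity, so a body modified in transit fails to open instead of silently decrypting to garbage.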
