11 August, 2015

Securing Web Services

9series

Security

Nowadays almost every subsystem has to expose data to, or consume data from, other subsystems, and this traffic usually crosses the firewall or VPN boundary. The peer may be another server, a mobile app, a wearable app, an IoT device or anything else. Exposing data outside the network or cloud firewall is an important decision, and it puts a big responsibility on the organisation to keep that data secure while still making it accessible to the right parties. From the web service (WS) point of view there are three aspects of security: message security, authentication and authorisation. In this article we talk about the first two. Let us look at some thoughts on these aspects.

  • 1. Confidentiality – An approach to make sure all communication remains confidential: only the client and the server should be able to read the message content. There are several approaches, at different levels, to maintain confidentiality.
    • SSL/TLS – TLS encrypts the transport channel, so a network observer sees neither the request nor the response; it protects the connection, not the individual message. Deploying a client certificate and private key on the WS client (mutual TLS) ensures that only authorised clients can complete a call: the client presents its certificate during the TLS handshake (not in the message payload), and the server is configured to refuse any connection whose client certificate is not signed by the expected certificate authority. The only real challenge of this approach is keeping the client's private key secure, especially on a mobile device. There are multiple ways to do that, but that is not the focus of this discussion.
    • Message Encryption – Apart from the de facto TLS approach, the message content itself can be encrypted, and there are several ways to do so depending on the use case and the type of data transported to or received from the server. TLS only protects data in transit between the two TLS endpoints, so message-level encryption matters when the payload must stay confidential across intermediaries such as proxies, queues or logs, or at rest. In most cases, however, TLS with client certificates addresses the need.
  • 2. Authentication – It is very important to authenticate, and then authorise, the users behind requests coming from different machines. A request may be normal day-to-day traffic or part of a brute-force attack, so the service has to be able to tell a rightful, authenticated request from everything else. Here are some approaches, in the abstract, to start with.
    • Basic Authentication – This is the easiest and most fundamental way of securing a web service. The user name and password are put in the HTTP Authorization header with Base64 encoding. Base64 is an encoding, not encryption: anyone who can read the header can decode the credentials instantly, so it is TLS that keeps them from being intercepted. Since the credentials travel with every request, the endpoint should also rate-limit failed attempts to blunt brute-force guessing.
    • OAuth 1.0 or OAuth 1.0a – This is a signature-based protocol. The client signs each request (a cryptographic signature over the HTTP method, URL and request parameters, keyed with the consumer and token secrets; the original specification defines HMAC-SHA1 and RSA-SHA1, and some providers have added SHA-256 variants) and the server recomputes and verifies the signature rather than decrypting anything. The approach is well tested and widely used across the globe. Because each request is authenticated and integrity-protected by its signature, the authentication step no longer depends on SSL the way Basic Authentication does; the signature does not encrypt the request, though, so TLS is still needed for confidentiality. It also comes with the extra processing overhead of generating a nonce and computing a signature for every request, along with added complexity.
    • OAuth 2.0 – The OAuth 2.0 specification leaves many decisions to the implementer. This makes the approach diversified and flexible; how secure it is depends on those implementation choices. Tech pioneers such as Google, Facebook and GitHub have adopted it, and many standard programming frameworks provide built-in OAuth 2.0 support. Strictly speaking OAuth 2.0 is an authorisation framework: the user is authenticated by the authorization server, and a profile such as OpenID Connect adds identity on top of it. In OAuth 2.0 control of authentication resides completely on the server side; nothing is exposed to the client except a couple of parameters, which play no significant role in authentication compared to the earlier approaches. Here are the steps of OAuth 2.0 authentication:
      • Naming Convention – User = Resource Owner, API = Resource Server, Third-Party App = Client, and the component that authenticates the user and issues tokens = Authorization Server. So the process is: the resource owner accesses the resource server through the client.
      • Step 1 – Creating the App – As a one-time process the developer registers the app with the authorization server; only basic information such as name, website and logo needs to be shared, and the registration yields a client ID and a client secret. For custom RESTful development this step can be replaced by pre-provisioned (hard-coded) client credentials, bearing in mind that a secret embedded in a distributed mobile app cannot be kept confidential.
      • Step 2 – Requesting – When the user makes a request, the client redirects the browser to the OAuth 2.0 authorization server (or process), which in turn redirects back to the client's registered redirect URL carrying an authorization code. Both redirections should happen under SSL/TLS, so that the authorization code cannot be read or tampered with in transit and the browser cannot be sent to an impostor authentication URL. The authentication URL is also a natural target for brute-force and denial-of-service attacks, so it needs rate limiting like any other login page.
      • Step 3 – Authenticating – The authorization server verifies a few simple things: the grant type being used (authorization code, or implicit for browser-only sources such as a single-page web app), the user's credentials, and the client credentials (the application's client ID and, where one was issued, its client secret). Which of these parameters are required depends on the grant type; some are optional.
      • Step 4 – Response – Based on the above parameters a response is generated. On success it returns an access token (together with its type and expiry, and optionally a refresh token) that the client presents on subsequent requests for that session; on failure it returns an error rather than a token.
    • Custom Authentication – There are many permutations and combinations of authentication built on the OAuth 1.0a and OAuth 2.0 approaches. We at 9series have observed and created many such authentication mechanisms.
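
The Basic Authentication and OAuth 1.0a items above, as an added example that is not code from the original post: a Basic-auth header parser that shows how trivially the Base64 "protection" is undone, and an RFC 5849 HMAC-SHA1 request signer paired with a server-side verifier that recomputes the signature, compares it in constant time and rejects replays through a timestamp window and a nonce cache. The sample request and credentials are the example values from RFC 5849 section 3.4.1; the in-memory secret dicts, the nonce set and all function and class names are assumptions made for the illustration.

```python
# Added example (not from the original post): Basic-auth header parsing plus
# OAuth 1.0a HMAC-SHA1 signing and verification as specified in RFC 5849.
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit

def parse_basic_auth(header):
    """Return (user, password) from 'Authorization: Basic <base64>'. Base64 is an
    encoding, not a cipher: whoever sees this header recovers the password, so it
    must only ever travel over TLS."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:   # bad base64 (binascii.Error) or non-UTF-8 bytes
        return None
    return user, password

def check_basic_auth(header, expected_user, expected_password):
    creds = parse_basic_auth(header)
    # constant-time compare so response timing does not leak how much matched
    return creds is not None and all(hmac.compare_digest(a.encode(), b.encode())
                                     for a, b in zip(creds, (expected_user, expected_password)))

def oauth_encode(value):
    # RFC 5849 3.6: only A-Z a-z 0-9 - . _ ~ stay literal, all else becomes %XX (uppercase)
    return quote(str(value), safe="-._~")

def base_string_uri(url):
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default) else f"{host}:{port}"
    return f"{scheme}://{netloc}{p.path or '/'}"   # the query string is left out here

def signature_base_string(method, url, oauth_params, body_params=()):
    """RFC 5849 3.4.1: METHOD & enc(base URI) & enc(sorted, encoded parameters)."""
    params = (list(oauth_params.items()) + list(body_params)
              + parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)),
                     oauth_encode(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, oauth_params, body_params, consumer_secret, token_secret=""):
    """Client side: returns the OAuth parameters with oauth_signature filled in."""
    signed = dict(oauth_params, oauth_signature_method="HMAC-SHA1")
    base = signature_base_string(method, url, signed, body_params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed

class OAuth1Verifier:
    """Server side: recompute the signature and refuse replays. Secrets come from
    plain dicts and nonces live in memory (assumed for the example)."""
    def __init__(self, consumer_secrets, token_secrets, window=300, now=time.time):
        self.consumer_secrets, self.token_secrets = consumer_secrets, token_secrets
        self.window, self.now = window, now
        self.seen = set()   # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, oauth_params, body_params=()):
        try:
            key = oauth_params["oauth_consumer_key"]
            consumer_secret = self.consumer_secrets[key]
            token_secret = self.token_secrets.get(oauth_params.get("oauth_token", ""), "")
            ts = int(oauth_params["oauth_timestamp"])
            nonce, presented = oauth_params["oauth_nonce"], oauth_params["oauth_signature"]
        except (KeyError, ValueError):
            return False
        if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if abs(self.now() - ts) > self.window or (key, ts, nonce) in self.seen:
            return False   # stale timestamp, or replay of an already accepted request
        base = signature_base_string(method, url, oauth_params, body_params)
        expected = hmac_sha1_signature(base, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        self.seen.add((key, ts, nonce))
        return True

# Sample request: the example from RFC 5849 section 3.4.1 (constructed test data).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
RFC_BASE_STRING = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
                   "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key"
                   "%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method"
                   "%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")
```

`signature_base_string` reproduces the base string printed in RFC 5849 section 3.4.1.1 for that request, so the signer and verifier agree with any conforming library. The verifier checks the timestamp window and nonce before doing the HMAC, and only records the nonce after the signature matches, so a request with a bad signature cannot poison the replay cache for a legitimate one that reuses the same nonce.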

To conclude the above, we think that SSL/TLS is a fundamental need for any WS communication as far as confidentiality is concerned. OAuth 2.0 is widely used for authentication, but in many cases a custom authentication scheme is still required.
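The four OAuth 2.0 steps listed above, played out as an added example that is not code from the original post: a hypothetical authorization server that registers a client (Step 1), issues a short-lived, single-use authorization code on the redirect (Steps 2 and 3) and exchanges it for a bearer token only when the client secret, the redirect URI and the code's lifetime all check out (Step 4); a client that validates the state parameter on the callback before redeeming the code; and a resource server that answers only to an unexpired bearer token. All class names, URLs and credentials are assumptions, the user is taken as already logged in at the authorization server, and codes and tokens are kept in memory instead of a real store.

```python
# Added example (not from the original post): the four OAuth 2.0 steps above, run by
# an authorization server, a client and a resource server in one process. Class names,
# URLs and credentials are hypothetical; the user is assumed to be already logged in.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

class AuthorizationServer:
    CODE_TTL = 60        # RFC 6749 recommends codes live for at most about 10 minutes
    TOKEN_TTL = 3600

    def __init__(self, now=time.time):
        self.now = now
        self.clients, self.codes, self.tokens = {}, {}, {}   # in-memory stores

    def register_client(self, name, redirect_uri):
        """Step 1: registration yields a client_id and a client_secret."""
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"name": name, "secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, state, user):
        """Steps 2-3: the (already authenticated) resource owner approves the client;
        a short-lived, single-use code bound to client_id and redirect_uri is issued."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": self.now() + self.CODE_TTL}
        # the browser is redirected here; state is echoed back untouched
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: back-channel exchange of the code for a bearer token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
            return None
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if (grant is None or grant["expires"] < self.now() or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            return None
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "client_id": client_id,
                                     "expires": self.now() + self.TOKEN_TTL}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": self.TOKEN_TTL}

    def introspect(self, access_token):
        info = self.tokens.get(access_token)
        return None if info is None or info["expires"] < self.now() else info

class Client:
    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server, self.redirect_uri = auth_server, redirect_uri
        self.client_id, self.client_secret = client_id, client_secret
        self.pending_states = set()

    def start_login(self):
        """Step 2: an unguessable state ties the later callback to this login attempt."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state   # carried in the redirect to the authorization server

    def handle_callback(self, redirect_url):
        """Reject an unknown state (CSRF or forged callback), then exchange the code."""
        query = parse_qs(urlsplit(redirect_url).query)
        state, code = query.get("state", [None])[0], query.get("code", [None])[0]
        if state not in self.pending_states:
            return None
        self.pending_states.discard(state)
        return self.auth_server.token(self.client_id, self.client_secret, code, self.redirect_uri)

class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, authorization_header):
        """The API answers only to a valid, unexpired bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.introspect(token) if scheme == "Bearer" else None
        return (401, None) if info is None else (200, {"user": info["user"]})

def run_flow(now=time.time):
    """Drive one complete login and return what each party ended up with."""
    auth = AuthorizationServer(now=now)
    client_id, client_secret = auth.register_client("Example App", "https://app.example/cb")
    client = Client(auth, client_id, client_secret, "https://app.example/cb")
    api = ResourceServer(auth)
    state = client.start_login()
    redirect = auth.authorize(client_id, "https://app.example/cb", state, user="alice")
    token = client.handle_callback(redirect)
    status, body = api.get_profile(f"Bearer {token['access_token']}")
    code = parse_qs(urlsplit(redirect).query)["code"][0]
    code_reuse = auth.token(client_id, client_secret, code, "https://app.example/cb")
    return {"auth": auth, "client": client, "api": api, "client_id": client_id,
            "client_secret": client_secret, "token": token, "status": status,
            "body": body, "code_reuse": code_reuse}
```

`run_flow()` drives one complete login; the `code_reuse` entry it returns is `None` because the code was popped on first redemption, which is the single-use property that stops a leaked or replayed code from being turned into a second token. In a real deployment the redirect and token endpoints must be served over TLS, since the code and the bearer token are only as secret as the channel they cross.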

We at 9series believe that every use case has its own security needs, because they have to match the organisation's beliefs, thought process, policy and compliance obligations, and its legacy systems. Security should not be so strict that it slows down the process or restricts required access, and at the same time security should never be compromised. It is a combination of several lines of thought: it starts with a common-sense approach, complies with best practices and is backed by the strongest algorithms available.


