Confidentiality in Web Services Security

Confidentiality, in relation to Web services security, is necessary to provide protection against the interception of sensitive information and transactions. The method of protection against this type of information theft is known as encryption.

The purpose of encryption in Web services security is to make the data inaccessible or incomprehensible while it is in transit, ensuring the confidentiality of the transmission.

The implementation process for XML encryption using WebSphere® Application Server Toolkit is described in detail in the encryption wizard task referenced below in the related links section. After you complete the steps in this wizard, information is encrypted before it is sent over the Web service and decrypted when it arrives at the appropriate destination. The encrypted information can be accessed only with the proper key, which ensures that only the intended party can read the transmission.

The following examples are common forms of confidentiality security:

 

Security risks of Web services with no confidentiality

Without confidentiality protection, attackers can eavesdrop on the transmission, intercept SOAP messages, and read all of the information they contain. Classified information and transactions are frequently transmitted using Web services, so it is important to secure the transmission so that this type of eavesdropping by unauthorized parties is prevented.
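
As an added illustration (not from the original page and not IBM tooling), the following Python check classifies a captured SOAP 1.1 message by whether its Body travels as W3C XML Encryption `EncryptedData` or as readable XML. The function name, the three result labels and the sample messages are constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
XENC = "http://www.w3.org/2001/04/xmlenc#"          # W3C XML Encryption namespace

def body_confidentiality(soap_xml: str) -> str:
    """Classify a SOAP 1.1 message as 'encrypted', 'partial' or 'cleartext'."""
    envelope = ET.fromstring(soap_xml)
    body = envelope.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no SOAP 1.1 Body element found")
    children = list(body)
    encrypted = [c for c in children if c.tag == f"{{{XENC}}}EncryptedData"]
    # Fully protected: every child of Body is EncryptedData carrying CipherData.
    if children and len(encrypted) == len(children) and all(
            c.find(f"{{{XENC}}}CipherData") is not None for c in encrypted):
        return "encrypted"
    # Encrypted fragments under readable wrappers still expose element names
    # and any sibling values to an eavesdropper.
    if body.find(f".//{{{XENC}}}EncryptedData") is not None:
        return "partial"
    return "cleartext"  # includes an empty Body: nothing is protected

def _envelope(inner: str) -> str:
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:xenc="{XENC}">'
            f"<soapenv:Body>{inner}</soapenv:Body></soapenv:Envelope>")

# Constructed sample messages; the CipherValue is a placeholder, not real ciphertext.
_ENC = ("<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>"
        "Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>")
CLEARTEXT = _envelope("<transfer><account>EXAMPLE-0001</account>"
                      "<amount>100.00</amount></transfer>")
PARTIAL = _envelope("<transfer><account>EXAMPLE-0001</account>"
                    f"<amount>{_ENC}</amount></transfer>")
ENCRYPTED = _envelope(_ENC)

if __name__ == "__main__":
    for name, msg in [("cleartext", CLEARTEXT), ("partial", PARTIAL),
                      ("encrypted", ENCRYPTED)]:
        print(name, "->", body_confidentiality(msg))
```

A "partial" result is worth reviewing in a test capture: the encrypted field is unreadable, but the operation name and the account value beside it are still visible on the wire.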

 

Related concepts

Authentication in Web services security

Integrity in Web services security

SOAP messages

Web services