
I want to implement two level Security in my REST web services.

  1. Transport layer: for point-to-point security (transport layer) I have decided to use HTTPS.

  2. Message layer (end to end): I need the JSON data (very sensitive) to be in encrypted form which can only be decrypted by the intended user.

I need some suggestions on how I can implement this. Is there any web standard like WS-Security in SOAP which we can use? I came across JSON Web Encryption (JWE), but I am not sure whether it would suffice for my objective.

morten.c
shashankaholic
  • Why doesn't HTTPS suffice for both needs? – Brian Kelly Mar 26 '12 at 12:56
  • Using HTTPS, the message is protected only while in transit. Our objective is that the message encryption will be different for every user using the application, and can be decrypted by the intended user only. – shashankaholic Mar 27 '12 at 05:41
  • If you are looking for library suggestions you will need to say what platform you are using and the same for your client(s). Obviously you need to make it easy for your clients, so you need to say what they will be using to reach your service - just a web browser? – Paul Jowett Mar 27 '12 at 06:54
  • @jowierun If it helps, I will be using Jersey for making my web services and the client(s) would be limited-profile devices, smartphones/PDAs (any platform). But more than a library I am looking for an approach, just as it is done with WS-Security in SOAP. – shashankaholic Mar 27 '12 at 07:19

1 Answer

One good approach is that used by Amazon Web Services with their Client-Side Data encryption. The documentation gives a good overview of the way it works, performance characteristics, client-side requirements and implications such as key-management.

AWS Client-Side encryption uses envelope encryption. The data is fast-encrypted using a symmetric cipher, and the metadata such as the symmetric key and payload details are encrypted using a slower but more secure asymmetric key.

Hope that helps.

Paul Jowett
  • Thanks for giving a head start. Key management will be a major challenge in this. Another challenge is the different platforms (iOS, Android, HTML5) from which the REST web services will be invoked, unlike the Java SDK for AWS. Any ideas? – shashankaholic Mar 28 '12 at 19:08
  • Hi shashankaholic, I don't have any suggestions about doing client-encryption across a range of platforms and languages other than suggest it is going to be a big task. If you can stick to something coming (like HTML5) as your client-side option then you've greatly simplified your problems. – Paul Jowett Mar 29 '12 at 08:30