1. Field of the Invention
The present invention relates to an information security technology, and more particularly, to a message security processing system and method for Web services.
2. Description of the Related Art
Web services technology is widely used to link a client and a server using web standard technologies such as the extensible markup language (XML), the hypertext transfer protocol (HTTP), the simple object access protocol (SOAP), the Web service description language (WSDL), and the universal description, discovery, and integration protocol (UDDI).
In Web services, SOAP is used for exchanging messages. SOAP is an XML-based protocol that supports remote procedure calls (RPC) and messaging over any network protocol, and more particularly over HTTP. Since SOAP is based on XML instead of a binary format, it provides excellent flexibility between platforms, programming languages, and component models.
Since Web services and SOAP are widely applied to application services requiring high security, such as e-commerce transactions, information security technology for Web services is very important. To support message-level security for Web services, the Organization for the Advancement of Structured Information Standards (OASIS) has been standardizing Web services security (WS-Security).
The SOAP message security standard defines standards for authentication, integrity, confidentiality, and non-repudiation of SOAP messages, as well as a standard for exchanging security tokens. To support authentication, integrity, and non-repudiation of SOAP messages, XML Signature, developed by the World Wide Web Consortium (W3C), is extended and applied to the SOAP message security standard; to support confidentiality, XML Encryption, developed by the W3C, is extended and applied to it; and to exchange information such as public keys, various formats of security tokens are defined. To prevent replay attacks, a timestamp function is also added to the SOAP message security standard.
In the SOAP message security standard, a digital signature over the message to be protected is generated using the XML Signature method and stored in an XML element called the security header, which is included in the SOAP header. Ciphertext for a message requiring confidentiality is generated in XML form using the XML Encryption method and stored in the security header element or in the SOAP body. Public key information used to verify the digital signature is stored in a security token element in the security header and transmitted to the destination system. Since a timestamp for the generated SOAP message can also be stored in the SOAP header, an application can detect a replay attack using the timestamp.
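The timestamp-based replay detection described above, as an added example that is not part of the patent or any WS-Security implementation: the sender places a wsu:Timestamp (Created/Expires) in the wsse:Security header, and the receiver rejects envelopes that are future-dated, expired, or identical to one already processed. The namespace URIs are the published WS-Security 1.0 ones; the 300-second lifetime, 60-second clock skew and the envelope-digest cache are assumptions of this example.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

def build_envelope(body_xml, created, ttl_seconds=300):
    """Sender: wrap body_xml in an envelope whose security header carries
    a wsu:Timestamp with Created and Expires (ttl is an assumed value)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created.strftime(FMT)
    expires = created + timedelta(seconds=ttl_seconds)
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires.strftime(FMT)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

class ReplayGuard:
    """Receiver: reject stale, future-dated, or already-seen envelopes.
    Only effective when the Timestamp is covered by the XML Signature;
    prune the digest set once the matching Expires has passed."""
    def __init__(self, max_skew_seconds=60):
        self.skew = timedelta(seconds=max_skew_seconds)
        self.seen = set()

    def check(self, envelope_xml, now):
        root = ET.fromstring(envelope_xml)
        ts = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
        created_s = ts.findtext(f"{{{WSU}}}Created") if ts is not None else None
        expires_s = ts.findtext(f"{{{WSU}}}Expires") if ts is not None else None
        if not created_s or not expires_s:
            return "rejected: missing timestamp"
        parse = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
        if parse(created_s) > now + self.skew:
            return "rejected: created in the future"
        if now > parse(expires_s):
            return "rejected: expired"
        digest = hashlib.sha256(envelope_xml.encode()).hexdigest()
        if digest in self.seen:
            return "rejected: replay"
        self.seen.add(digest)
        return "accepted"
```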
Methods of transmitting messages using SOAP are divided into the SOAP RPC method and the SOAP messaging method. In the SOAP messaging method, the application program itself builds and transmits the SOAP message it intends to send. In the SOAP RPC method, on the other hand, the application program calls a function on a remote server as if it were calling a function on a local server, without directly generating a SOAP message; a SOAP engine transforms the function call into a SOAP message and transmits it to the remote server. The SOAP RPC method is very convenient since the application program does not have to transform the parameters to be transmitted into a SOAP message itself. However, to protect a SOAP message to be transmitted, the application program must access the SOAP message and perform the digital signature and encryption processes on it. Since the application program cannot directly access the SOAP message in the SOAP RPC method, it is difficult to apply a security module to the SOAP RPC method.
Also, to protect a SOAP message, information protection processes such as digital signature, encryption, and timestamp insertion must be combined in various formats and processed according to various options, depending on the needs of the application program, so a general and simple security processing method must be provided.
However, conventional SOAP message security standards clearly specify only the syntax in which security-related information is added to the header of a SOAP message and the processing of that information; they do not state a solution to the problems described above.