網路服務安全之操作模型及其語言設計

Abstract

在這篇論文之中，我們提出了一個操作模型，用來支援網路服務(Web Services)的安全性。這操作模型除了滿足基本的安全需求，包括驗證，機密性，完整性及不可否認性外，它也提供了元素層次加密(element-wise encryption)及以時序為基礎的元素次層數位簽章(temporal-based element-wise digital signature)的安全機制。此外，我們所提出的操作模型支援一個具彈性的金鑰規格大綱，可以用來定義三種不同類型的金鑰，分別為靜態金鑰，動態選擇金鑰，以及採用數位簽章的金鑰。服務請求者可以決定使用金鑰的身份，而不需事先和服務提供者協商。在我們所提出來的操作模型中，設計出二種方法，可以用來減少系統開發與維護的成本：(1)我們定義了一個網路服務安全語言(Web Services Security Language,WSSL)，將網路服務中的服務實作與安全政策的規格分開。(2)藉由為網路服務安全語言設計的應用程式界面(Application Programming Interface, API)來支援我們所提供的操作模型。最後，實作所提出的系統並且量測其效能，以展示其操作模型的可行性。

In this paper, we propose an operational model to support the security of Web services. In addition to satisfying the basic security requirements, including authentication, confidentiality, data integrity, and nonrepudiation, the proposed model supports security mechanisms such as element-wise encryption and temporal-based element-wise digital signatures. Furthermore, the proposed model supports a flexible key specification scheme called explicit key definition, which can be used to define three different types of keys: static keys, dynamically selected keys, and keys applied to digital signatures. The service requester can determine the identity of the keys used without negotiating with the service provider. The proposed operational model is designed to reduce the costs of system development and maintenance in two ways: (1)by separating service implementation and specification of the security policy for Web services, and (2) by using a specially designed application programming interface to support the proposed operational model. The implementation and experimental results demonstrate the feasibility of the proposed system.