Standards for Technology in Automotive Retail

 Home -  News Feed 

10.3. Discussions: Web Services Message-Level Security

STAR Web Services Message-Level Security is based on [WS-Security 2004], [WS-Security 2004Addendum], [XMLDSIG] and [XMLEncryption].

10.3.1. Web Services Authentication Options

STAR Web Services provides five options for Identification and Authentication of a message sender at the Message-Level:

  1. Digital Certificate associated with a Digital Signature on the message

  2. Username with Password hash

  3. Username and Password in clear-text over HTTPS

  4. Username with Password encrypted, enabled by out-of-band Digital Certificate

  5. Binary Security Token shared secret

10.3.2. Digital Signature

Digital Signatures applied to a message MUST be in full compliance with [XMLDSIG], [WS-Security 2004 2004] and [WS-Security 2004Addendum]. STAR RECOMMENDS that digital certificates are the basis for signature and that passwords should not be used as the basis for digital signature.

10.3.3. Username/Password Hash

STAR does not define how a message receiver authorizes a Username / Password. If a Username / Password combination is employed, the message MUST be compliant to [WS-Security 2004]. This option is fully described in [WS-Security 2004], in this option the Password is not sent as a part of the message, instead a hash of the password is calculated from:

  • The Password itself

  • A creation timestamp

  • A nonce

10.3.4. Username/Password Clear-text over HTTPS

STAR Web Services Messages may contain Clear-text Username / Passwords if they are transported over HTTPS. In this option, SSL is providing encryption of all data in transit.

Username / Password Encrypted out-of-band Digital Certificates

In this option, the Username is sent as clear-text and password is sent encrypted in accordance with XMLEncryption and [WS-Security 2004]. The digital certificate required to encrypt the Password is exchanged out-of-band between the receiver and the sender. The sender encrypts the Password using the Receiver's public key as the basis of encryption. The receiver decrypts the password using its private key.

10.3.5. Binary Token Shared Secret

In this option, the parties agree to the format of a binary token that serves as a shared secret, this token is exchanged out-of-band between the parties, and is used as the basis for encryption and decryption of the message.

10.3.6. Security Assertion Markup Language (SAML)

Beginning in 2007 STAR will support SAML as an approved message-level security protocol for  the STAR Web Service.  SAML is an XML-based framework for communicating security and identity information between computing entities. SAML promotes interoperability between disparate security systems by providing a common language and semantics for exchanging security details.

There are currently several versions of SAML in wide use and security appliance vendors may support some versions of SAML but not others.  The STAR Web Service implementation of SAML has been designed to be version-neutral to allow for maximum flexibility for those members wishing to implement it.

For detailed SAML implementation information, please refer to the 2007 edition of the STAR Web Services Specifications document.

10.3.7. Web Services Message-Level Privacy with Data Encryption

It is OPTIONAL for a specific message exchange to be encrypted, but if encryption is applied to a message the message format MUST be in full compliance with [XMLEncryption], [WS-Security 2004].