The Crux of SOAP Encryption
Probe even deeper into .Net's encryption functions for encrypting sensitive parts of a SOAP message
by Dan Wahlin
December 2002 Issue
You can use .Net classes to create a custom Simple Object Access Protocol (SOAP) encryption application to protect sensitive information sent from a client to a Web service (see "Encrypting SOAP Messages in .Net," XML & Web Services Magazine, October/November 2002). The application relies on public and private keys for the encryption and decryption of SOAP messages. It also has built-in capabilities for logging SOAP requests and responses to a file for debugging purposes. Check out the processes that are part of the encryption application (see Figure 1).
Consider these details about the classes within the application:
- A custom PublicKeySoapHeader SOAP header class receives the public key from the client of the Web service and ensures it contains data. By adding this header class into the Web service, the client can pass data easily within a SOAP header using only a few lines of code.
- A custom ParamEncryptionExtensionAttribute SOAP extension attribute class is applied to a Web service method.
- A custom ParamEncryptionExtension SOAP extension class reads data from the SOAP extension attribute class and encrypts the proper parts of the response SOAP message using the public key that the client passed in the SOAP header.
- A Web service proxy class used by the client will include the PublicKeySoapHeader.
We'll focus on the ParamEncryptionExtension class and the client Web service proxy. You'll see how a public key can be generated, sent in a SOAP header, and used to encrypt specific parts of SOAP messages (rather than the entire message).
It's important to note that at the time the October/November 2002 issue's .Net Domain column was written, WS-Security (a collaborative Web service security specification created by Microsoft, IBM, and VeriSign) was simply a document. There was not a concrete set of classes that could be used in .Net to implement WS-Security features such as XML Encryption. With the release of Microsoft's Web Services Development Kit (see Resources), you now have a powerful way to encrypt SOAP messages using a more standards-based approach.
Is the custom SOAP encryption solution presented here a waste of time, then? Certainly not! Although it is recommended that you leverage WS-Security whenever possible in your Web service applications, the more advanced concepts that I'll introduce will help you gain a greater understanding of what goes on behind the scenes with Web services and also teach you a thing or two about how to use cryptography in the .Net platform.
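The flow outlined above (the client generates a key pair, hands over the public key, and the service encrypts only selected parts of the response) can be sketched as follows. This is an added example, not the article's application code: it does not reproduce the PublicKeySoapHeader or ParamEncryptionExtension classes, the response message and the element names `GetAccountResponse`, `Name`, and `CardNumber` are constructed for illustration, and it assumes a current .NET runtime (.NET Core 3.0 or later).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

static class SoapElementEncryptionDemo
{
    // Hypothetical helper: locate the first element with the given name or fail loudly.
    static XmlNode Find(XmlDocument doc, string name) =>
        doc.GetElementsByTagName(name)[0]
        ?? throw new InvalidOperationException("Element not found: " + name);

    // Service side: encrypt one element's text with the public key supplied by the client.
    static void EncryptElement(XmlDocument soap, string name, string publicKeyXml)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.FromXmlString(publicKeyXml);      // imports public parameters only
            XmlNode node = Find(soap, name);
            byte[] cipher = rsa.Encrypt(
                Encoding.UTF8.GetBytes(node.InnerText), RSAEncryptionPadding.OaepSHA256);
            node.InnerText = Convert.ToBase64String(cipher);
        }
    }

    // Client side: decrypt the same element with the private key that never left the client.
    static string DecryptElement(XmlDocument soap, string name, RSA privateKey)
    {
        byte[] cipher = Convert.FromBase64String(Find(soap, name).InnerText);
        byte[] plain = privateKey.Decrypt(cipher, RSAEncryptionPadding.OaepSHA256);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        using (RSA clientKey = RSA.Create(2048))
        {
            string publicKeyXml = clientKey.ToXmlString(false); // false = no private parameters
            var response = new XmlDocument();
            response.LoadXml(                                   // constructed sample response
                "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body>" +
                "<GetAccountResponse><Name>Constructed User</Name>" +
                "<CardNumber>4111111111111111</CardNumber></GetAccountResponse>" +
                "</soap:Body></soap:Envelope>");
            EncryptElement(response, "CardNumber", publicKeyXml);
            Console.WriteLine(response.OuterXml);               // Name readable, CardNumber is Base64
            Console.WriteLine(DecryptElement(response, "CardNumber", clientKey));
        }
    }
}
```

RSA with OAEP-SHA256 and a 2048-bit key can encrypt at most 190 bytes directly, so longer values need a symmetric key that is itself RSA-encrypted. The public key in the request is also unauthenticated in this sketch, so the service encrypts to whatever key it receives unless the request is integrity-protected.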