近年來網際網路服務(Web Service)技術逐漸被廣泛開發及採用,網際服務提供了以XML為基礎的訊息格式,解決了異質平台溝通及不同應用軟體間整合的問題,而其模組化的結構,也帶來更高的可重用性(Reusability)。 然而,安全性是Web Service成功的必要保證,所以要實現安全之企業級的網路服務,Web Service應該要能滿足以下之安全性基本要求: 1.鑑別性:認證鑑別以確保存取應用程式及資料之人,是經過授權的。 2.機密性:資料在網際網路上傳播時不應該被第三方看到。 3.完整性:雙方必須能夠確定被傳送的資料沒有被篡改。 4.不可否認性:雙方必須能夠確定信息的來源為聲稱者。 透過Web Service模型核心技術之可擴充性,如SOAP、WSDL、SSL傳輸加密、XML數位簽章(XML Digital Signature)以及XML加密(XML Encryption)等基礎技術,允許服務提供者(Service Provider)與服務請求者(Service Requester)開發符合應用程式之安全需求。 本文將分析幾種認證及加密技術,並藉由企業間電子商務活動,如訂單與發票等商業行為,來實作一種安全有效的加解密及數位簽章與認證技術,以實現網路交易之安全性,如鑑別性、機密性、完整性以及不可否認性之要求。 Recently, web service technology is developed and utilized widely. However, the web service security, a significant factor to assure successful web service adoptation, is always overlooked. There are four basic issues must be addressed and satisfied to meet the requirents of web service security: 1. Identification: to authenticate and identify the one who will access web services, or to authorize the application which will interoperate with web services. 2. Confidentiality: the date delivery on the internet would not be explored or intercepted by third party. 3. Integrity: both the transmitter and the receiver must make sure the data on communication is not be tampered. 4. Non-repudiation: both the transmitter and the receiver can recognize that the source of message is the claimer. Based on technogies related to web service security, such as SOAP, WSDL, SSL encryption, XML digital signature, XML encryption, and single sign-on, we build an E-Shop as testbed to fulfill the above issues and demonstrate how to establish a secure service-based application.
