Message Level Security in Rest Web services
-
26-05-2021 - |
質問
I want to implement two level Security in my REST web services.
Transport layer For point-to-point security (transport layer) i have decided to use HTTPS.
Message layer (end to end) I need the json data(very sensitive) to be in encrypted form which can only be decrypted by intended user.
I need some suggestions how i can implement this? IS there any web standards like WS-Security in SOAP which we can use. I came across JSON Web Encryption (JWE), but not sure would it suffice my objective.
解決
One good approach is that used by Amazon Web Services with their Client-Side Data encryption. The documentation gives a good overview of the way it works, performance characteristics, client-side requirements and implications such as key-management.
AWS Client-Side encryption uses envelope encryption. They data is fast-encrypted using symmetric cipher and the meta-data such as the symmetric key and payload details are encrypted using a slower but more secure assymetric key.
Hope that helps.