How to secure a RESTful php web service with SSL/TLS and/or Message level security

I have a RESTful web service written in PHP that uses JSON for communication. Some of the data transmitted is really sensitive (passwords) and I am looking for a way to achieve a reasonable security level for the service. The client is a Silverlight 4 application.

I have been searching for clear information on how to implement SSL/TLS (I assume that client certificate authentication falls in that category?) and message level security, but I cannot find good examples regarding the actual implementation of these security measures in a PHP + JSON web service. I would be very grateful for any information and practical examples. I am aware of the principles, I am just not very experienced with PHP. Currently the only security measure that I have in place is a very basic authentication token system, which upon successful login creates a server side session and supplies the user with an authentication token for any further communication (until the session expires or the user connects from a different IP). I really want to at least secure the sensitive traffic such as passwords.

Finally, what are the security issues that I have to look out for after implementing TLS and maybe message layer security, as in vulnerabilities and exploits?

Thank you in advance.

Kiril asked Jul 05 '11 17:07




2 Answers

Assuming you have HTTPS properly configured using SSL/TLS, your main concern is how to implement authentication for your RESTful service. Since HTTPS will use SSL/TLS to encrypt the communication between client and server, encryption is not something you should worry about. If you need to understand how to properly configure SSL/TLS, read Understanding SSL/TLS.

Best practices for securing a RESTful service are already discussed in RESTful Authentication and Best Practices for securing a REST API / web service.

To summarize, it discusses 3 options:

  • HTTP basic auth over HTTPS
  • Cookies and session management
  • Query Authentication with additional signature parameters.

Another option would be to explore OAuth2 for authentication. If so, you can get a good understanding of OAuth2 in Beginner's Guide to OAuth Part III: Security Architecture.

himanshu answered Oct 22 '22 03:10
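The third option above, query authentication with signature parameters, as an added example in PHP that is not from the answer or any linked article: the client signs method, path, timestamp and the JSON body with a per-user secret, and the server verifies the HMAC in constant time and rejects stale requests. It assumes the secret was issued over HTTPS at login, the server can look it up by user, and client and server clocks are roughly in sync; signing only detects tampering and replay, so TLS is still needed to keep passwords confidential in transit.

```php
<?php
// Added example: HMAC request signing for a PHP + JSON REST service.
// Assumed: $secret is a per-user secret issued over HTTPS at login
// (placeholder value below, not a real key); clocks roughly in sync.
declare(strict_types=1);

const SIGNING_ALGO = 'sha256';
const MAX_CLOCK_SKEW = 300; // seconds a signed request stays acceptable

// Canonical string: every field that must not be altered in flight.
// The body is hashed so the JSON (e.g. a new password) is covered too.
function canonicalString(string $method, string $path, int $timestamp, string $body): string
{
    return implode("\n", [strtoupper($method), $path, (string) $timestamp, hash(SIGNING_ALGO, $body)]);
}

// Client side: compute the signature sent alongside the request.
function signRequest(string $secret, string $method, string $path, int $timestamp, string $body): string
{
    return hash_hmac(SIGNING_ALGO, canonicalString($method, $path, $timestamp, $body), $secret);
}

// Server side: reject requests outside the replay window, then compare
// signatures with hash_equals() to avoid timing side channels.
function verifyRequest(string $secret, string $method, string $path, int $timestamp,
                       string $body, string $signature, int $now): bool
{
    if (abs($now - $timestamp) > MAX_CLOCK_SKEW) {
        return false; // stale or replayed request
    }
    $expected = signRequest($secret, $method, $path, $timestamp, $body);
    return hash_equals($expected, $signature);
}

// Constructed sample exchange: one valid request, one tampered body, one replay.
$secret = 'per-user-secret-issued-over-https'; // placeholder
$body = json_encode(['action' => 'change_password', 'new' => 'hunter2']);
$now = time();
$sig = signRequest($secret, 'POST', '/api/account', $now, $body);

$tampered = json_encode(['action' => 'change_password', 'new' => 'letmein']);
var_dump(verifyRequest($secret, 'POST', '/api/account', $now, $body, $sig, $now));
var_dump(verifyRequest($secret, 'POST', '/api/account', $now, $tampered, $sig, $now));
var_dump(verifyRequest($secret, 'POST', '/api/account', $now, $body, $sig, $now + 600));
```

The three var_dump() calls correspond to an untouched request, a modified body and a request presented 10 minutes late; only the first should verify.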


You should already be using SSL to get the authentication established.

Then you can use the same token you got after authentication as your secret hash to encrypt/decrypt data back and forth for that connection until it becomes invalid.

If systems are properly locked down (internal) you can skip SSL for encrypted data transfer if you need more speed (as long as the original token is generated over SSL, and the system is aware what IP the token is assigned to, etc.).

Aleksey Korzun answered Oct 22 '22 03:10