Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

REST APIs and message level security

I need to implement message level security in a REST API and have some concerns and questions. I found the answer here: Message Level Security in Rest Web services

only partially helpful.

We currently support standard SSL transport security and several authentication methods including:

  • Basic http auth (required by some network equipment services that talk to our API's)
  • HMAC with pre-shared secrete key in both SHA1 and SHA256 flavors.
  • Client identity certs sent @ the TLS level.
  • SAML 2.0

Why we need message level security because:

  • Customer industries include health care, financial and government, among others, and they often frown on SSL only.
  • Need to guarantee end to end security. Through reverse proxies, SSL accelerators, etc...
  • Some data passed through the services will include very sensitive data.
  • Need to have a good answer for customers that insist that SOAP's WS-* security standards are "Enterprise strength" web services and REST APIs are not.

My initial thought is to use an PKCS#7 envelope, as an option, if client applications understand how to process enveloped responses.

I want client applications to tell the API that they want a secured response or tell the API that the message they are POSTing or PUTing is secured.

My real question is, should this be communicated through a media type? E.g.:

  • Content-Type: application/vnd.resourcetype1+json+pkcs7
  • Content-Type: txt/csv+pkcs7

i don't want to loose information on the media type that is enveloped.

It gets complicated as in some cases the signature is enough. Others require encryption as well. The term "pkcs7" is vague as to how the envelope is constructed.

I want the client and server to tell each other the type of content they are sending and the type of content they understand through standard HTTP headers.

like image 257
user1758003 Avatar asked Oct 19 '12 02:10

user1758003


People also ask

Does REST API have security?

REST APIs use HTTP and support Transport Layer Security (TLS) encryption. TLS is a standard that keeps an internet connection private and checks that the data sent between two systems (a server and a server, or a server and a client) is encrypted and unmodified.

How does REST API handle security?

Use HTTPS/TLS for REST APIs HTTPS and Transport Layer Security (TLS) offer a secured protocol to transfer encrypted data between web browsers and servers. Apart from other forms of information, HTTPS also helps to protect authentication credentials in transit.

What is Level 3 REST API?

Level 3 - Hypermedia Controls. This level is the one that everyone falls down on. There are two parts to this: content negotiation and HATEOAS. Content negotiation is focused on different representations of a particular resource, and HATEOAS is about the discoverability of actions on a resource.


1 Answers

Of course, it is up to you how to define your API, there is no right or wrong way, however S/MIME is a very well understood message format, well suited to the internet. As is PGP/MIME if your prefer a de-centralised trust hierarchy. Since these are well understood formats, it will allow clients to adopt existing libraries to process these message bodies.

If you are adament you do not want to use a multi-part response, you may want to take a look at the Content-Encoding header, besides just Content-Type. You could then specify the signature/encryption format as a custom encoding type.

There are significant benefits to using HTTP as an application protocol and not just a transport protocol, but you seem to understand that already. Be sure you set and parse the Accept* headers correctly, including q-values. Beware of things such as the default of q=1 meaning equal (not descending) preference, and q=0.

like image 146
Nicholas Shanks Avatar answered Sep 19 '22 15:09

Nicholas Shanks