Data Origin Authentication (Hogg, Smith, Chong, Hollander, Kozaczynski, Brader, Delgado, Taylor, Wall, Slater, Imran, Cibraro, Cunningham)
How can a service verify that a message originates from a known sender and that the message has not been tampered with in transit?
Problem
The intermediary processing layers generally required by service compositions can expose sensitive data when security is limited to point-to-point protocols, such as those used with transport-layer security.
Solution
A message can be digitally signed so that the recipient services can verify that it originated from the expected consumer and that it has not been tampered with during transit.
Application
A digital signature algorithm is applied to the message to provide “proof of origin”, allowing sensitive message contents to be protected from tampering. This technology must be supported by both consumer and service.
Impacts
Use of cryptographic techniques can add to performance requirements and the choice of digital signing algorithm can affect the level of security actually achieved.
Principles
Architecture
Composition
In this scenario, the attacker could be attempting to take a valid message and substitute someone else’s credentials, thereby impersonating the other party, or perhaps the attacker is trying to modify an existing message to change the behavior of the service. Either way, when a message is digitally signed, the service can verify the message origin and reject the message if its origin is deemed invalid.
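The service-side check described above, as an added example that is not code from the pattern catalog. Ed25519 is an assumed choice of signature algorithm, and the `Envelope` format, the sender names and the `known` key registry are hypothetical; the signature covers the claimed sender as well as the body, so both a substituted identity and a modified message fail verification.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is a constructed message format for this example.
type Envelope struct {
	Sender    string
	Body      string
	Signature []byte
}

// signedBytes returns the byte string that is signed and verified.
// JSON encoding keeps the sender/body boundary unambiguous.
func signedBytes(e Envelope) []byte {
	b, _ := json.Marshal(struct{ Sender, Body string }{e.Sender, e.Body})
	return b
}

// Sign is run by the consumer with its private key.
func Sign(sender, body string, priv ed25519.PrivateKey) Envelope {
	e := Envelope{Sender: sender, Body: body}
	e.Signature = ed25519.Sign(priv, signedBytes(e))
	return e
}

// Verify is run by the service; known maps sender names to trusted public keys.
func Verify(e Envelope, known map[string]ed25519.PublicKey) error {
	pub, ok := known[e.Sender]
	if !ok {
		return errors.New("unknown sender")
	}
	if !ed25519.Verify(pub, signedBytes(e), e.Signature) {
		return errors.New("invalid signature: altered or not from claimed sender")
	}
	return nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	known := map[string]ed25519.PublicKey{"consumer-a": pubA}
	msg := Sign("consumer-a", `{"transfer":100}`, privA) // constructed sample body
	fmt.Println("intact:", Verify(msg, known))
	msg.Body = `{"transfer":9000}` // changed after signing, e.g. at an intermediary
	fmt.Println("altered:", Verify(msg, known))
}
```

Because verification happens on the message itself rather than on the connection, the result is the same however many intermediaries relayed it.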
Related Patterns in This Catalog
Brokered Authentication, Data Confidentiality, Direct Authentication, Messaging Metadata, Service Agent, Service Messaging, State Messaging
Related Service-Oriented Computing Goals