How to secure a RESTful php web service with SSL/TLS and/or Message level security
Solution 1
Assuming you have HTTPS properly configured using SSL/TLS your main concern is how to implement authentication for your RESTful service. Since HTTPS will use SSL/TLS to encrypt the communication between client and server encryption is not something you should worry about. If you need to understand how to properly configure SSL/TLS read Understanding SSL/TLS
Best practices for securing RESTful service is already discussed in RESTful Authentication and Best Practices for securing a REST API / web service.
To summarize it discusses 3 options
- HTTP basic auth over HTTPS
- Cookies and session management
- Query Authentication with additional signature parameters.
Another option would be to explore OAuth2 for authentication. If so you can get a good understanding about Oauth2 in Beginner’s Guide to OAuth Part III : Security Architecture
Solution 2
You should already be using SSL to get the authentication established.
Then you can use same token you got after authentication as your secret hash to encrypt/decrypt data back and forth for that connection until it becomes invalid.
If systems are properly locked down (internal) you can skip SSL for encrypted data transfer if you need more speed (as long as original token is generated over SSL, and system is aware what IP the token is assigned to/etc).
Related videos on Youtube
Kiril
Updated on July 10, 2022Comments
-
Kiril almost 2 years
I have a RESTful web service written in php that uses JSON for communication. Some of the data transmitted is really sensitive (passwords) and I am looking for a way to achieve a reasonable security level for the service. The client is a silverlight 4 application.
I have been searching for clear information on how to implement SSL/TLS(I assume that client certificate authentication falls in that category?) and Message level security, but I cannot find good examples regarding the actual implementation of these security measures in a php+json web service. I would be very grateful for any information and practical examples. I am aware of the principles, I am just not very experienced with php. Currently the only security measure that I have in place is a very basic authentication token system, which upon successful login creates a server side session and supplies the user with an authentication token for any further communication(until the session expires or the user connects from a different IP). I really want to at least secure the sensitive traffic such as passwords.
Finally, what are the security issues that I have to look out for after implementing TLS and maybe message layer security, as in vulnerabilities and exploits?
Thank you in advance.
-
Kiril almost 13 yearsHi, this is definitely not too basic, as using SSL is one of the approaches that I'd like to implement. The problem is that I do not know and could not find good information on how to implement the certificate mechanics, both server side in the php web service, and client side properly.
-
Kiril almost 13 yearsThanks for the tip on using the token for encryption/decryption of the data. Could you please point me to an article/tutorial on how to use SSL to get the authentication established and how to encrypt/decrypt the data using the token? I already have the service accepting only SSL connections, but I don't know how to implement the actual certificate validation and usage.
-
Aleksey Korzun almost 13 yearsI don't have any on hand, ideally when dealing with mission critical data you need to send it over secure/encrypted VPN link. If you lack that option in addition to talking to secure server (https) you can have two way hash assigned per client that is used to encrypt/decrypt authentication data (but NEVER send over the link unlike the token) just to keep it a bit more secure.
-
curtisdf almost 13 yearsI see. I'm not sure what to tell you since I haven't had to configure SSL myself before. But I know it depends on what HTTP server you're using (e.g. Apache, Nginx, etc.) and is not directly tied to PHP. Search the web for "ssl tutorial" for your particular HTTP server?