Message Level Security in REST Web Services

Submitted by 你说的曾经没有我的故事 on 2019-12-08 05:40:12

Question


I want to implement two-level security in my REST web services.

  1. Transport layer: For point-to-point security (transport layer) I have decided to use HTTPS.

  2. Message layer (end to end): I need the JSON data (very sensitive) to be in encrypted form which can only be decrypted by the intended user.

I need some suggestions on how I can implement this. Are there any web standards, like WS-Security in SOAP, which we can use? I came across JSON Web Encryption (JWE), but I am not sure whether it would suffice for my objective.


Answer 1:


One good approach is that used by Amazon Web Services with their Client-Side Data encryption. The documentation gives a good overview of the way it works, performance characteristics, client-side requirements and implications such as key-management.

AWS Client-Side encryption uses envelope encryption. The data is fast-encrypted using a symmetric cipher, and the meta-data such as the symmetric key and payload details are encrypted using a slower but more secure asymmetric key.

Hope that helps.



Source: https://stackoverflow.com/questions/9869828/message-level-security-in-rest-web-services
