Tuesday, September 27, 2011

WS-Security

WS-Security (Web Services Security, short WSS) is a flexible and feature-rich extension to SOAP to apply security to web services.
WS-Security describes three main mechanisms:
  • How to sign SOAP messages to assure integrity.
  • How to encrypt SOAP messages to assure confidentiality.
  • How to attach security tokens to ascertain the sender's identity.
The specification allows a variety of signature formats, encryption algorithms and multiple trust domains, and is open to various security token models, such as:
  • X.509 certificates
  • Kerberos tickets
  • UserID/Password credentials
  • SAML assertions
  • Custom-defined tokens


WS-Security incorporates security features in the header of a SOAP message, working in the application layer.
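The token mechanism described above, shown as an added example that is not part of the original post and not taken from any WS-Security implementation: a Python script builds the wsse:Security header carrying a UsernameToken whose password is sent as the digest defined by the WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)), and a receiver-side routine recomputes that digest and rejects stale or replayed tokens. The function names, the "Ping" body and the sample credentials are my own assumptions; the namespace URIs are the standard ones.

```python
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces for SOAP 1.1 and the WS-Security 1.0 UsernameToken Profile.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_username_token(user: str, password: str, created: str, nonce: bytes = b"") -> str:
    """Sender side: SOAP envelope whose wsse:Security header carries a digest UsernameToken."""
    nonce = nonce or secrets.token_bytes(16)  # fresh per message; the receiver uses it to spot replays
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "Ping")  # placeholder payload (assumed)
    return ET.tostring(env, encoding="unicode")

def verify_username_token(envelope: str, passwords: dict, seen: set, now: str, max_age_s: int = 300) -> bool:
    """Receiver side: recompute the digest; reject unknown users, stale timestamps and replayed nonces."""
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return False
    user, created = tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSU}}}Created")
    nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
    pw = tok.find(f"{{{WSSE}}}Password")
    if user not in passwords or not created or pw is None or pw.get("Type") != DIGEST:
        return False  # cleartext PasswordText tokens are deliberately not accepted here
    age = (_utc(now) - _utc(created)).total_seconds()
    if not 0 <= age <= max_age_s or nonce in seen:
        return False  # outside the freshness window, or a nonce that was already honoured
    if not secrets.compare_digest(password_digest(nonce, created, passwords[user]), pw.text or ""):
        return False
    seen.add(nonce)  # record the nonce only after the digest checks out
    return True

def _utc(ts: str) -> datetime:
    """Parse the xs:dateTime form used by wsu:Created (trailing 'Z' for UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))
```

The receiver keeps `seen` across requests for at least `max_age_s`; in a real deployment the password lookup would come from a credential store rather than a dict.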


Transport Layer Security (Without WS-Security)

The typical SOAP use case, communication between trusted peers over HTTPS, does not need WS-Security at all. This alternative reduces complexity and improves performance.


End-to-end security

If a SOAP intermediary is required, and the intermediary is untrusted or only partially trusted, messages need to be signed and optionally encrypted. This might be the case for an application-level proxy at the network perimeter that terminates TCP connections.

Non-Repudiation

The standard method for non-repudiation is to write transactions to an audit trail that is subject to specific security safeguards. However, if the audit trail is not sufficient, digital signatures may provide a better method to enforce non-repudiation. WS-Security can provide this.


Performance

WS-Security adds significant overhead to SOAP-processing due to the increased size of the message on the wire, XML and cryptographic processing, requiring faster CPUs and more memory and bandwidth.
An evaluation in 2005 measured 25 types of SOAP messages of different size and complexity processed by WSS4J with both WS-Security and WS-SecureConversation on a Pentium 4/2.8 GHz CPU. Some findings were:
  • Encryption was faster than signing
  • Encryption and signing together were 2-7 times slower than signing alone and produced significantly bigger documents.
  • Depending on the type of message, WS-SecureConversation either made no difference or reduced processing time by half in the best case.
  • It took less than 10 milliseconds to sign or encrypt an array of up to 100 kilobytes, but about 100 to 200 milliseconds to perform the same security operations on SOAP messages.
Another benchmark in 2006 resulted in this comparison:

Security Mechanism                                  Messages/second
WS-Security (X.509) XML Signature & Encryption      352
WS-SecureConversation XML Signature & Encryption    798
Transport Layer Security
