
WS-Security

 
Luke Murphy
Ranch Hand
Posts: 300
Ok, so WS-Security provides three things:
1. A mechanism for attaching security tokens such as SAML, Kerberos or X.509.
2. A mechanism to sign the XML.
3. A mechanism to encrypt the XML.

However say we only avail of 1 and 2 and don't encrypt the message. When you sign the message you are supposed to have integrity i.e. no one can change it.
So in basic terms what would happen is a hash would be generated for the message and user identity and the "other side" would be able to check the hash and confirm nothing had been tampered with.

However, someone would still be able to actually see the contents of the message - say using a packet sniffer or something.

1. Is this a reasonable understanding?
2. What information is being passed in the token? What's the relevance of it?
3. Is it possible to use the token for something and not have any signing or encryption?
4. I guess the signing is done using public and private keys. And I guess the encryption is also done this way. Can they reuse the keys?
5. I could see why you would not use encryption (reduce message payload for example), however would there ever be a case where you would wish to use encryption and not sign the message? What advantages would this bring?

Thanks
 
Ulf Dittmer
Rancher
Posts: 42969
Ok, so WS-Security provides three things:

5, actually: It also provides username/password authentication, and a security timestamp service.

I guess the signing is done using public and private keys. And I guess the encryption is also done this way. Can they reuse the keys?

Public/private is one way, but it's also possible to use a symmetric encryption with a pre-determined key.

I could see why you would not use encryption (reduce message payload for example) however would there ever be a case where you would wish to use encryption and not sign the message? What advantages would this bring?

I think the majority of WSS applications utilize username/password authentication, but neither encryption nor signing. (I don't think encryption increases message size significantly, by the way.) It's -as always- a question of what am I trying to guard against: which attacker do I fear, and which attack method do I need to be afraid of? For example, packet sniffers are unlikely to be effective outside of my own network, so what does encryption buy me? If I suppose that it does help on my own network, maybe the attacker is so close that he could do more damage in other ways? Definitely something to consider. Signing ... hmm ... unless we're talking about a personal certificate, what is the advantage over username/password, really?

The key questions really are: Who are the potential attackers? How might or could they attack? What damage would be done if they were successful? The answers to these questions should drive security implementation decisions.
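An added example, not from either poster, illustrating the two points above: Luke's "signed but not encrypted" case (the receiver can detect tampering, but a sniffer still reads the body) and Ulf's option of a pre-determined symmetric key. It uses an HMAC over the UsernameToken and Body as a simplified stand-in for WS-Security's XML Signature; the element names, the SHARED_KEY value and the sample transfer body are all constructed for the demo.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed pre-shared symmetric key (Ulf's "pre-determined key" case).
# A real deployment loads this from a key store, never from source.
SHARED_KEY = b"example-pre-shared-key-not-for-production"


def _canonical_body(body_elem):
    """Serialize the Body's children in one fixed form so signer and verifier
    hash identical bytes. Real WS-Security uses XML canonicalization (C14N)."""
    return "".join(ET.tostring(c, encoding="unicode") for c in body_elem)


def _mac(username, body_elem, key):
    data = username.encode() + b"|" + _canonical_body(body_elem).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_signed_envelope(username, body_xml, key=SHARED_KEY):
    """Sign but do not encrypt: the Security header carries a UsernameToken
    and a MAC binding that token to the Body. The Body stays plaintext."""
    env = ET.Element("Envelope")
    sec = ET.SubElement(ET.SubElement(env, "Header"), "Security")
    tok = ET.SubElement(sec, "UsernameToken")
    ET.SubElement(tok, "Username").text = username
    body = ET.SubElement(env, "Body")
    body.append(ET.fromstring(body_xml))
    ET.SubElement(sec, "Signature").text = _mac(username, body, key)
    return ET.tostring(env, encoding="unicode")


def verify_envelope(envelope, key=SHARED_KEY):
    """Recompute the MAC over the received token and Body; True only on a match,
    so any change to the user or the body content is detected."""
    root = ET.fromstring(envelope)
    username = root.findtext("Header/Security/UsernameToken/Username") or ""
    received = root.findtext("Header/Security/Signature") or ""
    expected = _mac(username, root.find("Body"), key)
    return hmac.compare_digest(expected, received)


def visible_body(envelope):
    """What a packet sniffer sees: the unencrypted Body, readable as-is."""
    return _canonical_body(ET.fromstring(envelope).find("Body"))


if __name__ == "__main__":
    msg = build_signed_envelope("alice", "<transfer><amount>100</amount><to>acct-42</to></transfer>")
    print("intact verifies:", verify_envelope(msg))
    print("tampered verifies:", verify_envelope(msg.replace("acct-42", "acct-99")))
    print("sniffer sees:", visible_body(msg))
```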
 
Luke Murphy
Ranch Hand
Posts: 300
Ulf Dittmer wrote:
Ok, so WS-Security provides three things:

5, actually: It also provides username/password authentication, and a security timestamp service.

I guess the signing is done using public and private keys. And I guess the encryption is also done this way. Can they reuse the keys?

Public/private is one way, but it's also possible to use a symmetric encryption with a pre-determined key.

I could see why you would not use encryption (reduce message payload for example) however would there ever be a case where you would wish to use encryption and not sign the message? What advantages would this bring?

I think the majority of WSS applications utilize username/password authentication, but neither encryption nor signing. (I don't think encryption increases message size significantly, by the way.) It's -as always- a question of what am I trying to guard against: which attacker do I fear, and which attack method do I need to be afraid of? For example, packet sniffers are unlikely to be effective outside of my own network, so what does encryption buy me? If I suppose that it does help on my own network, maybe the attacker is so close that he could do more damage in other ways? Definitely something to consider. Signing ... hmm ... unless we're talking about a personal certificate, what is the advantage over username/password, really?

The key questions really are: Who are the potential attackers? How might or could they attack? What damage would be done if they were successful? The answers to these questions should drive security implementation decisions.


Brilliant stuff. How do I follow your posts? They are really good!
 