Welcome!

Microservices Expo Authors: Elizabeth White, Yeshim Deniz, Pat Romanski, AppNeta Blog, Liz McMillan

Related Topics: Microservices Expo

Microservices Expo: Article

WS Security Performance

Secure Conversation versus the X509 Profile

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.

Derived Key Tokens are tokens in a SOAP Security Header that refer to the derived keys. Using the context's shared secret and hints provided by the Derived Key Token element, the message's recipient derives the key used by the requestor either to verify a signature or decrypt parts of the message.

How Derived Key Tokens are used is best understood by looking at Listing #1, which illustrates a SOAP message signed and encrypted as detailed by the WS Secure Conversation specification. Notice how the element Header/Security/SecurityContextToken refers to the pre-established WS Secure Conversation context. Both parties participating in this message know the shared secret associated with the context. Two Derived Key Tokens are declared in the Security header. Both of those Derived Key Tokens refer to the same Security Context Token but the associated derived keys are different as per the derivation Nonces provided. The element Header/Security/Signature/KeyInfo refers to one of the derived keys and the Body/EncryptedData/KeyInfo refers to the other.

Derived Key Tokens Beyond Secure Conversation Contexts
The Derived Key Token mechanism described in WS Secure Conversation relies on a shared secret. This shared secret doesn't have to be in the form of a WS Secure Conversation context key. It can be as simple as a password (think UsernameToken) or a Kerberos ticket (think Kerberos BinarySecurityTokens). Any form of shared secret that can be mapped to a security token can effectively serve as the basis for deriving keys (although for an implementation to interoperate easily one should stick to the derivations defined by standards). For example, the Web Services Security UsernameToken Profile 1.1 specification describes a mechanism where the password associated with a username is used to derive a secret key to protect the integrity or confidentiality of the message content. This has the advantage of not requiring that the context be pre-established.

Another interesting approach to key derivation that avoids the offline establishment of a context is to derive keys on an EncryptedKeyToken. In this case, the requestor makes up a secret, encrypts it, and sends it to the recipient. This generated secret is shared between the requestor and the recipient and only the recipient can decrypt it. Of course, this shared secret alone can't be used for authentication purposes but derived keys based on such a shared secret can still be useful for encrypting a message and signing it for ensuring integrity. The WS Security 1.1 spec also allows subsequent messages to refer to an encrypted key defined in a previous message. Deriving keys based on this previous secret has the advantage of avoiding the expensive operation associated with deciphering a new encrypted key for each message. Of course, any use of EncryptedKeyTokens requires the initiator to know the X509 cert of the recipient to encrypt the initial key.

WS Security Performance
Messages secured on a pre-established WS Secure Conversation are processed by both parties using symmetrical cryptography only. This contrasts with other mechanisms such as the ones described in the X509 Token Profile specification where XML digital signatures are based on an X509 BinarySecurityToken and where encryption is based on a key that is itself encrypted using the recipient's public key. In that case, both signature and encryption operations require using asymmetrical cryptography.

Your CPU will tell you that cryptography is generally expensive and that asymmetrical cryptography is extremely expensive. So it's reasonable to expect WS Secure Conversation-based WS Security to be processed at faster rate than X509-based WS Security. The question is how significant this performance advantage is in a real-world deployment burdened by other overheads such as XML processing.

Secure Conversation vs. X509 Profile Benchmark
As illustrated in Figure 1, an XML gateway is introduced between a number of WS requestors and a WS server. This XML gateway gets security-decorated SOAP requests coming in from clients, deciphers them, and verifies the digital signature. The XML gateway then forwards the request to the back-end Web Service that returns a SOAP response. This response is then secured by the XML gateway (XML encryption and signature) before it's forwarded back to the original requestor. The response security is achieved using the same mechanism used to secure the request.

The WS Security method used for securing these SOAP messages is dictated by a WS Policy document published by the XML gateway. By altering this policy document we can switch between messages secured using Derived Key Tokens associated with a WS Secure Conversation session versus messages secured using an X509 token profile mechanism. The key derivation algorithm used by the XML gateway is the standard PSHA-1 described in the WS Secure Conversation specification.

In this scenario the number of messages per second the gateway was able to process for each of these WS Security mechanisms was measured. Listings 1 and 2 illustrate sample messages processed by the XML gateway for Derived Key Tokens and X509 respectively. Also measured was the number of requests per time unit processed by this same gateway in a case where messages didn't involved WS Security at all and were exchanged through SSL as well as a benchmark measurement taken with no security policy present al all.

On the requestor side, five systems running Apache benchmark were simultaneously sending pre-formatted SOAP requests to the XML gateway inside an isolated network. The gateway was deployed as a single node. On the back-end, an Apache server returned static unsecured SOAP responses. In these tests, all of the WS Security processing was delegated to the gateway, both the requestors and the back-end service were sending hard-coded SOAP messages; this ensures that we focus the bottleneck and isolate the real throughput of the XML gateway with regards to WS Security processing as much as possible.

Benchmark Results
The numbers shown (see Table 1) are for messages processed per second by the single node XML gateway (note that each request and response is processed as separate messages). As you can see, when processing messages secured using WS Secure Conversation, the XML gateway was able to handle as many as 798 messages per second as compared to 352 messages per second for X509-based signatures and encryption. The anticipated performance gain predicted is very significant; the throughput more than doubles for the single XML gateway node.

To provide context the number of messages the same XML gateway processed when security was based purely on transport mechanisms (in this case SSL) was also measured. In that case, the single node XML gateway processed 2,918 messages a second.

Summary
Using a purely symmetric crypto approach to WS Security as is possible with Derived Key Tokens produces a processing performance advantage over WS Security achieved through the X509 profile that relies on public key crypto. This performance gain has the potential to translate into significant throughput gains in a production environment where WS Security processing is involved in a bottleneck. Derived Key Tokens are also a practical approach to WS Security; they can be used in conjunction with a number of different mechanisms such as Kerberos, passwords, and WS Secure Conversations, and they don't need a public key infrastructure.

However, the mechanisms described in the X509 token profile should by no means be regarded as inferior. The public key aspects of the X509 token profile provide functional advantages over WS Security relying exclusively on Derived Key Tokens.

Indeed, the performance advantage provided by signing and encrypting messages using exclusively symmetrical crypto comes at a price. Because the messages are signed with something based on a shared secret, those signatures can't form the basis of non-repudiation. Both parties knowing the shared secret can produce such signatures. Conversely, when message signatures are based on an X509 token, they prove the possession of a private key to which the recipient doesn't have access; the signing party can't claim that the other party forged his or her signature. Obviously, asymmetrical crypto is just one piece of the complicated non-repudiation puzzle, but an essential one nevertheless.

Another advantage of using X509 mechanisms over session-based security is that digital certificates and their associated private keys typically have a longer lifecycle than security contexts such as WS Secure Conversation sessions or Kerberos tickets. The ephemeral nature of security contexts restricts (if not eliminates) the ability to audit a message offline long after it's been processed. Once a session has expired, and the associated shared secret is forgotten, encryption can no longer be undone and signatures become meaningless. On the other hand, messages including signatures and encrypted elements that refer to X509 certificates can be saved for later auditing; they can be decrypted later, their signatures can be verified.

More Stories By Francois Lascelles

As Layer 7’s Chief Architect, Francois Lascelles guides the solutions architecture team and aligns product evolution with field trends. Francois joined Layer 7 in the company’s infancy – contributing as the first developer and designing the foundation of Layer 7’s Gateway technology. Now in a field-facing role, Francois helps enterprise architects apply the latest standards and patterns. Francois is a regular blogger and speaker and is also co-author of Service-Oriented Infrastructure: On-Premise and in the Cloud, published by Prentice Hall. Francois holds a Bachelor of Engineering degree from Ecole Polytechnique de Montreal and a black belt in OAuth. Follow Francois on Twitter: @flascelles

More Stories By Aaron Flint

Over the past 10 years, Aaron Flint has worked, in increasingly senior positions, to ensure quality of enterprise-level server applications. He joined Layer 7 Technologies to lead the QA department early on and has been helping to build and release a quality SecureSpan product line since then.

Comments (2) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
SYS-CON Australia News Desk 04/17/06 12:10:39 PM EDT

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.

SYS-CON India News Desk 04/17/06 11:20:19 AM EDT

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.

@MicroservicesExpo Stories
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
In recent years, containers have taken the world by storm. Companies of all sizes and industries have realized the massive benefits of containers, such as unprecedented mobility, higher hardware utilization, and increased flexibility and agility; however, many containers today are non-persistent. Containers without persistence miss out on many benefits, and in many cases simply pass the responsibility of persistence onto other infrastructure, adding additional complexity.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
Everyone wants to use containers, but monitoring containers is hard. New ephemeral architecture introduces new challenges in how monitoring tools need to monitor and visualize containers, so your team can make sense of everything. In his session at @DevOpsSummit, David Gildeh, co-founder and CEO of Outlyer, will go through the challenges and show there is light at the end of the tunnel if you use the right tools and understand what you need to be monitoring to successfully use containers in your...
The IT industry is undergoing a significant evolution to keep up with cloud application demand. We see this happening as a mindset shift, from traditional IT teams to more well-rounded, cloud-focused job roles. The IT industry has become so cloud-minded that Gartner predicts that by 2020, this cloud shift will impact more than $1 trillion of global IT spending. This shift, however, has left some IT professionals feeling a little anxious about what lies ahead. The good news is that cloud computin...
What if you could build a web application that could support true web-scale traffic without having to ever provision or manage a single server? Sounds magical, and it is! In his session at 20th Cloud Expo, Chris Munns, Senior Developer Advocate for Serverless Applications at Amazon Web Services, will show how to build a serverless website that scales automatically using services like AWS Lambda, Amazon API Gateway, and Amazon S3. We will review several frameworks that can help you build serverle...
The essence of cloud computing is that all consumable IT resources are delivered as services. In his session at 15th Cloud Expo, Yung Chou, Technology Evangelist at Microsoft, demonstrated the concepts and implementations of two important cloud computing deliveries: Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). He discussed from business and technical viewpoints what exactly they are, why we care, how they are different and in what ways, and the strategies for IT to transi...
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership abi...
Thanks to Docker and the DevOps revolution, microservices have emerged as the new way to build and deploy applications — and there are plenty of great reasons to embrace the microservices trend. If you are going to adopt microservices, you also have to understand that microservice architectures have many moving parts. When it comes to incident management, this presents an important difference between microservices and monolithic architectures. More moving parts mean more complexity to monitor an...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
Microservices (μServices) are a fascinating evolution of the Distributed Object Computing (DOC) paradigm. Initial design of DOC attempted to solve the problem of simplifying developing complex distributed applications by applying object-oriented design principles to disparate components operating across networked infrastructure. In this model, DOC “hid” the complexity of making this work from the developer regardless of the deployment architecture through the use of complex frameworks, such as C...
As Enterprise business moves from Monoliths to Microservices, adoption and successful implementations of Microservices become more evident. The goal of Microservices is to improve software delivery speed and increase system safety as scale increases. Documenting hurdles and problems for the use of Microservices will help consultants, architects and specialists to avoid repeating the same mistakes and learn how and when to use (or not use) Microservices at the enterprise level. The circumstance w...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
Without a clear strategy for cost control and an architecture designed with cloud services in mind, costs and operational performance can quickly get out of control. To avoid multiple architectural redesigns requires extensive thought and planning. Boundary (now part of BMC) launched a new public-facing multi-tenant high resolution monitoring service on Amazon AWS two years ago, facing challenges and learning best practices in the early days of the new service.
All organizations that did not originate this moment have a pre-existing culture as well as legacy technology and processes that can be more or less amenable to DevOps implementation. That organizational culture is influenced by the personalities and management styles of Executive Management, the wider culture in which the organization is situated, and the personalities of key team members at all levels of the organization. This culture and entrenched interests usually throw a wrench in the work...
As software becomes more and more complex, we, as software developers, have been splitting up our code into smaller and smaller components. This is also true for the environment in which we run our code: going from bare metal, to VMs to the modern-day Cloud Native world of containers, schedulers and micro services. While we have figured out how to run containerized applications in the cloud using schedulers, we've yet to come up with a good solution to bridge the gap between getting your contain...
TechTarget storage websites are the best online information resource for news, tips and expert advice for the storage, backup and disaster recovery markets. By creating abundant, high-quality editorial content across more than 140 highly targeted technology-specific websites, TechTarget attracts and nurtures communities of technology buyers researching their companies' information technology needs. By understanding these buyers' content consumption behaviors, TechTarget creates the purchase inte...