WS Security Performance

Secure Conversation versus the X509 Profile

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.

Derived Key Tokens are tokens in a SOAP Security Header that refer to the derived keys. Using the context's shared secret and hints provided by the Derived Key Token element, the message's recipient derives the key used by the requestor either to verify a signature or decrypt parts of the message.

How Derived Key Tokens are used is best understood by looking at Listing 1, which illustrates a SOAP message signed and encrypted as detailed by the WS Secure Conversation specification. Notice how the element Header/Security/SecurityContextToken refers to the pre-established WS Secure Conversation context. Both parties participating in this message know the shared secret associated with the context. Two Derived Key Tokens are declared in the Security header. Both of those Derived Key Tokens refer to the same Security Context Token, but the associated derived keys are different as per the derivation Nonces provided. The element Header/Security/Signature/KeyInfo refers to one of the derived keys and the Body/EncryptedData/KeyInfo refers to the other.
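The derivation the article describes here (and names later as PSHA-1), worked through as an added example that is not the article's own code or Layer 7's implementation: a recipient holding the context secret walks each wsc:DerivedKeyToken in a Security header and recomputes the key it designates as P_SHA1(secret, label + nonce) sliced at the token's Offset/Length. The header, the context secret and the token ids are constructed sample values, and the XML is a minimal stand-in for the Listing 1 layout rather than a copy of it.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces of the header elements used below (WSS 1.0 secext/utility, WS-SC 2005/02).
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",
}
DEFAULT_LABEL = b"WS-SecureConversation"   # used when the token carries no <wsc:Label>


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 (RFC 2246 section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output is HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ... cut to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha1(secret, a)
        out += hmac_sha1(secret, a + seed)
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, length: int,
               offset: int = 0, label: bytes = DEFAULT_LABEL) -> bytes:
    """The key a DerivedKeyToken designates: bytes [offset, offset+length)
    of P_SHA1(secret, label + nonce)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def keys_from_header(secret: bytes, header_xml: str) -> dict:
    """Re-derive, as the recipient does, the key behind every wsc:DerivedKeyToken
    in a Security header; the result is keyed by the token's wsu:Id."""
    keys = {}
    for tok in ET.fromstring(header_xml).iter("{%s}DerivedKeyToken" % NS["wsc"]):
        nonce = base64.b64decode(tok.find("wsc:Nonce", NS).text)
        length = int(tok.find("wsc:Length", NS).text)
        off = tok.find("wsc:Offset", NS)
        lab = tok.find("wsc:Label", NS)
        keys[tok.get("{%s}Id" % NS["wsu"])] = derive_key(
            secret, nonce, length,
            offset=int(off.text) if off is not None else 0,
            label=lab.text.encode() if lab is not None else DEFAULT_LABEL)
    return keys


# Constructed sample header: one SecurityContextToken and two DerivedKeyTokens that
# both point at it but carry different nonces. The context secret never appears on the wire.
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:wsc="{wsc}">
  <wsc:SecurityContextToken wsu:Id="sct"><wsc:Identifier>urn:example:ctx:1</wsc:Identifier></wsc:SecurityContextToken>
  <wsc:DerivedKeyToken wsu:Id="dk-sig">
    <wsse:SecurityTokenReference><wsse:Reference URI="#sct"/></wsse:SecurityTokenReference>
    <wsc:Offset>0</wsc:Offset><wsc:Length>20</wsc:Length>
    <wsc:Nonce>MDEyMzQ1Njc4OWFiY2RlZg==</wsc:Nonce>
  </wsc:DerivedKeyToken>
  <wsc:DerivedKeyToken wsu:Id="dk-enc">
    <wsse:SecurityTokenReference><wsse:Reference URI="#sct"/></wsse:SecurityTokenReference>
    <wsc:Offset>0</wsc:Offset><wsc:Length>16</wsc:Length>
    <wsc:Nonce>ZmVkY2JhOTg3NjU0MzIxMA==</wsc:Nonce>
  </wsc:DerivedKeyToken>
</wsse:Security>""".format(**NS)

if __name__ == "__main__":
    secret = b"constructed-context-secret"   # in practice established via the RST/RSTR exchange
    keys = keys_from_header(secret, SAMPLE_HEADER)
    for token_id, key in keys.items():
        print(token_id, key.hex())
    # Same context, different nonces: the signature key and the encryption key differ.
    assert keys["dk-sig"] != keys["dk-enc"]
```

Both keys are reproducible by anyone holding the context secret, which is exactly why the article's later point about non-repudiation applies to them.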

Derived Key Tokens Beyond Secure Conversation Contexts
The Derived Key Token mechanism described in WS Secure Conversation relies on a shared secret. This shared secret doesn't have to be in the form of a WS Secure Conversation context key. It can be as simple as a password (think UsernameToken) or a Kerberos ticket (think Kerberos BinarySecurityTokens). Any form of shared secret that can be mapped to a security token can effectively serve as the basis for deriving keys (although for an implementation to interoperate easily one should stick to the derivations defined by standards). For example, the Web Services Security UsernameToken Profile 1.1 specification describes a mechanism where the password associated with a username is used to derive a secret key to protect the integrity or confidentiality of the message content. This has the advantage of not requiring that the context be pre-established.

Another interesting approach to key derivation that avoids the offline establishment of a context is to derive keys on an EncryptedKeyToken. In this case, the requestor makes up a secret, encrypts it, and sends it to the recipient. This generated secret is shared between the requestor and the recipient and only the recipient can decrypt it. Of course, this shared secret alone can't be used for authentication purposes but derived keys based on such a shared secret can still be useful for encrypting a message and signing it for ensuring integrity. The WS Security 1.1 spec also allows subsequent messages to refer to an encrypted key defined in a previous message. Deriving keys based on this previous secret has the advantage of avoiding the expensive operation associated with deciphering a new encrypted key for each message. Of course, any use of EncryptedKeyTokens requires the initiator to know the X509 cert of the recipient to encrypt the initial key.

WS Security Performance
Messages secured on a pre-established WS Secure Conversation are processed by both parties using symmetrical cryptography only. This contrasts with other mechanisms such as the ones described in the X509 Token Profile specification where XML digital signatures are based on an X509 BinarySecurityToken and where encryption is based on a key that is itself encrypted using the recipient's public key. In that case, both signature and encryption operations require using asymmetrical cryptography.

Your CPU will tell you that cryptography is generally expensive and that asymmetrical cryptography is extremely expensive. So it's reasonable to expect WS Secure Conversation-based WS Security to be processed at a faster rate than X509-based WS Security. The question is how significant this performance advantage is in a real-world deployment burdened by other overheads such as XML processing.

Secure Conversation vs. X509 Profile Benchmark
As illustrated in Figure 1, an XML gateway is introduced between a number of WS requestors and a WS server. This XML gateway gets security-decorated SOAP requests coming in from clients, deciphers them, and verifies the digital signature. The XML gateway then forwards the request to the back-end Web Service that returns a SOAP response. This response is then secured by the XML gateway (XML encryption and signature) before it's forwarded back to the original requestor. The response security is achieved using the same mechanism used to secure the request.

The WS Security method used for securing these SOAP messages is dictated by a WS Policy document published by the XML gateway. By altering this policy document we can switch between messages secured using Derived Key Tokens associated with a WS Secure Conversation session versus messages secured using an X509 token profile mechanism. The key derivation algorithm used by the XML gateway is the standard PSHA-1 described in the WS Secure Conversation specification.

In this scenario the number of messages per second the gateway was able to process for each of these WS Security mechanisms was measured. Listings 1 and 2 illustrate sample messages processed by the XML gateway for Derived Key Tokens and X509 respectively. Also measured was the number of requests per time unit processed by this same gateway in a case where messages didn't involve WS Security at all and were exchanged through SSL, as well as a benchmark measurement taken with no security policy present at all.

On the requestor side, five systems running Apache benchmark were simultaneously sending pre-formatted SOAP requests to the XML gateway inside an isolated network. The gateway was deployed as a single node. On the back-end, an Apache server returned static unsecured SOAP responses. In these tests, all of the WS Security processing was delegated to the gateway; both the requestors and the back-end service were sending hard-coded SOAP messages. This keeps the gateway as the only bottleneck and isolates, as much as possible, its real throughput with regard to WS Security processing.

Benchmark Results
The numbers shown (see Table 1) are for messages processed per second by the single node XML gateway (note that each request and response is processed as a separate message). As you can see, when processing messages secured using WS Secure Conversation, the XML gateway was able to handle as many as 798 messages per second as compared to 352 messages per second for X509-based signatures and encryption. The anticipated performance gain is very significant; the throughput more than doubles for the single XML gateway node.

To provide context, the number of messages the same XML gateway processed when security was based purely on transport mechanisms (in this case SSL) was also measured. In that case, the single node XML gateway processed 2,918 messages a second.

Summary
Using a purely symmetric crypto approach to WS Security, as is possible with Derived Key Tokens, produces a processing performance advantage over WS Security achieved through the X509 profile, which relies on public key crypto. This performance gain has the potential to translate into significant throughput gains in a production environment where WS Security processing is the bottleneck. Derived Key Tokens are also a practical approach to WS Security; they can be used in conjunction with a number of different mechanisms such as Kerberos, passwords, and WS Secure Conversations, and they don't need a public key infrastructure.

However, the mechanisms described in the X509 token profile should by no means be regarded as inferior. The public key aspects of the X509 token profile provide functional advantages over WS Security relying exclusively on Derived Key Tokens.

Indeed, the performance advantage provided by signing and encrypting messages using exclusively symmetrical crypto comes at a price. Because the messages are signed with something based on a shared secret, those signatures can't form the basis of non-repudiation. Both parties knowing the shared secret can produce such signatures. Conversely, when message signatures are based on an X509 token, they prove the possession of a private key to which the recipient doesn't have access; the signing party can't claim that the other party forged his or her signature. Obviously, asymmetrical crypto is just one piece of the complicated non-repudiation puzzle, but an essential one nevertheless.

Another advantage of using X509 mechanisms over session-based security is that digital certificates and their associated private keys typically have a longer lifecycle than security contexts such as WS Secure Conversation sessions or Kerberos tickets. The ephemeral nature of security contexts restricts (if not eliminates) the ability to audit a message offline long after it's been processed. Once a session has expired, and the associated shared secret is forgotten, encryption can no longer be undone and signatures become meaningless. On the other hand, messages including signatures and encrypted elements that refer to X509 certificates can be saved for later auditing; they can be decrypted later, their signatures can be verified.

More Stories By Francois Lascelles

As Layer 7’s Chief Architect, Francois Lascelles guides the solutions architecture team and aligns product evolution with field trends. Francois joined Layer 7 in the company’s infancy – contributing as the first developer and designing the foundation of Layer 7’s Gateway technology. Now in a field-facing role, Francois helps enterprise architects apply the latest standards and patterns. Francois is a regular blogger and speaker and is also co-author of Service-Oriented Infrastructure: On-Premise and in the Cloud, published by Prentice Hall. Francois holds a Bachelor of Engineering degree from Ecole Polytechnique de Montreal and a black belt in OAuth. Follow Francois on Twitter: @flascelles

More Stories By Aaron Flint

Over the past 10 years, Aaron Flint has worked, in increasingly senior positions, to ensure quality of enterprise-level server applications. He joined Layer 7 Technologies to lead the QA department early on and has been helping to build and release a quality SecureSpan product line since then.
