The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.

Derived Key Tokens are tokens in a SOAP Security Header that refer to the derived keys. Using the context's shared secret and hints provided by the Derived Key Token element, the message's recipient derives the key used by the requestor either to verify a signature or decrypt parts of the message.

How Derived Key Tokens are used is best understood by looking at Listing #1, which illustrates a SOAP message signed and encrypted as detailed by the WS Secure Conversation specification. Notice how the element Header/Security/SecurityContextToken refers to the pre-established WS Secure Conversation context. Both parties participating in this message know the shared secret associated with the context. Two Derived Key Tokens are declared in the Security header. Both of those Derived Key Tokens refer to the same Security Context Token but the associated derived keys are different as per the derivation Nonces provided. The element Header/Security/Signature/KeyInfo refers to one of the derived keys and the Body/EncryptedData/KeyInfo refers to the other.

Derived Key Tokens Beyond Secure Conversation Contexts
The Derived Key Token mechanism described in WS Secure Conversation relies on a shared secret. This shared secret doesn't have to be in the form of a WS Secure Conversation context key. It can be as simple as a password (think UsernameToken) or a Kerberos ticket (think Kerberos BinarySecurityTokens). Any form of shared secret that can be mapped to a security token can effectively serve as the basis for deriving keys (although for an implementation to interoperate easily one should stick to the derivations defined by standards). For example, the Web Services Security UsernameToken Profile 1.1 specification describes a mechanism where the password associated with a username is used to derive a secret key to protect the integrity or confidentiality of the message content. This has the advantage of not requiring that the context be pre-established.

Another interesting approach to key derivation that avoids the offline establishment of a context is to derive keys on an EncryptedKeyToken. In this case, the requestor makes up a secret, encrypts it, and sends it to the recipient. This generated secret is shared between the requestor and the recipient and only the recipient can decrypt it. Of course, this shared secret alone can't be used for authentication purposes but derived keys based on such a shared secret can still be useful for encrypting a message and signing it for ensuring integrity. The WS Security 1.1 spec also allows subsequent messages to refer to an encrypted key defined in a previous message. Deriving keys based on this previous secret has the advantage of avoiding the expensive operation associated with deciphering a new encrypted key for each message. Of course, any use of EncryptedKeyTokens requires the initiator to know the X509 cert of the recipient to encrypt the initial key.

WS Security Performance
Messages secured on a pre-established WS Secure Conversation are processed by both parties using symmetrical cryptography only. This contrasts with other mechanisms such as the ones described in the X509 Token Profile specification where XML digital signatures are based on an X509 BinarySecurityToken and where encryption is based on a key that is itself encrypted using the recipient's public key. In that case, both signature and encryption operations require using asymmetrical cryptography.

Your CPU will tell you that cryptography is generally expensive and that asymmetrical cryptography is extremely expensive. So it's reasonable to expect WS Secure Conversation-based WS Security to be processed at faster rate than X509-based WS Security. The question is how significant this performance advantage is in a real-world deployment burdened by other overheads such as XML processing.

Secure Conversation vs. X509 Profile Benchmark
As illustrated in Figure 1, an XML gateway is introduced between a number of WS requestors and a WS server. This XML gateway gets security-decorated SOAP requests coming in from clients, deciphers them, and verifies the digital signature. The XML gateway then forwards the request to the back-end Web Service that returns a SOAP response. This response is then secured by the XML gateway (XML encryption and signature) before it's forwarded back to the original requestor. The response security is achieved using the same mechanism used to secure the request.

The WS Security method used for securing these SOAP messages is dictated by a WS Policy document published by the XML gateway. By altering this policy document we can switch between messages secured using Derived Key Tokens associated with a WS Secure Conversation session versus messages secured using an X509 token profile mechanism. The key derivation algorithm used by the XML gateway is the standard PSHA-1 described in the WS Secure Conversation specification.

In this scenario the number of messages per second the gateway was able to process for each of these WS Security mechanisms was measured. Listings 1 and 2 illustrate sample messages processed by the XML gateway for Derived Key Tokens and X509 respectively. Also measured was the number of requests per time unit processed by this same gateway in a case where messages didn't involved WS Security at all and were exchanged through SSL as well as a benchmark measurement taken with no security policy present al all.

On the requestor side, five systems running Apache benchmark were simultaneously sending pre-formatted SOAP requests to the XML gateway inside an isolated network. The gateway was deployed as a single node. On the back-end, an Apache server returned static unsecured SOAP responses. In these tests, all of the WS Security processing was delegated to the gateway, both the requestors and the back-end service were sending hard-coded SOAP messages; this ensures that we focus the bottleneck and isolate the real throughput of the XML gateway with regards to WS Security processing as much as possible.

Benchmark Results
The numbers shown (see Table 1) are for messages processed per second by the single node XML gateway (note that each request and response is processed as separate messages). As you can see, when processing messages secured using WS Secure Conversation, the XML gateway was able to handle as many as 798 messages per second as compared to 352 messages per second for X509-based signatures and encryption. The anticipated performance gain predicted is very significant; the throughput more than doubles for the single XML gateway node.

To provide context the number of messages the same XML gateway processed when security was based purely on transport mechanisms (in this case SSL) was also measured. In that case, the single node XML gateway processed 2,918 messages a second.

Summary
Using a purely symmetric crypto approach to WS Security as is possible with Derived Key Tokens produces a processing performance advantage over WS Security achieved through the X509 profile that relies on public key crypto. This performance gain has the potential to translate into significant throughput gains in a production environment where WS Security processing is involved in a bottleneck. Derived Key Tokens are also a practical approach to WS Security; they can be used in conjunction with a number of different mechanisms such as Kerberos, passwords, and WS Secure Conversations, and they don't need a public key infrastructure.

However, the mechanisms described in the X509 token profile should by no means be regarded as inferior. The public key aspects of the X509 token profile provide functional advantages over WS Security relying exclusively on Derived Key Tokens.

Indeed, the performance advantage provided by signing and encrypting messages using exclusively symmetrical crypto comes at a price. Because the messages are signed with something based on a shared secret, those signatures can't form the basis of non-repudiation. Both parties knowing the shared secret can produce such signatures. Conversely, when message signatures are based on an X509 token, they prove the possession of a private key to which the recipient doesn't have access; the signing party can't claim that the other party forged his or her signature. Obviously, asymmetrical crypto is just one piece of the complicated non-repudiation puzzle, but an essential one nevertheless.

Another advantage of using X509 mechanisms over session-based security is that digital certificates and their associated private keys typically have a longer lifecycle than security contexts such as WS Secure Conversation sessions or Kerberos tickets. The ephemeral nature of security contexts restricts (if not eliminates) the ability to audit a message offline long after it's been processed. Once a session has expired, and the associated shared secret is forgotten, encryption can no longer be undone and signatures become meaningless. On the other hand, messages including signatures and encrypted elements that refer to X509 certificates can be saved for later auditing; they can be decrypted later, their signatures can be verified.