WS-Security
Encyclopedia
WS-Security is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS.
The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as SAML, Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.
Features
WS-Security describes three main mechanisms:
- How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation.
- How to encrypt SOAP messages to assure confidentiality.
- How to attach security tokens to ascertain the sender's identity.
The specification allows a variety of signature formats, encryption algorithms and multiple trust domains, and is open to various security token models, such as:
- X.509 certificates
- Kerberos tickets
- UserID/Password credentials
- SAML-Assertion
- Custom defined token
The token formats and semantics are defined in the associated profile documents.
WS-Security incorporates security features in the header of a SOAP message, working in the application layer.
These mechanisms by themselves do not provide a complete security solution for Web services. Instead, this specification is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and security technologies. In general, WSS by itself does not provide any guarantee of security. When implementing and using the framework and syntax, it is up to the implementor to ensure that the result is not vulnerable.
Key management, trust bootstrapping, federation and agreement on the technical details (ciphers, formats, algorithms) are outside the scope of WS-Security.
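The "attach security tokens" mechanism and the UserID/Password token model above can be made concrete with a wsse:UsernameToken. The following Python is an added example, not code from the page, the OASIS specification or any WSS implementation such as WSS4J. The namespace URIs, the Type and EncodingType values and the digest formula Base64(SHA-1(nonce + created + password)) are those of the OASIS Username Token Profile 1.0; the password store, the five-minute freshness window and the in-memory nonce cache are assumptions made here. It shows the checks a receiving service needs in addition to the digest itself: refusing PasswordText tokens, bounding the Created timestamp, rejecting replayed nonces and comparing the digest in constant time.

```python
"""wsse:UsernameToken (PasswordDigest form) issued by a client and verified by a
service. Added example, not code from the OASIS specification or any WSS library.
Assumptions: the password store, 5-minute skew window and nonce cache below."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Namespaces and type URIs fixed by SOAP 1.1 and the OASIS WSS 1.0 documents
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST_TYPE = UTP + "#PasswordDigest"
TEXT_TYPE = UTP + "#PasswordText"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, nonce: bytes, created: str) -> str:
    """Client side: a SOAP 1.1 envelope with the token in the wsse:Security header."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" soap:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder></soap:Body>
</soap:Envelope>"""


def verify_username_token(envelope: str, password_store: dict, seen_nonces: set,
                          now: datetime, max_skew: timedelta = timedelta(minutes=5)):
    """Service side. Returns (accepted, reason). Structural and freshness checks come
    first, the digest last, and the nonce is recorded only after a successful check."""
    root = ET.fromstring(envelope)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken"
    username = token.findtext("wsse:Username", default="", namespaces=NS)
    pw_el = token.find("wsse:Password", NS)
    nonce_el = token.find("wsse:Nonce", NS)
    created = token.findtext("wsu:Created", default="", namespaces=NS)
    if pw_el is None or nonce_el is None or not created:
        return False, "incomplete token"
    if pw_el.get("Type") != DIGEST_TYPE:  # refuse PasswordText or untyped passwords
        return False, "only PasswordDigest accepted"
    try:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_el.text or "", validate=True)
    except ValueError:  # binascii.Error from b64decode is a ValueError
        return False, "malformed Created or Nonce"
    if abs(now - created_at) > max_skew:
        return False, "Created outside freshness window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    password = password_store.get(username)
    if password is None:
        return False, "unknown user"
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce)
    return True, "ok"


# Constructed sample data: a fixed "server clock" and one account
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
PASSWORDS = {"alice": "constructed-password"}


def demo() -> list:
    """Accept the genuine token, then reject a replay, a wrong password, a stale
    timestamp and the same token downgraded to PasswordText."""
    seen: set = set()
    good = build_envelope("alice", PASSWORDS["alice"], b"constructed-nonce-01", "2024-05-01T12:00:00Z")
    results = [verify_username_token(good, PASSWORDS, seen, NOW)]
    results.append(verify_username_token(good, PASSWORDS, seen, NOW))
    wrong = build_envelope("alice", "guess", b"constructed-nonce-02", "2024-05-01T12:00:00Z")
    results.append(verify_username_token(wrong, PASSWORDS, seen, NOW))
    stale = build_envelope("alice", PASSWORDS["alice"], b"constructed-nonce-03", "2024-05-01T11:00:00Z")
    results.append(verify_username_token(stale, PASSWORDS, seen, NOW))
    results.append(verify_username_token(good.replace(DIGEST_TYPE, TEXT_TYPE), PASSWORDS, seen, NOW))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note that the digest only proves knowledge of the password; without the freshness and nonce checks a captured token could be presented again, which is why the profile carries wsu:Created and wsse:Nonce and why the service must remember nonces for at least the freshness window.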
Transport Layer Security (without WS-Security)
The typical SOAP use case with a communication between trusted peers (using HTTPS) does not need WS-Security at all. It is described in Alternative below, and reduces complexity and improves performance.
End-to-end security
If a SOAP intermediary is required, and the intermediary is not or less trusted, messages need to be signed and optionally encrypted. This might be the case of an application-level proxy at a network perimeter that terminates TCP connections.
Non-repudiation
The standard method for non-repudiation is to write transactions to an audit trail that is subject to specific security safeguards. However, if the audit trail is not sufficient, digital signatures may provide a better method to enforce non-repudiation. WS-Security can provide this.
Alternative transport bindings
Although almost all SOAP services implement HTTP bindings, in theory other bindings such as JMS (Java Message Service) or SMTP could be used; in this case end-to-end security would be required.
Reverse proxy/common security token
Even if the web service relies upon transport layer security, it might be required for the service to know about the end user, if the service is relayed by an (HTTP) reverse proxy. A WSS header could be used to convey the end user's token, vouched for by the reverse proxy.
Issues
- If there are frequent message exchanges between service provider and consumer, the overhead of XML SIG and XML ENC is significant. If end-to-end security is required, a protocol like WS-SecureConversation may reduce the overhead. If sufficient, use only encryption or signing, as the combination of both is significantly slower than the mere sum of the single operations. See Performance below.
- The merging of several XML schemata like SOAP, SAML, XML ENC and XML SIG might cause dependencies on different versions of library functions, like canonicalization and parsing, that are difficult to manage in an application server.
Performance
WS-Security adds significant overhead to SOAP processing due to the increased size of the message on the wire and the XML and cryptographic processing, requiring faster CPUs and more memory and bandwidth.
An evaluation in 2005 measured 25 types of SOAP messages of different size and complexity processed by WSS4J with both WS-Security and WS-SecureConversation on a Pentium 4/2.8 GHz CPU.
Some findings were:
- Encryption was faster than signing
- Encryption and signing together were 2-7 times slower than signing alone and produced significantly bigger documents.
- Depending on the type of message, WS-SecureConversation either made no difference or reduced processing time by half in the best case.
- It took less than 10 milliseconds to sign or encrypt up to an array of 100 kilobytes, but it took about 100 to 200 to perform the security operations for SOAP.
Another benchmark in 2006 resulted in this comparison:
| Security Mechanism | Messages/second |
|---|---|
| WS-Security (X.509) XML Signature & Encryption | 352 |
| WS-SecureConversation XML Signature & Encryption | 798 |
| Transport Layer Security | 2918 |
History
Web services initially relied on the underlying transport security. In fact, most implementations still do. As SOAP allows for multiple transport bindings, such as HTTP and SMTP, a SOAP-level security mechanism was needed. The lack of end-to-end security because of the dependence on transport security was another factor.
The protocol was originally developed by IBM, Microsoft, and VeriSign. Their original specification was published on April 5, 2002, and was followed up by an addendum on August 18, 2002.
In 2002, two proposals were submitted to the OASIS WSS Technical Committee: Web Service Security (WS-Security) and Web Services Security Addendum. As a result, WS-Security was published:
- WS-Security 1.0 was released on April 19, 2004
- Version 1.1 was released on February 17, 2006
The version 1.0 standard published by OASIS contained a number of significant differences to the standard proposed by the IBM, Microsoft and VeriSign consortium. Many systems were developed using the proposed standard and the differences made them incompatible with systems developed to the OASIS standard.
Some refer to the pre-OASIS specification as the "WS-Security Draft 13", or as the Web Services Security Core Specification. However, these names are not widely known, and indeed today it is hard to clearly identify whether an application or server is using a pre- or post-OASIS specification. Most forum posts use the keyword "WSSE" to refer to the pre-OASIS version because it mandated the use of a "wsse" XML namespace prefix to the URL (and similar URLs of different versions).
The protocol is currently officially called WSS and developed via committee in Oasis-Open.
Associated specifications
The following draft specifications are associated with WS-Security:
- WS-Federation
- WS-Privacy
- WS-Test
The following approved specifications are associated with WS-Security:
- WS-Policy
- WS-SecureConversation
- WS-Trust
- ID-WSF (Identity Web Services Framework)
The following architectures make use of WS-Security:
- TAS3 (Trusted Architecture for Securely Shareable Services)
See also
- .NET Web Services Enhancements
- List of Web service specifications (WS-*)
- SAML
- Web service
- WS-I Basic Security Profile
- X.509
- XACML
- XML Encryption
- XML firewall
Alternative
In point-to-point situations confidentiality and data integrity can also be enforced on Web services through the use of Transport Layer Security (TLS), for example, by sending messages over HTTPS. WS-Security however addresses the wider problem of maintaining integrity and confidentiality of messages until after a message was sent from the originating node, providing so-called end-to-end security.
Applying TLS can significantly reduce the overhead involved by removing the need to encode keys and message signatures into XML before sending. A challenge in using TLS would be if messages needed to go through an application-level proxy server, as it would need to be able to see the request for routing. In such an example, the server would see the request coming from the proxy, not the client; this could be worked around by having the proxy have a copy of the client's key and certificate, or by having a signing certificate trusted by the server, with which it could generate a key/certificate pair matching those of the client. However, as the proxy is operating on the message, it does not ensure end-to-end security, but only ensures point-to-point security.
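The point-to-point versus end-to-end distinction made here, and the less-trusted intermediary case in the End-to-end security paragraph above, can be shown mechanically. The following Python is an added example, not code from the page, the OASIS specifications or WSS4J. As a deliberate simplification it uses an HMAC-SHA256 over the canonicalised soap:Body, carried in a constructed ex:BodyMac element, in place of a real ds:Signature with XML Signature's canonicalisation and key handling; the shared key, the sample envelope and the intermediary behaviour are constructed for the demonstration. What it illustrates does not depend on that simplification: once a proxy terminates TLS it may add routing headers or rewrite the Body, and the next TLS hop shows the receiver nothing of this, whereas a check bound to the Body at the originating node still distinguishes the harmless header change from the altered payload.

```python
"""Message-level integrity across a SOAP intermediary: a simplified stand-in for a
WS-Security signature over soap:Body. Added example, not from the page or any WSS
library. Assumption: HMAC-SHA256 in a constructed <ex:BodyMac> replaces ds:Signature."""
import base64
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
EX = "urn:example:simplified-body-mac"  # constructed namespace for the stand-in element
ORD = "urn:example:orders"              # constructed application namespace
NSMAP = {"soap": SOAP, "wsse": WSSE, "ex": EX, "o": ORD}
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("ex", EX)):
    ET.register_namespace(_prefix, _uri)


def canonical_body(root: ET.Element) -> bytes:
    """Serialise soap:Body and canonicalise it (C14N 2.0 with prefix rewriting), so a hop
    that re-serialises the message with other prefixes does not change the digest."""
    body = root.find("soap:Body", NSMAP)
    if body is None:
        raise ValueError("no soap:Body")
    return ET.canonicalize(ET.tostring(body, encoding="unicode"), rewrite_prefixes=True).encode("utf-8")


def sign_body(envelope_xml: str, key: bytes) -> str:
    """Originating node: MAC the canonical Body and carry it in the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    mac = hmac.new(key, canonical_body(root), "sha256").digest()
    security = ET.SubElement(root.find("soap:Header", NSMAP), f"{{{WSSE}}}Security")
    mac_el = ET.SubElement(security, f"{{{EX}}}BodyMac", Algorithm="hmac-sha256")
    mac_el.text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify_body(envelope_xml: str, key: bytes) -> bool:
    """Final receiver: recompute the MAC over what actually arrived and compare in constant time."""
    root = ET.fromstring(envelope_xml)
    mac_el = root.find("soap:Header/wsse:Security/ex:BodyMac", NSMAP)
    if mac_el is None or mac_el.get("Algorithm") != "hmac-sha256":
        return False
    try:
        presented = base64.b64decode(mac_el.text or "", validate=True)
    except ValueError:
        return False
    expected = hmac.new(key, canonical_body(root), "sha256").digest()
    return hmac.compare_digest(expected, presented)


def intermediary_adds_route(envelope_xml: str) -> str:
    """A legitimate intermediary that only touches the Header (outside the signed scope)."""
    root = ET.fromstring(envelope_xml)
    via = ET.SubElement(root.find("soap:Header", NSMAP), f"{{{EX}}}Via")
    via.text = "proxy-1"
    return ET.tostring(root, encoding="unicode")


def intermediary_rewrites_body(envelope_xml: str) -> str:
    """The less-trusted intermediary from the text: after terminating TLS it alters the
    Body; the TLS session to the next hop carries the altered message as if genuine."""
    root = ET.fromstring(envelope_xml)
    root.find("soap:Body/o:Transfer/o:amount", NSMAP).text = "9999.00"
    return ET.tostring(root, encoding="unicode")


# Constructed sample message and shared key
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header/>
  <soap:Body>
    <Transfer xmlns="{ORD}"><to>ACC-42</to><amount>10.00</amount></Transfer>
  </soap:Body>
</soap:Envelope>"""
KEY = b"constructed-shared-key"


def demo() -> dict:
    """What the final receiver concludes in each case."""
    signed = sign_body(ENVELOPE, KEY)
    return {
        "as sent": verify_body(signed, KEY),
        "header added by proxy": verify_body(intermediary_adds_route(signed), KEY),
        "body altered by proxy": verify_body(intermediary_rewrites_body(signed), KEY),
        "wrong key": verify_body(signed, b"other-key"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The signed scope is the design decision that matters: covering only soap:Body lets intermediaries add their own headers (the SOAP processing model expects this), while anything inside the Body that changes between the originating node and the final receiver is rejected regardless of how many TLS hops it crossed.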
External links
- OASIS Web Services Security TC (Contains links to download specification documents)
- WS-Security Specification (IBM)
- WS-I Basic Security Profile
- Web Services Security Documentation
- Web Service Security Patterns (Microsoft)
- WSS4J (WS-Security Java Implementation from Apache)
- Apache Rampart (WS-Security Java Implementation from Apache Axis2)
- WSIT Web Services Interoperability Technologies (WSIT) that enable interoperability between the Java platform and Windows Communication Foundation (WCF)
- python ws-security example