WS-Security

Last updated August 18, 2023

Web Services Security (WS-Security, WSS) is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS.

The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as Security Assertion Markup Language (SAML), Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

Features

WS-Security describes three main mechanisms:

How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation.
How to encrypt SOAP messages to assure confidentiality.
How to attach security tokens to ascertain the sender's identity.

The specification allows a variety of signature formats, encryption algorithms and multiple trust domains, and is open to various security token models, such as:

X.509 certificates,
Kerberos tickets,
User ID/Password credentials,
SAML Assertions, and
custom-defined tokens.

The token formats and semantics are defined in the associated profile documents.

WS-Security incorporates security features in the header of a SOAP message, working in the application layer.

These mechanisms by themselves do not provide a complete security solution for Web services. Instead, this specification is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and security technologies. In general, WSS by itself does not provide any guarantee of security. When implementing and using the framework and syntax, it is up to the implementor to ensure that the result is not vulnerable.

Key management, trust bootstrapping, federation and agreement on the technical details (ciphers, formats, algorithms) is outside the scope of WS-Security.

Use cases

End-to-end security

If a SOAP intermediary is required, and the intermediary is not more or less trusted, messages need to be signed and optionally encrypted. This might be the case of an application-level proxy at a network perimeter that will terminate TCP (transmission control protocol) connections.

Non-repudiation

One method for non-repudiation is to write transactions to an audit trail that is subject to specific security safeguards. Digital signatures, which WS-Security supports, provide a more direct and verifiable non-repudiation proof.

Alternative transport bindings

Although almost all SOAP services implement HTTP bindings, in theory other bindings such as JMS or SMTP could be used; in this case end-to-end security would be required.

Reverse proxy/common security token

Even if the web service relies upon transport layer security, it might be required for the service to know about the end user, if the service is relayed by a (HTTP-) reverse proxy. A WSS header could be used to convey the end user's token, vouched for by the reverse proxy.

Issues

If there are frequent message exchanges between service provider and consumer, the overhead of XML SIG and XML ENC are significant. If end-to-end security is required, a protocol like WS-SecureConversation may reduce the overhead. If it's sufficient, use only encryption or signing, as the combination of both is significantly slower than the mere sum of the single operations. See Performance below.
The merging of several XML schemata like SOAP, SAML, XML ENC, XML SIG might cause dependencies on different versions of library functions like canonicalization and parsing, which are difficult to manage in an application server.
If only CBC mode encryption/decryption is applied or if the CBC mode decryption is applied without verifying a secure checksum (signature or MAC) before decryption then the implementation is likely to be vulnerable to padding oracle attacks.^[1]

Performance

WS-Security adds significant overhead to SOAP processing due to the increased size of the message on the wire, XML and cryptographic processing, requiring faster CPUs and more memory and bandwidth.

An evaluation in 2005^[2] measured 25 types of SOAP messages of different size and complexity processed by WSS4J with both WS-Security and WS-SecureConversation on a Pentium 4/2.8 GHz CPU. Some findings were:

Encryption was faster than signing.
Encryption and signing together were 2–7 times slower than signing alone and produced significantly bigger documents.
Depending on the type of message, WS-SecureConversation either made no difference or reduced processing time by half in the best case.
It took less than 10 milliseconds to sign or encrypt up to an array of 100 kilobytes, but it took about 100~200 to perform the security operations for SOAP.

Another benchmark in 2006^[3] resulted in this comparison:

Security mechanism	Messages/second
WS-Security (X.509) XML Signature & Encryption	352
WS-SecureConversation XML Signature & Encryption	798
Transport Layer Security	2918

History

Web services initially relied on the underlying transport security. In fact, most implementations still do^{[ citation needed ]}. As SOAP allows for multiple transport bindings, such as HTTP and SMTP, a SOAP-level security mechanism was needed. The lack of end-to-end security because of the dependence on transport security was another factor.

The protocol was originally developed by IBM, Microsoft, and VeriSign. Their original specification^[4]^[5] was published on 5 April 2002 and was followed up by an addendum^[6] on 18 August 2002.

In 2002, two proposals were submitted to the OASIS WSS Technical Committee:^[7] Web Service Security (WS-Security) and Web Services Security Addendum. As a result, WS-Security was published:

WS-Security 1.0 was released on 19 April 2004.
Version 1.1 was released on 17 February 2006.

The version 1.0 standard published by OASIS contained a number of significant differences to the standard proposed by the IBM, Microsoft and VeriSign consortium. Many systems were developed using the proposed standard and the differences made them incompatible with systems developed to the OASIS standard.

Some refer to the pre-OASIS specification as the "WS-Security Draft 13",^[8] or as the Web Services Security Core Specification. However these names are not widely known and indeed today it is hard to clearly identify whether an application or server is using a pre- or post-OASIS specification. Most forum posts use the keyword "WSSE" to refer to the pre-OASIS version because it mandated the use of a "wsse" XML namespace prefix to the^[9] URL (and similar URLs of different versions).

The protocol is officially called WSS and developed via committee in Oasis-Open.

Associated specifications

The following draft specifications are associated with WS-Security: WS-Federation, WS-Privacy, WS-Test.

The following approved specifications are associated with WS-Security: WS-Policy, WS-SecureConversation, WS-Trust, ID-WSF.

The following architectures make use of WS-Security: TAS3.

Alternative

In point-to-point situations confidentiality and data integrity can also be enforced on Web services through the use of Transport Layer Security (TLS), for example, by sending messages over HTTPS. WS-Security, however, addresses the wider problem of maintaining integrity and confidentiality of messages until after a message is sent from the originating node, providing so-called end to end security.

Applying TLS can significantly reduce the overhead involved by removing the need to encode keys and message signatures into XML before sending. A challenge in using TLS would be if messages needed to go through an application-level proxy server, as it would need to be able to see the request for routing. In such an example, the server would see the request coming from the proxy, not the client; this could be worked around by having the proxy have a copy of the client's key and certificate, or by having a signing certificate trusted by the server, with which it could generate a key/certificate pair matching those of the client. However, as the proxy is not operating on the message, it does not ensure end-to-end security, but only ensures point-to-point security.

Related Research Articles

<span class="mw-page-title-main">SOAP</span> Messaging protocol for web services

SOAP is a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. It uses XML Information Set for its message format, and relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP), although some legacy systems communicate over Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

The Organization for the Advancement of Structured Information Standards is a nonprofit consortium that works on the development, convergence, and adoption of open standards for cybersecurity, blockchain, Internet of things (IoT), emergency management, cloud computing, legal data exchange, energy, content technologies, and other areas.

XML Signature defines an XML syntax for digital signatures and is defined in the W3C recommendation XML Signature Syntax and Processing. Functionally, it has much in common with PKCS #7 but is more extensible and geared towards signing XML documents. It is used by various Web technologies such as SOAP, SAML, and others.

Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. SAML is also:

XML Key Management Specification (XKMS) uses the web services framework to make it easier for developers to secure inter-application communication using public key infrastructure (PKI). XML Key Management Specification is a protocol developed by W3C which describes the distribution and registration of public keys. Services can access an XKMS compliant server in order to receive updated key information for encryption and authentication.

SOA security addresses the issue of combining services in a service-oriented architecture (SOA) in a secure manner. These issues arise as an effect of the main premise of SOA, which is to erase application boundaries and technology differences. Prior to the application of SOA methodologies, security models have traditionally been hardcoded into applications, and when capabilities of an application are opened up for use by other applications, the existing built-in security models may not be good enough.

Apache Axis2 is a web service engine. It is a redesign and re-write of the widely used Apache Axis SOAP stack. Implementations of Axis2 are available in Java and C.

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. SAML is a product of the OASIS (organization) Security Services Technical Committee.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user. SAML 2.0 was ratified as an OASIS Standard in March 2005, replacing SAML 1.1. The critical aspects of SAML 2.0 are covered in detail in the official documents SAMLCore, SAMLBind, SAMLProf, and SAMLMeta.

Web Services Enhancements (WSE) is an obsolete add-on to the Microsoft .NET Framework, which includes a set of classes that implement additional WS-* web service specifications chiefly in areas such as security, reliable messaging, and sending attachments. Web services are business logic components which provide functionality via the Internet using standard protocols such as HTTP. Web services communicate via either SOAP or REST messages. WSE provides extensions to the SOAP protocol and allows the definition of custom security, reliable messaging, policy, etc. Developers can add these capabilities at design time using code or at deployment time through the use of a policy file.

WS-Trust is a WS-* specification and OASIS standard that provides extensions to WS-Security, specifically dealing with the issuing, renewing, and validating of security tokens, as well as with ways to establish, assess the presence of, and broker trust relationships between participants in a secure message exchange.

WS-SecurityPolicy is a web services specification, created by IBM and 12 co-authors, that has become an OASIS standard as of version 1.2. It extends the fundamental security protocols specified by the WS-Security, WS-Trust and WS-SecureConversation by offering mechanisms to represent the capabilities and requirements of web services as policies. Security policy assertions are based on the WS-Policy framework.

WS-SecureConversation is a Web Services specification, created by IBM and others, that works in conjunction with WS-Security, WS-Trust and WS-Policy to allow the creation and sharing of security contexts. Extending the use cases of WS-Security, the purpose of WS-SecureConversation is to establish security contexts for multiple SOAP message exchanges, reducing the overhead of key establishment.

The Microsoft Open Specification Promise is a promise by Microsoft, published in September 2006, to not assert its patents, in certain conditions, against implementations of a certain list of specifications.

AS4 is an open standard for the secure and payload-agnostic exchange of Business-to-business documents using Web services. Secure document exchange is governed by aspects of WS-Security, including XML Encryption and XML Digital Signatures. Payload agnosticism refers to the document type not being tied to any defined SOAP action or operation.

<span class="mw-page-title-main">WebSocket</span> Computer network protocol

WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011. The current API specification allowing web applications to use this protocol is known as WebSockets. It is a living standard maintained by the WHATWG and a successor to The WebSocket API from the W3C.

Electronic Business using eXtensible Markup Language, commonly known as e-business XML, or ebXML as it is typically referred to, is a family of XML based standards sponsored by OASIS and UN/CEFACT whose mission is to provide an open, XML-based infrastructure that enables the global use of electronic business information in an interoperable, secure, and consistent manner by all trading partners.

WS-Security is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS. Closely related to WS-Security is WS-Trust, also a WS-* specification and OASIS standard that provides extensions to WS-Security.

The SAML metadata standard belongs to the family of XML-based standards known as the Security Assertion Markup Language (SAML) published by OASIS in 2005. A SAML metadata document describes a SAML deployment such as a SAML identity provider or a SAML service provider. Deployments share metadata to establish a baseline of trust and interoperability.

References

↑ Sabarnij, Sergej. "Padding Oracle Attacks – breaking theoretical secure cryptosystems in the real world" (PDF). Ruhr Universität Bochum.
↑ "Hongbin Liu, Shrideep Pallickara, Geoffrey Fox: Performance of Web Services Security" (PDF). Archived from the original (PDF) on 24 February 2021. Retrieved 12 January 2010.
↑ Francois Lascelles, Aaron Flint: WS Security Performance. Secure Conversation versus the X509 Profile
↑ Bob Atkinson, et al.: Web Services Security (WS-Security)
↑ Bob Atkinson, et al.: Web Services Security (WS-Security)
↑ Giovanni Della-Libera, Phillip Hallam-Baker Maryann Hondo: Web Services Security Addendum
↑ OASIS Web Services Security TC
↑ Web Services Security: SOAP Message Security – Working Draft 13
↑ schemas.xmlsoap.org

External links

Web Services Security 1.1.1 (Contains links to download specification documents.)
WS-I Basic Security Profile
Web Services Security Documentation
WSS4J (WS-Security Java Implementation from Apache)
Apache Rampart (WS-Security Java Implementation from Apache Axis2)
WSIT Web Services Interoperability Technologies (WSIT) that enable interoperability between the Java platform and Windows Communication Foundation (WCF)
python ws-security example

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Sabarnij, Sergej. "Padding Oracle Attacks – breaking theoretical secure cryptosystems in the real world" (PDF). Ruhr Universität Bochum.

[Lui-2] "Hongbin Liu, Shrideep Pallickara, Geoffrey Fox: Performance of Web Services Security" (PDF). Archived from the original (PDF) on 24 February 2021. Retrieved 12 January 2010.

[3] Francois Lascelles, Aaron Flint: WS Security Performance. Secure Conversation versus the X509 Profile

[Atkinson-4] Bob Atkinson, et al.: Web Services Security (WS-Security)

[Atkinson-alt-5] Bob Atkinson, et al.: Web Services Security (WS-Security)

[Della-Libera-6] Giovanni Della-Libera, Phillip Hallam-Baker Maryann Hondo: Web Services Security Addendum

[wss-tc-7] OASIS Web Services Security TC

[draft13-8] Web Services Security: SOAP Message Security – Working Draft 13

[9] schemas.xmlsoap.org

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]