Why use WS-Security
Chris Seary Computing Ltd
What is WS-Security
elements within an XML SOAP document held by OASIS ( , describes how the different elements are applied the XML from a basic SOAP method, sent within an HTTP POST.
Now, here is a call to the same method, but this time using WS-Security to add
In this example, you can see the <wsse:UsernameToken> element, which holds the
username and password.
The advantage of using a standard schema for adding security to a message is that this is a format, readable by all compliant systems across the internet. Without a standard format, every web service would have to code to perform these is a standard format, components have been written by manufacturers such as Sun and Microsoft to add security with a minimum of configuration.
Other options for securing communications
There has been a lot of confusion arising from the way that newer web security technologies are described. As WS-Security emerged, developers would often refer to this as application layer security, and more traditional protocols such as IPSec and SSL were referred to as transport layer security.
The TCP/IP stack used for network communications between hosts has a number of
As you can see, the protocol stack already has both an application layer and a transport layer.
These different layers in the protocol stack offer security for confidentiality, authentication and integrity. The two mechanisms traditionally used by developers when architecting secure communications are SSL and IPSec.
SSL is usually implemented by configuring the web service in Internet Information Services (IIS). A certificate, with the subject name matching the web site, is passed to the client. The client then generates a symmetric key, which is sent back to the web server encrypted with the public key from the certificate. Only the web server, with its private key matching the public key of the certificate, can decrypt this symmetric key. The symmetric key is then used for secure communications during the request.
To perform similar authentication to the WS-Security example, the username and password would be passed in the HTTP variables. The web server would authenticate the user against Active Directory.
IPSec uses the Diffie-Hellman key exchange algorithm. Each of the two servers communicating passes key material to contribute to the secure creation of a symmetric key. This key is then used to encrypt specific types of traffic passing between the two servers. Security Associations are created on each server; if there are matching Security Associations on each server, then security is applied.
Some of the processing power required for IPSec encryption can be offloaded onto specially designed Network Interface Cards.
IPSec and SSL are examples of security provided by networking protocols. WS-Security is sometimes called a wire format, as it is the actual message that is directly secured.
Which to use: IPSec, SSL or WS-Security
It’s important to match the security functionality provided by these different technologies to the different security functionality generally required by
If it’s necessary to ensure that data has not been tampered with during transit, then
is used to provide integrity. IPSec, SSL and WS-Security all provide this.
IPSec uses Authentication Headers (AH) mode, which adds a hash of the data to the packet. SSL generates and shares a symmetric key when negotiating the connection, and so no other party can decrypt what is being sent. This means it cannot be altered without the receiving party being aware.
WS-Security can be used to digitally sign either a part or the whole of a message.
All three also provide confidentiality.
IPSec uses Encapsulating Security Payloads to encrypt all data sent with the symmetric key created during the Diffie-Hellman exchange.
SSL, as stated before, securely passes a symmetric key between client and server on every request. This means that each request is encrypted with a unique key.
WS-Security can encrypt the entire contents of the <body> or <header> elements, or both. It is also able to encrypt only part of the message, or just one element. What is the advantage of this?
There are an increasing number of networks using Intrusion Detection Systems (IDS). These systems monitor the type, source and destination of packets moving across the network, inspecting their contents. If an IDS is present, the security architect in charge of the network may not allow traffic to be encrypted by IPSec or SSL, as the traffic cannot be inspected due to encryption. WS-Security gives the benefit of allowing small parts of the data (perhaps name, userid) to be encrypted, leaving the rest of the communication in the clear. This would leave the IDS able to perform its functionality while still giving the necessary level of confidentiality.
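As an added illustration of this point (not from the original piece), a small inspector in the spirit of the IDS described above: it walks a constructed SOAP body in which only the card number is wrapped in an XML Encryption xenc:EncryptedData element, reports which fields remain readable and which are opaque, and flags a message whose encryption covers more than the network policy allows (for instance a whole encrypted Body, which is exactly the case the IDS cannot inspect). The order message, its field names and the CipherValue are constructed placeholders; the xenc namespace is the real W3C one.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: an order in which only the card number is protected with XML Encryption;
# the CipherValue is placeholder text, not real ciphertext.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:xenc="{XENC}">
  <soap:Body>
    <PlaceOrder xmlns="urn:example:orders">
      <Sku>ABC-123</Sku>
      <Quantity>2</Quantity>
      <CardNumber>
        <xenc:EncryptedData Type="{XENC}Content">
          <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </CardNumber>
    </PlaceOrder>
  </soap:Body>
</soap:Envelope>"""

def classify_body(envelope: str) -> dict:
    """Split the SOAP Body into fields an IDS can read and fields hidden by xenc:EncryptedData."""
    clear, encrypted = {}, []

    def walk(elem, path):
        if elem.tag == f"{{{XENC}}}EncryptedData":
            encrypted.append(path or "/")      # path of the field the ciphertext replaces
            return
        here = f"{path}/{elem.tag.split('}')[-1]}"  # strip the namespace for a readable path
        if len(elem) == 0:
            clear[here] = (elem.text or "").strip()
        for child in elem:
            walk(child, here)

    body = ET.fromstring(envelope).find(f"{{{SOAP}}}Body")
    for child in body:
        walk(child, "")
    return {"clear": clear, "encrypted": encrypted}

def inspection_policy_ok(envelope: str, allowed_encrypted: set) -> bool:
    """Network policy: only the listed fields may be opaque; a whole-body or extra encryption fails."""
    return all(p in allowed_encrypted for p in classify_body(envelope)["encrypted"])
```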
Non-repudiation means that someone cannot deny having done something. In this case, if a message has been sent by one party to another (across a network), it may be necessary to hold the originating party to what they have
be the case in a
Digital signatures not only provide integrity, they can provide non-repudiation when PKI certificates are used.
Neither SSL nor IPSec offer this service. However, WS-Security does, allowing you to sign all or just a part of a SOAP message.
Anyone who has had to implement digital signatures will appreciate how easy it is to configure this via web service policy.
IPSec functions at the network layer of the TCP/IP stack, and so it only authenticates hosts, rather than users. When SSL is used with a web server, credentials can be passed, allowing users to be identified. Credentials can also be passed via WS-Security.
IPSec authenticates computers using either Kerberos, certificates or a shared password (the last one is only recommended for testing purposes).
SSL has a richer authentication mechanism: username/password, certificates, digest, Passport, Windows. Each of these authenticates against Active Directory.
WS-Security has all of the authentication mechanisms available to SSL, but the authentication model is pluggable. Custom providers can be written to handle checking of credentials.
What’s the advantage of this? When creating a standard .aspx web site, if one wishes to use a database for holding users, Forms authentication is available. The authentication model can be changed, substituting a custom SQL database for Active Directory. WS-Security and custom providers bring this type of flexibility to web services.
The WSE and WCF implementations allow the ASP.NET membership providers to be used. The SQL database that comes with these providers can be quickly connected to a web service.
The table below gives an overview of the security functionality provided by each of IPSec, SSL and WS-Security.
WS-Security, although it is quite verbose, offers non-repudiation and a customizable authentication model, which the other two technologies do not. It also allows fine-grained security to be applied to individual sections of the SOAP document.
addition of digital signatures or a custom provider
As stated at the beginning of this piece, to get the most out of these tools it’s best to match capabilities to requirements. If you need non-repudiation or fine-grained security, only WS-Security will satisfy your requirements.
WS-Security and WS-Trust are fundamental to WS-Federation, allowing Single Sign-On and Identity Management technologies to exist across the internet.