13.2. WS-SecureConversation

WS-Security is a simple model for message security. It works well when Web services exchange a small number of messages infrequently. However, WS-Security has two drawbacks when a requester and a Web service engage in a prolonged, multiple-message exchange:

  • Relying on PKI (public-key operations) for every signature and encryption is computationally expensive compared with symmetric-key operations.

  • Signing or encrypting large amounts of data directly with a long-lived public/private key pair is considered "poor form" and diminishes the security of the key. The more material that is protected under a single key, the more an attacker has to work with, and the more is exposed if that key is ever compromised.

WS-SecureConversation addresses both problems by doing for WSS: SOAP Message Security what SSL/TLS does for HTTP over TCP/IP. The endpoints use PKI and WS-Security once, to establish a session-specific set of keys, and then protect the remaining messages of the conversation with those symmetric keys. This makes per-message signing and encryption cheaper and limits the exposure of the long-term keys.

The key concepts in WS-SecureConversation are the Security Context and the Security Context Token (SCT). WS-SecureConversation defines the format and schema for an SCT. It also defines an extended binding of WS-Trust that allows a Security Token Service (STS) to issue and return SCTs. In another model, a Web service requester can itself create an SCT and propagate it to the service with a message.

Each message within a conversation carries the SCT (or a reference to it) in a security header added by the sending party. The SCT contains or implies a shared secret. In the STS model, the requesting Web service obtains the secret from the STS in a RequestSecurityTokenResponse (RSTR) and then forwards the secret, encrypted, to the other service. WS-SecureConversation also documents the algorithm for using the shared secret to derive session keys (a P_SHA-1 based derivation parameterized by a label, a nonce, an offset and a key length) so that the messages exchanged within the conversation can be signed and encrypted with fresh symmetric keys rather than with the long-term keys.
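The derivation described above, as an added example that is not code from the book or from any WS-SecureConversation implementation. It computes derived keys the way a DerivedKeyToken does, P_SHA1(secret, label + nonce) sliced at an offset (a "generation" g is shorthand for offset = g * length), then shows the requester and the service each deriving the same signing key from the shared secret and using it as an HMAC key. The shared secret, nonce, label string and SOAP body are constructed values (the spec defines a default label, which varies by spec version, so the label is passed in explicitly here), and the HMAC over raw bytes stands in for the XML-Signature processing a real WS-Security stack would perform.

```python
"""Derived keys in the style of WS-SecureConversation's DerivedKeyToken.

    derived_key = P_SHA1(secret, label + nonce)[offset : offset + length]

P_SHA1 is the TLS 1.0 style pseudo-random function built from HMAC-SHA1.
Added example; all sample values below are constructed, not taken from a
real exchange.
"""
import hashlib
import hmac
from typing import Optional


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """Expand (secret, seed) into `length` pseudo-random bytes.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output block i is
    HMAC(secret, A(i) + seed). The output is prefix-consistent, so a longer
    request simply extends a shorter one.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, label: bytes, nonce: bytes, length: int,
               offset: int = 0, generation: Optional[int] = None) -> bytes:
    """Derive one session key from the SCT's shared secret.

    `generation` g is equivalent to offset = g * length; when both are given,
    generation wins, mirroring how a DerivedKeyToken is interpreted.
    """
    if generation is not None:
        offset = generation * length
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def sign_body(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA1 over the message body with a derived key (no XML-DSig here)."""
    return hmac.new(key, body, hashlib.sha1).digest()


def verify_body(key: bytes, body: bytes, signature: bytes) -> bool:
    """Constant-time comparison so the check does not leak timing."""
    return hmac.compare_digest(sign_body(key, body), signature)


def demo_conversation() -> dict:
    """Requester and service derive the same keys and exchange a signed message."""
    # Constructed shared secret: in practice it arrives in the RSTR, protected
    # by the one public-key operation of the exchange.
    secret = bytes(range(32))
    nonce = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")   # constructed
    label = b"WS-SecureConversation"                           # constructed label

    # Requester side: separate keys for signing (generation 0) and
    # encryption (generation 1), both 24 bytes long.
    req_sig_key = derive_key(secret, label, nonce, 24, generation=0)
    req_enc_key = derive_key(secret, label, nonce, 24, generation=1)

    # Service side: same SCT material, expressed as explicit offsets.
    svc_sig_key = derive_key(secret, label, nonce, 24, offset=0)
    svc_enc_key = derive_key(secret, label, nonce, 24, offset=24)

    body = b"<soap:Body><Transfer><Amount>100</Amount></Transfer></soap:Body>"
    signature = sign_body(req_sig_key, body)

    tampered = body.replace(b"100", b"900")   # attacker edits the amount in transit
    return {
        "sig_keys_match": req_sig_key == svc_sig_key,
        "enc_keys_match": req_enc_key == svc_enc_key,
        "keys_distinct": req_sig_key != req_enc_key,
        "verified": verify_body(svc_sig_key, body, signature),
        "tampered_verified": verify_body(svc_sig_key, tampered, signature),
    }


if __name__ == "__main__":
    for name, value in demo_conversation().items():
        print(f"{name}: {value}")
```

Both parties must agree on the label, nonce, offset and length; a mismatch in any of them yields an unrelated key and every verification fails, which is why the DerivedKeyToken carries those parameters (but never the secret itself) in the message.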



    Web Services Platform Architecture(c) SOAP, WSDL, WS-Policy, WS-Addressing, WS-BP[. .. ] More
    Year: 2005
    Pages: 176