3 Introduction to WS-SecureConversation
Why introduce WS-SecureConversation? Consider the functions of WS-Security:
– message integrity
– message confidentiality
– single message authentication
4 Introduction to WS-SecureConversation
What if senders and receivers need to exchange multiple messages?
5 Introduction to WS-SecureConversation
A Feasible Solution
– Encrypt all messages with a security token issued by a token issuing service.
– Drawback: the size of each message can become a performance bottleneck.
6 Introduction to WS-SecureConversation
A Better Solution – WS-SecureConversation
– Similar to SSL: introduce a security context shared by both ends.
– A SecurityContextToken is applied. Once it has been created, the messages are smaller and can be processed faster by both ends.
7 Introduction to WS-SecureConversation
Goals
– Define how security contexts are established
– Specify how derived keys are computed and passed
Non-Goals
– Define how trust is established or determined: that is done by WS-Trust
13 Establishing Security Context
A security context needs to be created and shared by the communicating parties before being used. How?
1. created by a security token service (STS)
2. created by one of the communicating parties and propagated with a message
3. created through negotiation
14 Way 1: Created by STS
15 Example: wsse:SecurityContextToken, wsse:ReqIssue
16 Example: uuid:......
17 Way 2: Created by One of the Communicating Parties
Process
– The initiator creates a security context token and sends it to the other parties in a message
– The recipient can then choose whether or not to accept the security context token
Application
– This model works when the sender is trusted to always create a new security context token.
18 Way 3: Created through Negotiation
Process
– The initiating party sends a request to the other party
– A is returned.
– Repeat the above 2 steps until a final response containing a and a is received.
Application
– There is a need to negotiate among the participants on the contents of the security context token, such as the shared secret
20 Deriving Keys
Once the context and secret have been established (authenticated), the Derived Keys mechanism can be used to compute a separate derived key for each key usage in the secure context.
Example
– Four keys may be derived so that the two parties can sign and encrypt using separate keys.
21 Deriving Keys
Algorithms
– Using a common secret, parties may define different key derivations to use
– Default: P_SHA-1 function (referred to as wsse:PSHA1)
  P_SHA1 (secret, label + seed)
22 Deriving Keys
The element is used to indicate that the key for a specific security token is generated using the P_SHA-1 function.
Example 2
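The derivation on the preceding slides, worked through as an added Python example (not code from the slides): P_SHA-1 expands the shared secret and label + seed into a key stream, and the four per-usage keys are cut from that stream at consecutive offsets, so both ends compute identical keys from the same secret without it ever being sent. The secret, nonce, the usage names and the offsets are constructed for illustration, and the label value is an assumption.

```python
import hmac
import hashlib


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA-1 pseudo-random function (TLS-style P_hash built on HMAC-SHA1).

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1));
    output = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    truncated to `length` bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # next 20 bytes
    return out[:length]


def derive_key(secret: bytes, label: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Take `length` bytes at byte `offset` of P_SHA1(secret, label + nonce).

    Offset and length let several keys be cut from one key stream without
    re-sharing the secret; the nonce makes each derivation's stream distinct.
    """
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


# Constructed usage names for the four keys the slides mention.
KEY_USAGES = ("initiator_sign", "initiator_encrypt", "recipient_sign", "recipient_encrypt")


def derive_conversation_keys(secret: bytes, label: bytes, nonce: bytes, key_len: int = 16) -> dict:
    """Derive one key per usage, each at its own offset in the same key stream."""
    return {
        usage: derive_key(secret, label, nonce, index * key_len, key_len)
        for index, usage in enumerate(KEY_USAGES)
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    shared_secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    label = b"WS-SecureConversationWS-SecureConversation"  # assumed label value
    nonce = b"constructed-nonce-0001"
    for usage, key in derive_conversation_keys(shared_secret, label, nonce).items():
        print(f"{usage:18s} {key.hex()}")
```

Because the stream is deterministic in (secret, label, nonce), a fresh nonce per derivation is what keeps a reused context from producing the same keys twice.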
30 Primary References
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-secureconversation.asp
– Official specification describing WS-SecureConversation
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wssecdrill.asp
– A good reference that explains how to use Web Services Enhancements 2.0 to implement security, trust, and secure conversations in a Web services architecture.
31 Secondary References
http://www.microsoft.com/downloads/details.aspx?FamilyId=21FB9B9A-C5F6-4C95-87B7-FC7AB49B3EDD&displaylang=en
– The WSE 2.0 technology preview provides early access to new advanced Web services capabilities.
– The latest advanced Web services capabilities to keep pace with the evolving Web services protocol specifications.