Comments on: WS-Security versus SOA over SSL http://cosine.org/2007/10/25/wss-vs-ssl/ Life and Ruby and Security Sun, 11 Dec 2011 12:10:10 +0000 hourly 1 http://wordpress.org/?v=3.0.3 By: Cosine Jeremiah http://cosine.org/2007/10/25/wss-vs-ssl/comment-page-1/#comment-404 Cosine Jeremiah Sat, 27 Oct 2007 21:33:21 +0000 http://www.cosine.org/2007/10/25/wss-vs-ssl/#comment-404 It is true one could use WS-Security in a mode that would spare the use of some of the asymmetric encryption, but I think the ideal of doing things with the most stringent security would have both encryption and signing certificates used by both the client and the server. Thus I did not really consider doing it any other way for the purpose of this comparison. The asymmetric encryption used to protect the message is always just to encrypt a symmetric encryption key that is used to encrypt the actual contents of the message, as you said (and like SSL as you also said). Even so, that little bit of asymmetric encryption gets expensive when multiplied by a heavy load of messages. The symmetric encryption computation time, on the other hand, is cake by comparison. Let me know if your understanding is different. It is true one could use WS-Security in a mode that would spare the use of some of the asymmetric encryption, but I think the ideal of doing things with the most stringent security would have both encryption and signing certificates used by both the client and the server. Thus I did not really consider doing it any other way for the purpose of this comparison.

The asymmetric encryption used to protect the message is always just to encrypt a symmetric encryption key that is used to encrypt the actual contents of the message, as you said (and like SSL as you also said). Even so, that little bit of asymmetric encryption gets expensive when multiplied by a heavy load of messages. The symmetric encryption computation time, on the other hand, is cake by comparison.

Let me know if your understanding is different.

]]> By: Ryan http://cosine.org/2007/10/25/wss-vs-ssl/comment-page-1/#comment-352 Ryan Fri, 26 Oct 2007 02:13:04 +0000 http://www.cosine.org/2007/10/25/wss-vs-ssl/#comment-352 Good summary. You do seem to be forgetting or missing one of the modes WS-Security can operate in. "whereas WS-Security needs to perform asymmetric key encryption on each message (one computation for handling encryption and one computation for handling the signature)" While you can't get away from the need for a server certificate, you can use WS-Security without a client certificate, and you often will use symmetric encryption as part of the message. You're right that you'll definitely use asymmetric in the message, but it might be used just for key exchange like SSL. Actually I think this is the more common usage. Of course it's still per message. Good summary. You do seem to be forgetting or missing one of the modes WS-Security can operate in.

“whereas WS-Security needs to perform asymmetric key encryption on each message (one computation for handling encryption and one computation for handling the signature)”

While you can’t get away from the need for a server certificate, you can use WS-Security without a client certificate, and you often will use symmetric encryption as part of the message. You’re right that you’ll definitely use asymmetric in the message, but it might be used just for key exchange like SSL. Actually I think this is the more common usage. Of course it’s still per message.

]]>