WS-SecureConversation
Vidya Iyer
3/11/06
Web services
SecureConversation
- End-to-end security
- Leverages SSL and Kerberos
- Leverages XMLENC and XMLDSIG
- Establishes contexts for convenient multi-message communication
- Initial overhead to establish a context, then faster communication
Terms
- Security Token: security-related information (e.g. an X.509 cert, a Kerberos ticket, a username)
- Security Context: established authenticated state and its related keys
- Security Context Token: URI representation of a Security Context
Creating Secure Contexts
Changing contexts
- Amending, renewing and cancelling contexts
- Requester sends the Amend URI http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Amend and proof of possession of the key
- Recipients authenticate the request and update their context
- Same for Renew and Cancel
Deriving keys
- Common to use security contexts to agree on pseudorandom generators that derive keys
- Uses the DerivedKeyToken syntax
- Syntax is agnostic to the key derivation scheme
- No need to send key material
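Added example, not part of the slides: how requester and recipient each recompute a derived key from the shared context secret, and what a DerivedKeyToken carries instead of key bytes. The P_SHA1 derivation and the default label are the ones the WS-SecureConversation specification names (the slides leave the scheme open); the namespaces, the secret and the nonce below are assumed or constructed sample values.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSC_NS = "http://schemas.xmlsoap.org/ws/2005/02/sc"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
P_SHA1_ALG = WSC_NS + "/dk/p_sha1"
DEFAULT_LABEL = b"WS-SecureConversation"  # assumed spec default when no Label is sent


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion (RFC 2246): HMAC_SHA1(secret, A(i) + seed)
    concatenated, with A(0) = seed and A(i) = HMAC_SHA1(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(context_secret: bytes, nonce: bytes, offset: int = 0,
               length: int = 32, label: bytes = DEFAULT_LABEL) -> bytes:
    """Key a DerivedKeyToken refers to: bytes [offset, offset+length) of
    P_SHA1(secret, label + nonce). Both parties already hold the secret."""
    if length <= 0 or offset < 0:
        raise ValueError("offset must be >= 0 and length > 0")
    stream = p_sha1(context_secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def derived_key_token(sct_id: str, nonce: bytes, offset: int = 0,
                      length: int = 32) -> str:
    """Serialize the wsc:DerivedKeyToken the requester sends: a reference
    to the security context token plus nonce/offset/length, no key bytes."""
    dkt = ET.Element(f"{{{WSC_NS}}}DerivedKeyToken", Algorithm=P_SHA1_ALG)
    ref = ET.SubElement(dkt, f"{{{WSSE_NS}}}SecurityTokenReference")
    ET.SubElement(ref, f"{{{WSSE_NS}}}Reference", URI="#" + sct_id)
    ET.SubElement(dkt, f"{{{WSC_NS}}}Offset").text = str(offset)
    ET.SubElement(dkt, f"{{{WSC_NS}}}Length").text = str(length)
    ET.SubElement(dkt, f"{{{WSC_NS}}}Nonce").text = base64.b64encode(nonce).decode()
    return ET.tostring(dkt, encoding="unicode")


# Constructed sample values: the secret both parties hold once the context
# is established, and a per-key nonce chosen by the requester.
SAMPLE_SECRET = bytes(range(32))
SAMPLE_NONCE = b"\x10" * 16
```

The recipient parses Nonce, Offset and Length from the token and calls derive_key with its own copy of the context secret, arriving at the same key without any key material having crossed the wire.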
Benefits over SSL
- End-to-end security
- XML aware
- Selective encryption
- Easier to nullify existing contexts
Questions?