| Article found | Fact |
|---|---|
|
Secure, Reliable, Transacted Web Services [FS03]
|
Some Web service scenarios only involve the short sporadic exchange of a few messages. WS-Security readily supports this model. Other scenarios involve long duration, multi-message conversations between the Web services. WS-Security also supports this model, but the solution is not optimal.

There are two sub-optimal usages of WS-Security in these scenarios:

- Repeated use of computationally expensive cryptographic operations such as public key validation.
- Sending and receiving many messages using the same cryptographic keys, providing more information that allows brute force attacks to "break the code."

For these reasons, protocols like HTTP/S use public keys to perform a simple negotiation that defines conversation specific keys. This key exchange allows more efficient security implementations and also decreases the amount of information encrypted with a specific set of keys. WS-SecureConversation provides similar support for WS-Security. Participants often use WS-Security with public keys to start a "conversation" or "session," and use WS-SecureConversation to agree on session specific keys for signing and encrypting information.
|