An Overview and Evaluation of Web Services Security Performance Optimizations
Total Page:16
File Type:pdf, Size:1020Kb
2008 IEEE International Conference on Web Services An Overview and Evaluation of Web Services Security Performance Optimizations Robert A. van Engelen and Wei Zhang Department of Computer Science, Florida State University, Tallahassee, FL32306 {engelen,wzhang}@cs.fsu.edu Abstract simple services architectures requiring secure messaging, e.g. when two parties communicate over HTTPS, secur- WS-Security is an essential component of the Web ser- ing service-oriented architectures involving many interme- vices protocol stack. WS-Security provides end-to-end se- diary processing nodes poses the problem of an untrusted curity properties (integrity, confidentiality, and authentica- “man-in-the-middle” node. All intermediary nodes must be tion) through open XML standards. End-to-end message trusted to work with TLS, requiring more elaborate key ex- security assures the participation of non-secure transport change mechanisms. Furthermore, TLS requires negotia- intermediaries in message exchanges, which is a key ad- tion via handshake, thereby significantly complicating one- vantage for Web-based systems and service-oriented archi- way message exchange patterns and connectionless mes- tectures. However, point-to-point message security based sage exchanges. For example, Web services may be bound on TLS (Transport Layer Security) is known to significantly to non-HTTP transport layer protocols such as FTP and outperform WS-Security. In this paper we analyze the over- SMTP. head of the WS-Security protocol processing stages and Several authors conducted performance evaluation stud- evaluate existing and new techniques for WS-Security sig- ies of WS-Security. In [3] and also [6] the authors compare nature performance optimizations to speed up end-to-end the performance of WS-Security operations and choices message integrity assurance and authentication. of signature and encryption algorithms to non-secure mes- sages using various message sizes and complexities. In [5] the authors compare the performance of Web Services, WS- 1. Introduction Security, RMI and EMI-SSL extensively. Also in [14] a comparison is made of security mechanisms based on WS-Security, specifically for Grid services. These studies Web Services Security (WS-Security) [11] is an essen- conclude that WS-Security message processing is slow, as tial component of the Web services protocol stack to pro- much as a factor of 100 slower compared to non-secured vide end-to-end integrity, confidentiality, and authentication SOAP/XML messaging. capabilities to Web services. End-to-end message security assures the participation of non-secure transport intermedi- It should be noted that the previously-published results aries in message exchanges, which is a key advantage for assumed worst-case scenarios. Furthermore, the prior work Web systems and service-oriented architectures. does not consider combinations of WS-Security optimiza- WS-Security is based on open W3C-approved XML tions. In this paper we analyze, compare, and combine opti- standards, XML Encryption [22] and XML Signature [23]. mization techniques. We also present a new message digest- These standards are platform neutral, thus promoting in- based caching strategy to further improve WS-Security per- teroperability. As a tradeoff, WS-Security introduces sig- formance. Thus, we study the performance impact of exist- nificant overhead to SOAP/XML-based messaging due to ing and new optimizations in various combinations to gain a the inherent cost of cryptographic operations on XML mes- better understanding of the performance issues and the over- sages and separate message parts requiring XML document all impact of optimizations. Our experimental results show parsing, (re)formatting, and conversion [3, 5, 6]. that specific combinations of optimizations can achieve a By contrast, point-to-point security protocols, such as four-fold increase in speed for WS-Security signatures algo- TLS (Transport Layer Security) [10, 21], are fast but pro- rithms. However, these results also show that TLS remains vide limited security options for Web services. While an order of magnitude more efficient compared to the best the point-to-point limitation is not always detrimental for WS-Security optimization. 978-0-7695-3310-0/08 $25.00 © 2008 IEEE 137 DOI 10.1109/ICWS.2008.102 The remainder of this paper is organized as follows. Sec- Algorithm 1: Digest-based object caching tion 2 gives an overview of existing techniques for WS- Input: XML DS-signed XML message Security performance optimization and presents a message Output: Deserialized objects or signed XML processing error begin digest-based caching strategy to further improve the per- Verify ds:SignatureValue of ds:SignedInfo with the corresponding formance of WS-Security message integrity processing. A HMAC key, or DSA/RSA public keys; if signature is valid then performance evaluation of the optimizations is given in Sec- foreach ds:Reference containing a URI, digest method DM, tion 3. Section 4 summarizes our findings. digest value DV, and URI-referenced element E in the message do if URI is a UUID and DM=SHA1 then Search ID=URI in data store or cache; 2. An Overview of WS-Security Optimizations if ID found with record (ID,HA,Object) and DV=HA then Replace E with deserialized Object; This section describes implementation techniques and else practical usage strategies to optimize WS-Security. Because Compute HA=SHA1(E); if DV6=HA then there is currently no published XML encryption optimiza- fail(); tion for WS-Security, the main focus of the following is on else signature processing. Some of the optimizations are appli- Object = deserialize(E); Add (ID,HA,Object) to data store/cache; cable to encryption, such as the choice of security tokens. end end 2.1. The Choice of Security Tokens else Compute HA=DM(E); if DV6=HA then In [9] the authors study the impact of the Kerberos to- fail(); else ken profile impact on WS-Security performance. The Ker- Object = deserialize(E); beros token profile method increases the packet throughput end by 28% compared to the PKI X.509 token profile under full end end CPU load. While this is impressive, WS-Security message else encryption and signing with HMAC keys can be an order fail(); of magnitude faster compared to RSA/DSA keys, assuming end the X.509 token profile is used. Significant performance end gains can be realized by using keys that incur low overhead, such as HMAC symmetric keys. The performance impact of HMAC versus DSA and RSA algorithms is analyzed and deserialization phase in Web services. The DDS technique discussed in Section 3. exploits similarities between incoming SOAP/XML mes- The obvious disadvantage of HMAC is that symmetric sages to limit deserialization to objects/values that are dif- keys require the establishment of a shared secret. To ad- ferent within a single message and/or across multiple mes- dress this problem, well-established key exchange meth- sages. This is accomplished by comparing checksums of ods should be used to provide a secure mechanism for mu- parts of the inbound message against a cache of previously tually agreeing on a shared secret key. At the transport deserialized objects and their checksums, or by checking level the shared secret key is usually ephemeral, i.e. es- the state transition path of an automaton created by a previ- tablished for the duration of message encryption in point- ous deserialization pass. When a checksum or an automa- to-point TLS [10, 21]. However, in WS-Security the use ton’s state transition path matches, the deserialized object of a (ephemeral) shared secret key token is not straight is retrieved. Thus, an XML message that is identical to a forward, since there is no handshake protocol in WS- previous message does not require deserialization. Security. The WS-SecureConversation [12] specification In the same spirit as DDS, we introduce a digest-based defines extensions to allow security context establishment caching strategy to optimize WS-Security. The digest-based and sharing, and session key derivation, e.g. HMAC keys. caching strategy exploits the hash values of signed XML ob- WS-SecureConversation relies on WS-Trust [13]. Some jects by the WS-Security signature algorithm. The signature schemes use a hashed password of the sender’s credentials algorithm verifies the signature of the set of hash values of as the HMAC key assuming that messages are both authen- signed XML objects. Because the hash value is unchanged ticated and signed. for identical XML objects, previously parsed and deserial- ized XML objects can be retrieved from a cache indexed by 2.2. Digest-Based Caching Strategies digest hash value. Our digest-based caching algorithm is shown in Algo- In [1,15] the authors describe a caching strategy referred rithm 1. A cache is used to store previously deserialized to as “Differential Deserialization” (DDS) to speed up the objects. The cache is indexed by digest hash value (e.g. us- 138 Query key=(ID,HA) ? ID="uuid:550e8400-e29b-41d4-a716-446655440000" on the variability of values in the message exchanges. Mes- HA="qrkvGh87ld5/8QEdRZg6EhWD8nY=" Object=... sage exchanges of repeated values do not require significant memory consumption, since only a few values are stored in ID=..., HA=..., Object=... Shared data the cache. However, if the XML message content varies sig- store or cache . nificantly, then the cache has to be large to hold the content . for future comparisons resulting in huge memory resource Result object ID=..., HA=..., Object=... needs. Figure 1. Digest-based object store. 2.3. Streaming versus Buffering Strategies ing SHA1) and UUID, see Figure 1. Upon parsing an in- WS-Security is typically implemented based on DOM bound message, the algorithm first extracts the IDs and di- construction and manipulation. Constructing and travers- gest hash values of XML elements from the WS-Security ing a DOM tree is inefficient both in terms of processing signature. The corresponding deserialized object is then re- efficiency and memory usage.