SSL & WS-Security
SSL (Secure Sockets Layer) = cryptographic protocol which provides secure communications on the Internet (application layer) [TLS (Transport Layer Security) = SSL successor. SSL 3.0 and TLS 1.0 remain substantially the same]
HTTPS = HTTP over SSL
HTTPS = URI scheme indicating that HTTP is to be used, but with a different default port (443) and an additional encryption/authentication layer (SSL) between HTTP and TCP. It uses SSL as a sub-layer under the regular HTTP application layer and uses port 443 in its interactions with the lower layer.
It only protects the data between the client and the server (not on the server itself).
HTTPS supports the use of X.509 digital certificates from the server so that a user can authenticate the server.
- 1-way SSL (server certificate): Only the server uses a certificate, i.e. server authentication but no client authentication.
- 2-way SSL (client & server certificate): Authentication of both.
- The browser requests secure page (https:// ...)
- The web server sends its public key with its certificate
- The browser checks that the certificate was issued by a trusted third party (CA), that the certificate is valid and that the certificate is related to the site contacted.
- The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, along with the requested URL and other http data encrypted under that symmetric key.
- The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and the http data.
- The browser decrypts the http data and HTML document returned by the server using the symmetric key and displays the information.
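The third step above (trusted CA, validity, certificate tied to the site contacted) as an added Go example, not code from the notes: it builds a constructed test CA and server certificate, then runs the browser-side check with crypto/x509 against a matching host, a wrong host, an untrusted CA and an expired certificate. The host name shop.example.test and the helper names BuildPKI and CheckServerCert are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildPKI makes a constructed test CA and a server cert for host, valid from now-1h to notAfter.
func BuildPKI(host string, now, notAfter time.Time) (leaf, ca *x509.Certificate) {
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // the name the browser compares with the URL's host
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter,
	}, ca, caKey)
	return leaf, ca
}
// CheckServerCert is the browser-side check: chain to a trusted CA, valid at now, names host.
func CheckServerCert(leaf *x509.Certificate, host string, now time.Time, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // stand-in for the browser's trust store
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}
```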
WS-Security = WSS = Defines how XML security specifications are used to encrypt and sign tokens contained in SOAP messages. It provides a level of abstraction to communicate securely using SOAP by
- defining element names for packaging security tokens in SOAP messages [token = an XML representation of security information - signed or unsigned]
- providing a conceptual model [concept of "claims" and "tokens", claim = statement about a subject]
WS-Security is situated above SOAP because it provides a means of encrypting and signing portions of SOAP messages, using XML Signature & XML Encryption, and for enclosing security tokens in a SOAP message to represent claims.
Differences between SSL and WS-Security: here. I'll do a recap:
- SSL is easier to implement.
- SSL encrypts at transport level; WS-Security encrypts at message level.
- SSL provides in-transit security only. This means that the request is only encrypted while it is travelling from client to server (or back). If there is a proxy server in front of the web server, the request is decrypted as it reaches the proxy, and so travels onward inside the server infrastructure unencrypted. WS-Security maintains the encryption until the moment when the request is processed.
- Targeted security. SSL secures the entire message; with WS-Security we can choose to encrypt only part of a message.