Skip to main content
SpringerLink
Log in

Enhancement of Key Derivation in Web Service Security

Performance Bottleneck in Real-Time Messaging Systems

  • Published:
Wireless Personal Communications Aims and scope Submit manuscript

Abstract

Key Derivation is an important part of numerous security standards, the importance of using it was discussed throughout the literature and industry standards. On the other hand, web service security is an area that has not seen substantial research and application for Key Derivation techniques. After studying the Key Derivation techniques which are applied in Web Service Security, we find the applied algorithms and current implementations to be very limited in regard to performance and their work-flow. These limitations introduce performance bottlenecks that can limit their applicability to low power machines and mobile systems or lead to designers compromising on security to meet the quality of service desired. Moreover, this issue becomes more relevant when applied to a high performance and demanding systems such as real-time business process monitoring and messaging systems. This paper explores how Key Derivation is implemented in web services and WS-Security engines, their limitations, the performance overhead it produces and proposes an enhanced Key Derivation work-flow that takes into consideration both security and performance and allows for fine tuning them. The performance of the proposal is tested using a series of benchmarks and the security properties are verified using a well-known validation tool.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

References

  1. Chen, L. (2008). Recommendation for key derivation using pseudorandom functions. NIST Special Publication, 800, 108.

    Google Scholar 

  2. Abdalla, M., & Bellare, M. (2000). Increasing the lifetime of a key: A comparative analysis of the security of re-keying techniques. Advances in Cryptology ASIACRYPT, 2000, 546–559.

    MathSciNet  MATH  Google Scholar 

  3. Adams, C., Kramer, G., Mister, S., & Zuccherato, R. (2004). On the security of key derivation functions. In K. Zhang & Y. Zheng (Eds.), Information security (pp. 134–145). Palo Alto, CA: Springer.

    Chapter  Google Scholar 

  4. Swenson, C. (2012). Modern cryptanalysis: Techniques for advanced code breaking. Hoboken: Wiley.

    Google Scholar 

  5. Retail financial services symmetric key management part 1: Using symmetric techniques. American National Standards Institute ANSI X9.24-1:2009 (2009). https://tools.ietf.org/html/rfc5869.

  6. Alfred, C. W. (2006). Secure sockets layer. Computer, 39(4), 88–90.

    Article  MathSciNet  Google Scholar 

  7. Chan Aldar, C.-F. (2013). On optimal cryptographic key derivation. Theoretical Computer Science, 489, 21–36.

    Article  MathSciNet  MATH  Google Scholar 

  8. Lin, J. C., Huang, K. H., Lai, F., & Lee, H. C. (2009). Secure and efficient group key management with shared key derivation. Computer Standards & Interfaces, 3, 192–208.

    Article  Google Scholar 

  9. Mendel, F., & Standaert, F. X. (2015). Towards fresh and hybrid re-keying schemes with beyond birthday security. In Smart card research and advanced applications: 14th International conference (CARDIS) (Vol. 9514, p. 225). Springer.

  10. Dobraunig, C., Eichlseder, M., Mangard, S., & Mendel, F. (2014). On the security of fresh rekeying to counteract side-channel and fault attacks. In Smart card research and advanced applications (Vol. 8968, pp. 233–244). London: Springer International Publishing.

  11. Rosenberg, J., & David, R. (2004). Securing web services with WS-security: Demystifying WS-security, WS-policy, SAML, XML signature, and XML encryption. Upper Saddle: Pearson Higher Education.

    Google Scholar 

  12. The Axis2 Project, Apache Axis2/Java—Next Generation Web Services [online] (2012). Accessed July 23, 2014. http://axis.apache.org/axis2/java/core/.

  13. Apache Rampart Apache Rampart-Axis2 Security Module [online] (2014). Accessed July 27, 2014. http://axis.apache.org/axis2/java/rampart/.

  14. WebLogic Web Services: Security, Configuring Message-Level Security [online] (2008). Accessed July 13, 2014. http://docs.oracle.com/cd/E13222_01/wls/docs100/webserv_sec/message.html.

  15. IBM Knowledge Center. (2013). Derived key token [online]. Accessed July 27, 2014. http://www-01.ibm.com/support/knowledgecenter/SSAW57_6.1.0/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/cwbs_derivedkeytoken.html?cp=SSAW57_6.1.0%2F7-1-6-3-62&lang=zh-tw.

  16. Mosncek, O. (2015). Key derivation functions and their GPU implementation. BachelorS Thesis, Masaryk University Faculty of Informatics.

  17. Web Services Security UsernameToken Profile 1.1. http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf

  18. Krawczyk, H., & Eronen, P. (2010). Hmac-based extract-and-expand key derivation function (hkdf). IETF. https://tools.ietf.org/html/rfc5869.

  19. Krawczyk, H., Canetti, R., & Bellare, M. (1997). Hmac: Keyed-hashing for message authentication. IETF. https://www.ietf.org/rfc/rfc2104.txt.

  20. AlMahmoud, A., Colombo, M., Yeun, C. Y., & Al-Muhairi, H. (2012). Smart authentication for real-time business process monitoring. In International conference for internet technology and secured transactions (Vol. 9514, pp. 253–258). IEEE.

  21. Cremers, C. J. F. (2006). Scyther—Semantics and verification of security protocols. Eindhoven University of Technology, University Press Eindhoven, Ph.D. dissertation

  22. Cremers, C. J. F. (2008). The Scyther Tool: Verification, falsification, and analysis of security protocols. (pp. 414–418). Springer, Computer Aided Verification. Book.

Download references

Author information

Authors and Affiliations

  1. Emirates ICT Innovation Center (EBTIC), Abu Dhabi, UAE

    Abdelrahman AlMahmoud & Maurizio Colombo

  2. Khalifa University of Science and Technology, Abu Dhabi, UAE

    Abdelrahman AlMahmoud, Chan Yeob Yeun & Hassan Al-Muhairi

Authors
  1. Abdelrahman AlMahmoud
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Maurizio Colombo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Chan Yeob Yeun
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Hassan Al-Muhairi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Abdelrahman AlMahmoud.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

AlMahmoud, A., Colombo, M., Yeun, C.Y. et al. Enhancement of Key Derivation in Web Service Security. Wireless Pers Commun 97, 5171–5184 (2017). https://doi.org/10.1007/s11277-017-4773-3

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11277-017-4773-3

Keywords

Search

Navigation