Abstract
Key Derivation is an important part of numerous security standards, the importance of using it was discussed throughout the literature and industry standards. On the other hand, web service security is an area that has not seen substantial research and application for Key Derivation techniques. After studying the Key Derivation techniques which are applied in Web Service Security, we find the applied algorithms and current implementations to be very limited in regard to performance and their work-flow. These limitations introduce performance bottlenecks that can limit their applicability to low power machines and mobile systems or lead to designers compromising on security to meet the quality of service desired. Moreover, this issue becomes more relevant when applied to a high performance and demanding systems such as real-time business process monitoring and messaging systems. This paper explores how Key Derivation is implemented in web services and WS-Security engines, their limitations, the performance overhead it produces and proposes an enhanced Key Derivation work-flow that takes into consideration both security and performance and allows for fine tuning them. The performance of the proposal is tested using a series of benchmarks and the security properties are verified using a well-known validation tool.
Similar content being viewed by others
References
Chen, L. (2008). Recommendation for key derivation using pseudorandom functions. NIST Special Publication, 800, 108.
Abdalla, M., & Bellare, M. (2000). Increasing the lifetime of a key: A comparative analysis of the security of re-keying techniques. Advances in Cryptology ASIACRYPT, 2000, 546–559.
Adams, C., Kramer, G., Mister, S., & Zuccherato, R. (2004). On the security of key derivation functions. In K. Zhang & Y. Zheng (Eds.), Information security (pp. 134–145). Palo Alto, CA: Springer.
Swenson, C. (2012). Modern cryptanalysis: Techniques for advanced code breaking. Hoboken: Wiley.
Retail financial services symmetric key management part 1: Using symmetric techniques. American National Standards Institute ANSI X9.24-1:2009 (2009). https://tools.ietf.org/html/rfc5869.
Alfred, C. W. (2006). Secure sockets layer. Computer, 39(4), 88–90.
Chan Aldar, C.-F. (2013). On optimal cryptographic key derivation. Theoretical Computer Science, 489, 21–36.
Lin, J. C., Huang, K. H., Lai, F., & Lee, H. C. (2009). Secure and efficient group key management with shared key derivation. Computer Standards & Interfaces, 3, 192–208.
Mendel, F., & Standaert, F. X. (2015). Towards fresh and hybrid re-keying schemes with beyond birthday security. In Smart card research and advanced applications: 14th International conference (CARDIS) (Vol. 9514, p. 225). Springer.
Dobraunig, C., Eichlseder, M., Mangard, S., & Mendel, F. (2014). On the security of fresh rekeying to counteract side-channel and fault attacks. In Smart card research and advanced applications (Vol. 8968, pp. 233–244). London: Springer International Publishing.
Rosenberg, J., & David, R. (2004). Securing web services with WS-security: Demystifying WS-security, WS-policy, SAML, XML signature, and XML encryption. Upper Saddle: Pearson Higher Education.
The Axis2 Project, Apache Axis2/Java—Next Generation Web Services [online] (2012). Accessed July 23, 2014. http://axis.apache.org/axis2/java/core/.
Apache Rampart Apache Rampart-Axis2 Security Module [online] (2014). Accessed July 27, 2014. http://axis.apache.org/axis2/java/rampart/.
WebLogic Web Services: Security, Configuring Message-Level Security [online] (2008). Accessed July 13, 2014. http://docs.oracle.com/cd/E13222_01/wls/docs100/webserv_sec/message.html.
IBM Knowledge Center. (2013). Derived key token [online]. Accessed July 27, 2014. http://www-01.ibm.com/support/knowledgecenter/SSAW57_6.1.0/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/cwbs_derivedkeytoken.html?cp=SSAW57_6.1.0%2F7-1-6-3-62&lang=zh-tw.
Mosncek, O. (2015). Key derivation functions and their GPU implementation. BachelorS Thesis, Masaryk University Faculty of Informatics.
Web Services Security UsernameToken Profile 1.1. http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf
Krawczyk, H., & Eronen, P. (2010). Hmac-based extract-and-expand key derivation function (hkdf). IETF. https://tools.ietf.org/html/rfc5869.
Krawczyk, H., Canetti, R., & Bellare, M. (1997). Hmac: Keyed-hashing for message authentication. IETF. https://www.ietf.org/rfc/rfc2104.txt.
AlMahmoud, A., Colombo, M., Yeun, C. Y., & Al-Muhairi, H. (2012). Smart authentication for real-time business process monitoring. In International conference for internet technology and secured transactions (Vol. 9514, pp. 253–258). IEEE.
Cremers, C. J. F. (2006). Scyther—Semantics and verification of security protocols. Eindhoven University of Technology, University Press Eindhoven, Ph.D. dissertation
Cremers, C. J. F. (2008). The Scyther Tool: Verification, falsification, and analysis of security protocols. (pp. 414–418). Springer, Computer Aided Verification. Book.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
AlMahmoud, A., Colombo, M., Yeun, C.Y. et al. Enhancement of Key Derivation in Web Service Security. Wireless Pers Commun 97, 5171–5184 (2017). https://doi.org/10.1007/s11277-017-4773-3
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-017-4773-3