Geeks With Blogs
Clara's Notes on Technology: Notes to me and the world

SSL (Secure Sockets Layer) = cryptographic protocol which provides secure communications on the Internet (application layer). [TLS (Transport Layer Security) = SSL successor. SSL 3.0 and TLS 1.0 remain substantially the same.]

HTTPS = HTTP over SSL. HTTPS = URI scheme indicating that HTTP is to be used, but with a different default port (443) and an additional encryption/authentication layer (SSL) between HTTP and TCP. It uses SSL as a sub-layer under the regular HTTP application layer and uses port 443 in its interactions with the lower layer. It only protects the data between the client and the server (not on the server itself). HTTPS supports the use of X.509 digital certificates from the server so that a user can authenticate the server.

  • 1-way SSL (server certificate): Only the server uses a certificate, i.e. server authentication but no client authentication.
  • 2-way SSL (client & server certificate): Authentication of both.
How does SSL work (taken from here)?
  1. The browser requests a secure page (https:// ...).
  2. The web server sends its public key with its certificate.
  3. The browser checks that the certificate was issued by a trusted third party (CA), that the certificate is valid, and that the certificate is related to the site contacted.
  4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server together with the encrypted URL required as well as other encrypted HTTP data.
  5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and the HTTP data.
  6. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
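The checks of step 3, as an added Python example that is not part of the original post: the validity window and the "related to the site contacted" hostname match are applied to a constructed certificate dict in the layout `ssl.SSLSocket.getpeercert()` returns, and the "trusted CA" check is delegated to a standard-library client context. `SAMPLE_CERT` and all names in it are made up for the example.

```python
import ssl
import time

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns;
# the names, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}

def cert_is_within_validity(cert, now=None):
    """Step 3, 'the certificate is valid': the notBefore/notAfter window."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after

def _label_matches(pattern, hostname):
    # A wildcard is honoured only as the whole leftmost label, never across dots.
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches_host(cert, hostname):
    """Step 3, 'the certificate is related to the site contacted'.
    DNS subjectAltName entries win; commonName is a fallback only when
    the certificate carries no subjectAltName at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_label_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_matches(value, hostname)
    return False

def verifying_client_context():
    """Step 3, 'issued by a trusted third party (CA)': a browser-like client
    context that requires a chain to the system CA store and a hostname match."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx
```

A real client hands the context to `ctx.wrap_socket(sock, server_hostname=host)`, which performs all three checks before any HTTP data is sent.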

WS-Security = WSS = Defines how XML security specifications are used to encrypt and sign tokens contained in SOAP messages. It provides a level of abstraction to communicate securely using SOAP by

  • defining element names for packaging security tokens in SOAP messages [token = an XML representation of security information, signed or unsigned]
  • providing a conceptual model [concept of "claims" and "tokens", claim = statement about a subject]

WS-Security is situated above SOAP because it provides a means of encrypting and signing portions of SOAP messages, using XML Signature & XML Encryption, and for enclosing security tokens in a SOAP message to represent claims.

Differences between SSL and WS-Security: here. I'll do a recap:

  • SSL is easier to implement.
  • SSL encrypts at transport level; WS-Security encrypts at message level.
  • SSL provides in-transit security only. This means that the request is only encrypted while it is travelling from client to server (or back). If there is a proxy server in front of the web server, the request is decrypted as it reaches the proxy, and thus travels inside the server unencrypted. WS-Security maintains the encryption until the moment when the request is processed.
  • Targeted security. SSL secures the entire message; with WS-Security we can choose to encrypt only part of a message.

Posted on Friday, November 17, 2006 7:51 PM

Comments on this post: SSL & WS-Security

# re: SSL & WS-Security
toooo gooooooooood
Left by Hanu on Aug 20, 2010 6:59 AM


Copyright © Clara Oscura