
RE: Slides from "Web Services Security Issues"


> Does encryption and digital signing increase the need for bandwidth or
> the need for CPU power and battery life?

Well, let's see.  For an RSA signature (most common; we'll ignore Kerberos
or other shared-secret HMAC stuff), the binary signature will be the same
as the key size; call it 1K bits.  Then you have to make it base64 and wrap a
few tags and identifying information around it, so call it 250 bytes.
If you add the cert call it 2K bytes; if you add just a ref to the cert
that the recipient can decode, call it 350 bytes.

For XML Encryption, the session key will be RSA encrypted, which is the same
as the signature.  Then the data itself will end up as binary, which then
needs to be base64, so assume the data grows by 4/3 in addition to the key
exchange.

So that's the data size.  For processing, decryption isn't bad.  You need
to decrypt the key, then decrypt the bulk data.  Most bulk encryptions are
pretty efficient these days; the AES in particular had that as a design goal.

Verifying an XML signature is harder. You typically have to canonicalize
the input and run it through a SHA1 digest.  Doing c14n is fairly expensive;
you have to pretty much walk your parse tree (or stream and output) a
second time.

As for battery life?  Well, a typical laptop can probably handle XML
signature and encryption okay, but only because the load is human-driven.

But for a server?  You want what we sell. :)  We're the fastest XML security
devices around.  I mention that not just because I'm watching _American
Chopper_ on TV right now, but because speed is a security *enabler.*
If things are too slow, you can't afford to do things like schema validation
and crypto, and you really want to do them...
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
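
The size and canonicalization points from the message above, worked through as an added example that is not part of the original post. It assumes Python's standard-library C14N 2.0 as a stand-in for whatever c14n algorithm a signature names, a block cipher with a prepended IV and 1..block bytes of padding, and constructed sample documents.

```python
import base64, hashlib, os
from xml.etree.ElementTree import canonicalize  # Python 3.8+, C14N 2.0

def b64_len(n_bytes):
    """Length of the base64 text for n_bytes of binary (no line breaks)."""
    return 4 * ((n_bytes + 2) // 3)

def signature_value_size(key_bits=1024):
    """Base64 size of a raw RSA signature, which is as long as the key."""
    raw = os.urandom(key_bits // 8)  # constructed stand-in for a signature
    return len(base64.b64encode(raw))

def encrypted_size(plain_len, key_bits=1024, block=16):
    """Base64 size of the RSA-wrapped session key plus the bulk ciphertext.
    Assumption: IV of one block is prepended, padding adds 1..block bytes."""
    padded = (plain_len // block + 1) * block
    return b64_len(key_bits // 8) + b64_len(block + padded)

def raw_digest(xml_text):
    """SHA-1 over the bytes exactly as serialized."""
    return hashlib.sha1(xml_text.encode("utf-8")).hexdigest()

def c14n_digest(xml_text):
    """Canonicalize first (a second pass over the document), then SHA-1."""
    canon = canonicalize(xml_data=xml_text)
    return hashlib.sha1(canon.encode("utf-8")).hexdigest()

# Constructed sample: same content, different serialization (attribute
# order, quote style, spacing, empty-element form).
DOC_A = '<order id="7" cur="USD"><item/></order>'
DOC_B = "<order  cur='USD' id='7'><item></item></order>"

if __name__ == "__main__":
    print("base64 signature value:", signature_value_size(), "bytes")
    print("1000-byte payload encrypted:", encrypted_size(1000), "bytes")
    print("raw digests match: ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("c14n digests match:", c14n_digest(DOC_A) == c14n_digest(DOC_B))
```

The raw digests differ while the canonical digests agree, which is why a verifier has to pay for the extra pass before hashing.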

