Thanks for the link to the performance paper. This paper has some wrong statements worth being noted:

Chapter 5.3, item 3 states: "Encrypt the whole shebang (UsernameToken + timestamp + nonce) with the RSA private key of the client." To be precise here: WSS uses a symmetrical cipher to encrypt the "whole shebang", WSS generates a random key for this symmetrical cipher and encrypts only this random key with RSA.

Chapter 6, Figure 1: The description of figure 1 is not correct with respect to "mod 2". The document states: "Mod 2: UsernameToken + timestamp + nonce together encrypted with the RSA client's private key;" This is wrong. The client uses the server's public key to encrypt the random key used to encrypt the "whole shebang" :-) . This has several impacts on the shown figures and explains the big difference between mod2 and mod3:

- encrypting with a public key is much faster than encrypting with a private key (this is an attribute of most public key algos)
- decryption in RSA even with the private key is faster than encryption

After all, mod2 is "moderate" in terms of encryption/decryption overhead. Mod 3 uses Signature, which implies RSA encryption of the signature hash with the client's private key - which is time consuming. This explains the big difference between the two modes.

Chapter 7, point 1 states: "One should completely free the security package from the subordinate Web service engine. For example wss4j works only with the Axis Web service engine. This is understandable from a developer's point of view but a poor design choice" This is completely wrong - the WSS4J security library is independent of Axis (at that point in time Axis 1). Only the handlers are dependent on the underlying SOAP engine - WSS4J included a handler for Axis-1 and a handler according to the Java JCP standards, independent of Axis-1. Also Axis-2 uses WSS4J - and Axis-2 has a completely different implementation of how to integrate "handlers" (interceptors) and how to deploy.

Regards,
Werner

> -----Original Message-----
> From: ext Ostermueller, Erik [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 13, 2008 8:23 PM
> To: jimmy Zhang; Werner Dittmann
> Cc: [EMAIL PROTECTED]; [email protected]
> Subject: RE: WSS4J 1.5.4 Encryption Performance Question
>
> This also might be helpful:
> http://lis.fh-aargau.ch/nicola/pub/WSS4Jperformance.pdf
>
> -----Original Message-----
> From: jimmy Zhang [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 13, 2008 12:53 PM
> To: Werner Dittmann
> Cc: [EMAIL PROTECTED]; [email protected]
> Subject: Re: WSS4J 1.5.4 Encryption Performance Question
>
> http://www.w3.org/2007/xmlsec/ws/papers/06-zhang-ximpleware/
> ----- Original Message -----
> From: "Werner Dittmann" <[EMAIL PROTECTED]>
> To: "jimmy Zhang" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; <[email protected]>
> Sent: Saturday, October 11, 2008 1:19 AM
> Subject: Re: WSS4J 1.5.4 Encryption Performance Question
>
> <SNIP ----- SNAP>
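
The key usage described in the reply above, as an added example that is not part of the original mail and is not WSS4J code: a plain JCA sketch in which a random symmetric key encrypts the payload, only that key goes through RSA under the server's public key, and the signature uses the client's private key. The class name, the constructed payload and the algorithm choices (AES-GCM, RSA-OAEP, SHA256withRSA) are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class HybridKeyUsageSketch {   // hypothetical name, not a WSS4J class
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();   // receiver of the encrypted message
        KeyPair client = kpg.generateKeyPair();   // sender, signs with its own key
        // Constructed stand-in for UsernameToken + timestamp + nonce
        byte[] payload = "user=alice;created=2008-10-13T20:23:00Z;nonce=constructed"
                .getBytes(StandardCharsets.UTF_8);
        int rounds = 200;

        // Encryption: a fresh random symmetric key encrypts the payload itself
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] body = aes.doFinal(payload);

        // Only the session key goes through RSA, under the SERVER's public key
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, server.getPublic());
        byte[] wrapped = null;
        long t0 = System.nanoTime();
        for (int i = 0; i < rounds; i++) wrapped = rsa.wrap(session);
        long wrapNs = (System.nanoTime() - t0) / rounds;

        // Signature: a private-key operation with the CLIENT's key
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(client.getPrivate());
        byte[] sig = null;
        t0 = System.nanoTime();
        for (int i = 0; i < rounds; i++) { signer.update(payload); sig = signer.sign(); }
        long signNs = (System.nanoTime() - t0) / rounds;

        // Receiver: unwrap with the server's private key, decrypt, verify
        rsa.init(Cipher.UNWRAP_MODE, server.getPrivate());
        SecretKey recovered = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        byte[] plain = aes.doFinal(body);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(client.getPublic());
        verifier.update(plain);
        System.out.printf("round trip ok=%b, signature ok=%b%n",
                Arrays.equals(plain, payload), verifier.verify(sig));
        System.out.printf("avg ns: public-key wrap=%d, private-key sign=%d%n", wrapNs, signNs);
    }
}
```

The printed averages are rough wall-clock figures from a short loop and vary by JVM and hardware.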
