[jira] [Commented] (WSS-386) Introduce proprietary Compress-Transformation for Encryption / Decryption

Fri, 20 Apr 2012 11:49:07 -0700 

    [ 
https://issues.apache.org/jira/browse/WSS-386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258459#comment-13258459
 ] 

Marc Giger commented on WSS-386:
--------------------------------

There is no proprietary compression algorithm. Just the 
algorithm-identification url is proprietary
because the WSS-Standards don't define a compression transformation. So I 
introduced the following
algorithm-uri's (which should be self-explanatory):

- http://www.apache.org/2012/04/xmlsec/gzip
- http://www.apache.org/2012/04/xmlsec/bzip2
- http://www.apache.org/2012/04/xmlsec/xz
- http://www.apache.org/2012/04/xmlsec/pack200";

Compression can (before or after encryption doesn't matter) be evil when
- someone sends a "Decompression bomb"
- someone sends an SOAP-Request with extremely deep repetitive XML tags and 
compresses it (which will be a "decompression bomb" for WS)
- others?

Both have to be handled carefully in WSS.
                
> Introduce proprietary Compress-Transformation for Encryption / Decryption
> -------------------------------------------------------------------------
>
>                 Key: WSS-386
>                 URL: https://issues.apache.org/jira/browse/WSS-386
>             Project: WSS4J
>          Issue Type: Sub-task
>            Reporter: Marc Giger
>            Assignee: Marc Giger
>            Priority: Minor
>             Fix For: 2.0
>
>
> Compressing encrypted content (as usually done on transport layer) is not 
> very efficient but plain XML is.
> Numbers:
> soap-doc-encrypted-not-compressed.xml = ~19M
> soap-doc-compressed-on-transport.gz = ~ 15M
> soap-doc-compressed-before-xml-encryption.xml = ~1.1M
> The advantages are:
> - Factor n less data on the wire
> - Faster processing on both side because much less data must be 
> encrypted/decrypted (depends on encryption/compression algorithm)
> Disadvantages:
> - Proprietary
> - Introduces new attack-vector and will be disabled by default for WSS with 
> the introduction of secure-processing

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to