Enhancement of Key Derivation in Web Service Security

Key Derivation is an important part of numerous security standards, the importance of using it was discussed throughout the literature and industry standards. On the other hand, web service security is an area that has not seen substantial research and application for Key Derivation techniques. After studying the Key Derivation techniques which are applied in Web Service Security, we find the applied algorithms and current implementations to be very limited in regard to performance and their work-flow. These limitations introduce performance bottlenecks that can limit their applicability to low power machines and mobile systems or lead to designers compromising on security to meet the quality of service desired. Moreover, this issue becomes more relevant when applied to a high performance and demanding systems such as real-time business process monitoring and messaging systems. This paper explores how Key Derivation is implemented in web services and WS-Security engines, their limitations, the performance overhead it produces and proposes an enhanced Key Derivation work-flow that takes into consideration both security and performance and allows for fine tuning them. The performance of the proposal is tested using a series of benchmarks and the security properties are verified using a well-known validation tool.