Communication Security for DSSP

I was not able to find any communication or message security related documents for Microsoft’s DSSP (Decentralized Software Services Protocol). The current DSS defines a fine grain application security model / access control mechanism to restrict service consumtion and it has been improved from the last MSRS 1.5 version.

As per I know (From the available documents on the Web), the current implementation of DSSP always uses SOAP as a message tunneling mechanism. That means either it may be binary TCP or HTTP, it is always SOAP. The following two diagrams helps to visualize the scenario.



DSSP TCP Binding

DSSP TCP Binding

Well, it uses SOAP and also defines the transport on top of HTTP or TCP. So, the security mechanisms comes to mind are HTTPS, WS-Security or if you do not want to touch the DSSP communication stack then it is IPsec.

Since MS defines DSSP for Robots or Control systems, so HTTPS may be the last choice as device with low resource are not well suited with https. As one of advantage of DSSP is to provide a decentralized and distributed system so WS-Security would be a very good choice since it provides end-to-end security instead point-to-point security like https.The following diagram shows the new stack with WS-Security.

In WS-Security, Message integrity is provided by XML Signature and Message confidentiality leverages XML Encryption. Both these techniques has numbers of advantages other than TLS or SSL or even IPsec style of Security.  Also “Specifically, the WS-Security profile specifications describes how to encode Username Tokens, X.509 Tokens, SAML Tokens , REL Tokens and Kerberos Tokens as well as how to include opaque encrypted keys as a sample of different binary token types.

So, if the security for the SOAP messages exchanged during DSSP service request and response are provided by WS-Security, it will be very strong as well as end-to-end security mechanism.  The existing username/pasword security policy of DSS can be combined with WS-Security and also with WS-SecureConversation to have secure session. However attaching with Kerberos will be a better option as it guarantees better network security to overcome those entropy related attacks in username/password cases.

Achieving Service Orientation through DSSP

As, I have discussed in my last post service orientation can be achieved via a message passing mechanisms (which should be known to service provider and consumer before they start with any operation), DSSP from Microsoft is one of them. DSSP defines a way to achieve service orientation design.
We can articulate the way, that DSSP offers service orientation, as follows:-

  1. DSSP defines a set of certain operations (GET, UPDATE, INSERT..), which a service designer need to implement to provide service. Now , what is a service in this context? Ans : For example, let us consider the “Printer” as a service. A printer offers following operations: “Print Document”, “Cancel Printing” and “Jobs”. So, we can have design this printer service using GET (shows printer JOBS), INSERT (print a document) and UPDATE (to cancel printing).
  2. DSSP does not define how the message structure would be, for your service. It is upto you to define it. Which makes DSSP suitable for variety of environments. So all the printer companies should come and decide the message structure for printing service so that they can become interoperable (a Hp printer is offloading his jobs to a Xerox printer).
  3. The standard DSSP operations are the only mechanisms to interact with a service for the Clients (A PC giving print order to the printer) as well as the Service (Xerox printer is offloading his job to HP Printer) Itself.

DSSP is another attempt to achieve a HTTP like protocol for Service Orientation. In my next post i will design a Printer Service using DSSP with Code samples and do the analysis. It is really getting interesting