How secure is Message Authentication over SSL?
We develop a web service for a point-to-point scenario only, so security on the transport layer is chosen to gain better performance. Among the Security Policies supported by WSIT: "The Message Authentication over SSL mechanism attaches a cryptographically secured identity or authentication token with the message and use SSL for confidentiality protection" (quoted from http://metro.java.net/guide/Security_Mechanisms.html).
Does it protect data integrity?
The Metro guide gives too little information about this. It only says this mechanism protects confidentiality. From the WSIT tutorial, the server's credential has to be imported into the client trust store. And with that the client application can encrypt the data exchange.
But for integrity, data has to be signed. I wonder whether the SSL handshake is handled (by WSIT) with some client-side private session key exchange behind the scenes automatically or not. If yes, how long does the session key remain valid (for each request/response, or for a period of time)?
Amazon EC for example: all SOAP requests are sent over SSL. But in addition, they also require messages to be hashed and signed for integrity (BinarySecurityToken profile). Does that mean SSL does not protect data integrity?
Does it protect from replay attacks?
Other WS-Security Policy bindings like Asymmetric and Symmetric Binding have a timestamp element to protect the message from replay attacks. How about Message Authentication over SSL?
Thank you very much.
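The question above contrasts transport-level protection with the message-level signature and timestamp that the Asymmetric/Symmetric bindings (and Amazon's signed SOAP requests) add. The following is an added example, not code from the original post, from WSIT/Metro or from Amazon, that shows in miniature what such a message-level check buys: an HMAC over body, creation time and nonce, and a receiver that rejects tampered, stale and replayed messages. The shared key, the 300-second skew window and the message layout are assumptions made for the example; a real WS-Security stack would use an X.509 signature and XML canonicalization instead of the simple `|`-joined encoding here.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed shared secret for this example only (assumption: a real
# deployment keys from a key store or signs with an X.509 certificate).
SHARED_KEY = b"example-shared-secret-not-for-production"

# Tolerated clock skew between sender and receiver, in seconds (assumption,
# in the spirit of a WS-Security Timestamp Created/Expires window).
MAX_SKEW_SECONDS = 300


def canonical(body: bytes, created: int, nonce: str) -> bytes:
    """The bytes that are authenticated: creation time, nonce and body.
    Binding the timestamp and nonce into the MAC is what lets the receiver
    trust them; an unsigned timestamp could simply be rewritten by a replayer."""
    return b"|".join([str(created).encode(), nonce.encode(), body])


def sign_message(body: bytes, created: Optional[int] = None,
                 nonce: Optional[str] = None) -> Dict[str, object]:
    """Sender side: attach Created, Nonce and an HMAC-SHA256 over all three."""
    created = int(time.time()) if created is None else created
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(SHARED_KEY, canonical(body, created, nonce),
                   hashlib.sha256).hexdigest()
    return {"body": body, "created": created, "nonce": nonce, "signature": mac}


class Receiver:
    """Receiver side: verify integrity, then freshness, then uniqueness."""

    def __init__(self, now: Optional[Callable[[], float]] = None) -> None:
        # nonce -> Created time, so old entries can be purged once they fall
        # outside the skew window (a message that old is rejected anyway).
        self.seen_nonces: Dict[str, int] = {}
        self._now = now or time.time

    def verify(self, msg: Dict[str, object]) -> Tuple[bool, str]:
        body, created, nonce = msg["body"], int(msg["created"]), str(msg["nonce"])

        # 1. Integrity and origin: recompute the MAC over the same bytes.
        #    Checked first so nothing below trusts unauthenticated fields.
        expected = hmac.new(SHARED_KEY, canonical(body, created, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["signature"])):
            return False, "bad signature"

        # 2. Freshness: reject messages created too far from our clock.
        now = int(self._now())
        if abs(now - created) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"

        # 3. Uniqueness within the window: a valid, fresh message that has
        #    already been accepted is a replay. Purge nonces that can no
        #    longer pass step 2 so the cache stays bounded.
        cutoff = now - MAX_SKEW_SECONDS
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = created
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four cases against a receiver with a fixed clock."""
    clock = 1_000_000
    rx = Receiver(now=lambda: clock)
    msg = sign_message(b"<Body>transfer 100</Body>", created=clock)
    results = {"fresh": rx.verify(msg)}
    results["replay"] = rx.verify(msg)                       # same message again
    results["tampered"] = rx.verify({**msg, "body": b"<Body>transfer 900</Body>"})
    old = sign_message(b"<Body>transfer 100</Body>", created=clock - 3600)
    results["stale"] = rx.verify(old)                        # signed an hour ago
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok} ({reason})")
```

TLS already gives each record a MAC, so a tampered byte on the wire is caught by the transport; what the message-level layer adds is that the signature survives past the TLS endpoint (a proxy or log can re-verify it later) and that the `Created`/nonce pair makes a captured request useless to replay through a new TLS session.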