Re: PasswordOption.SendNone

From: Softwaremaker [Microsoft_RD] (msdn_at_removethis.softwaremaker.net)
Date: 05/25/04


Date: Tue, 25 May 2004 21:51:54 +0800

Hello Graham,

Basically, the client signs or encrypts the HASH of the message (Digest) with
the password to get the Ciphertext. The Message, together with the Ciphertext,
is then sent over to the WS together with the username (no password).

In the WSE Pipeline Filters,
the WS will pull the password of the username (which is sent over from the
client) from a database or whatever storage medium you have... (This model
won't work if you query an LDAP AD) and then proceeds to encrypt the HASH of
the message (Digest) with the password to get the Ciphertext. Then it proceeds
to compare the Ciphertext value to the one in the message. A user is
authenticated once both Ciphertexts match.

I hope this clears up some of your confusion.

hth.

-- 
Thank you very much
Warmest Regards,
Softwaremaker
Architect | Evangelist | Consultant
Microsoft Regional Director
http://www.microsoft.com/rd
+++++++++++++++++++++++++++++++++
"Graham Allwood" <graham.allwood@nospamtoEborsolutions.com> wrote in message
news:eEf4AUlQEHA.1392@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I am a little confused with the PasswordOption enum when creating a
> UsernamePassword token. Is the following correct:
>
> Using PasswordOption.SendHashed a hash of the password is sent with the
> message. At the server WSE uses a UsernameTokenManager derived class
> (typically) to obtain a password it can hash and compare against the sent
> hashed password. The message can also be signed using the UsernamePassword
> token if required.
>
> However, using PasswordOption.SendNone results in no password (or hash)
> being sent to the server. In that case how does the web service
> authenticate the message? Reading the docs it sounds to be that if you use
> this option then you should also sign the message as the message is signed
> on the client using the password(??). Authentication is then achieved at
> the web server by virtue of a password being required from the
> UsernameTokenManager to verify the signed message.
>
> Does this sound right?
>
> I'm basically trying to establish whether I should be using SendHashed or
> SendNone. Can anyone enlighten me?
>
>
> TIA
>
> Graham
>
>
> Using
>
>
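The exchange described in the reply above (client sends username, message and a MAC over the message digest but no password; server looks up the password by username, recomputes the MAC and compares), as an added example that is not part of the original thread and not WSE's own code. The "encrypt the hash with the password" step is rendered here as an HMAC keyed with a key derived from the password; the PBKDF2 derivation, the per-message nonce used as its salt, and the `SERVER_PASSWORDS` store are assumptions made for this illustration, not what WSE 2.0 actually does. The example goes one step beyond the text by showing the three ways verification fails (tampered message, wrong password, unknown user), and the store makes the reply's LDAP/AD caveat concrete: the server side must be able to reconstruct the key, so it needs the password itself (or an equivalent derived secret), not merely the ability to bind with it.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side credential store: username -> plaintext password.
# The server has to reproduce the client's key, which is why a directory
# that only lets you *check* a password (bind) but never hands it back
# cannot support this scheme.
SERVER_PASSWORDS: Dict[str, str] = {"graham": "correct horse battery staple"}


def derive_key(password: str, nonce: bytes) -> bytes:
    # Assumed derivation for this example (not WSE's): PBKDF2-HMAC-SHA256
    # over the password, salted with the per-message nonce.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), nonce, 10_000)


def message_digest(message: bytes) -> bytes:
    # The "HASH of the message (Digest)" from the reply.
    return hashlib.sha256(message).digest()


def client_build(username: str, password: str, message: bytes,
                 nonce: Optional[bytes] = None) -> dict:
    """Client side: emit username, message, nonce and a MAC over the digest.
    The password never leaves the client (the SendNone case)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    key = derive_key(password, nonce)
    tag = hmac.new(key, message_digest(message), "sha256").digest()
    return {"username": username, "message": message, "nonce": nonce,
            "signature": tag}


def server_verify(envelope: dict,
                  store: Dict[str, str] = SERVER_PASSWORDS) -> bool:
    """Server side: look up the password for the username that was sent,
    recompute the MAC over the received message's digest and compare."""
    password = store.get(envelope["username"])
    if password is None:
        return False  # unknown user: nothing to derive a key from
    key = derive_key(password, envelope["nonce"])
    expected = hmac.new(key, message_digest(envelope["message"]),
                        "sha256").digest()
    # Constant-time comparison of the two "Ciphertext" values.
    return hmac.compare_digest(expected, envelope["signature"])


def demo() -> Dict[str, bool]:
    """Run the exchange once, plus the failure cases a server must reject."""
    body = b"<order>42 widgets</order>"  # constructed sample message
    good = client_build("graham", "correct horse battery staple", body)
    tampered = dict(good, message=b"<order>4200 widgets</order>")
    wrong_pw = client_build("graham", "not the password", body)
    unknown = client_build("mallory", "anything", body)
    return {
        "good": server_verify(good),
        "tampered": server_verify(tampered),
        "wrong_password": server_verify(wrong_pw),
        "unknown_user": server_verify(unknown),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'}")
```

Because the MAC is bound to both the message digest and the password-derived key, the server proves two things at once when the values match: the sender knew the password, and the message body was not altered in transit. That is the point of Graham's observation that SendNone only makes sense when the token is also used to sign the message.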

