Re: Ordering of Signatures and Encryption


From: Govind Ramanathan (govindr_at_microsoft.com)
Date: 06/02/04


Date: Wed, 2 Jun 2004 06:47:26 -0700

I think you are getting yourself into a tight loop here. If you don't want
the service to send back the Username token you might want to do it using a
custom filter or implementing your own TokenManager.

"Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message
news:uEpb$JFSEHA.1644@TK2MSFTNGP09.phx.gbl...
> Just in case I have lost everyone here reading this :-
>
> What I am trying to say is that :
>
> With WS-Policy, if we sent a PasswordOption.SendPlainText to the Service and
> we modified the Policy Assertions to Encrypt the UsernameToken with X509
> (Server's Public Key), it is of relatively little use because (as in Task 4
> of Exercise C in HOL-WSE02)
>
> 1) The Service has to assume that not all clients have their X509 Certs and
> the Service also will NOT have all the Clients' Public Keys with them.
> 2) In the Response Policy Assertion from the Service to the Client, the
> Service will attempt to Encrypt the SOAP Body with the UsernameToken.
> 3) The UsernameToken will then be sent back from the Service to the client
> in CLEAR TEXT for Referencing Purpose
> 4) The Service CANNOT encrypt the UsernameToken with the UsernameToken as
> this will generate an Exception
>
> The only way to do this is to SendHashed over and have the Policy encrypt
> the Request for us BUT Ultimately, the Service will still send back the
> decrypted version of the UsernameToken back to the client (albeit the
> Password is still hashed).
>
> How can I get the Service to NOT send the UsernameToken back or to send an
> Encrypted version of the UsernameToken back ? Which I think is quite
> difficult as the client needs the UsernameToken to decrypt the SOAP Body.
>
> Any advice, ppl ?
>
> Thank you very much.
>
> ====================================
>
>
> "Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message
> news:3D1D318F-344F-4069-85F9-8E9BFB2B6BCB@microsoft.com...
> > Hiya Fellows,
> >
> > I may be running into a brick wall with this design BUT I will try out the
> > limits of WSE anyways
> >
> > I have both a service and a client policy that dictates a Request Policy
> > of "Sign-Username-Encrypt-X.509-10". The username token is not signed in
> > this aspect but the SOAP Body and the UsernameToken are. That went on well.
> >
> > I also have a service and a client policy that dictates a Response Policy
> > of "Sign-X.509-Encrypt-Username". This went on well UNTIL I modified the
> > policy and forced the UsernameToken to be encrypted as well. This threw an
> > error that says vaguely about "Ordering" during the Server to Client
> > Response message.
> >
> > From my own deductions,
> > This is how it happens:
> > 1) WSE signs with Private Key of Server Cert
> > 2) Server encrypts UsernameToken and SOAPBody with UsernameToken Key -
> > Does an exception even happen here in the first place ?
> > 3) Client receives the message
> > 4) Client cannot encrypt the UsernameToken as the UsernameToken Key is all
> > Encrypted - Am I right ?
> >
> > So, in the same scenario, how would the server respond to encrypt the SOAP
> > Body then without the need for a Usertoken, bearing in mind that the client
> > probably doesn't have their own X509 Cert. If the UsernameToken is employed
> > for encryption, the server sends the UsernameToken in clear back to the
> > client. How do we encrypt that ?
> >
> > I hope I at least make some sense here ;)
> >
> > Thank you.
>
>
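The circularity the thread describes (the client needs the clear-text UsernameToken reference to derive the body's decryption key, so that token cannot itself be encrypted under the same key) as an added Python example, not code from the thread or from WSE. The key derivation and the HMAC-counter cipher are illustrative stand-ins I assume for the example, `build_response`, `client_decrypt` and the timestamp are constructed, and only the PasswordDigest formula follows the WSS UsernameToken Profile.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def password_digest(password: str, nonce: bytes, created: str) -> str:
    # WSS UsernameToken Profile PasswordDigest: Base64(SHA-1(nonce + created + password)).
    # Proves knowledge of the password without putting the password itself on the wire.
    return b64(hashlib.sha1(nonce + created.encode() + password.encode()).digest())


def derive_token_key(password: str, nonce: bytes, created: str) -> bytes:
    # Illustrative derivation (an assumption, not WSE's real algorithm): the key depends on
    # the password, which is never sent, plus Nonce and Created, which travel in the clear.
    return hmac.new(password.encode(), nonce + created.encode(), hashlib.sha256).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Toy HMAC-counter keystream standing in for WSE's symmetric cipher; XOR makes it its
    # own inverse. Illustration only, not a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_response(username: str, password: str, body: bytes, encrypt_token: bool) -> dict:
    # Service side of an "Encrypt-Username" response: the body is encrypted with a key derived
    # from the UsernameToken. encrypt_token=True is the policy the poster tried, where the
    # token is encrypted with the very key it is needed to derive.
    nonce = secrets.token_bytes(16)
    created = "2004-06-02T13:47:26Z"  # constructed timestamp for the example
    key = derive_token_key(password, nonce, created)
    token = {"Username": username, "Nonce": b64(nonce), "Created": created,
             "PasswordDigest": password_digest(password, nonce, created)}
    msg = {"Body": b64(toy_encrypt(key, body))}
    msg["UsernameToken"] = b64(toy_encrypt(key, json.dumps(token).encode())) if encrypt_token else token
    return msg


def client_decrypt(password: str, msg: dict) -> bytes:
    # Client side: rebuild the key from the clear token reference plus its own password.
    # If the token arrived encrypted there is no Nonce/Created to derive the key from.
    token = msg["UsernameToken"]
    if isinstance(token, str):
        raise ValueError("UsernameToken is encrypted with the key it is needed to derive")
    key = derive_token_key(password, base64.b64decode(token["Nonce"]), token["Created"])
    return toy_encrypt(key, base64.b64decode(msg["Body"]))
```

The clear token carries only Username, Nonce, Created and the digest, so the password never appears in the response even though the token reference does.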
