Re: Encrypting the response
From: D.Mitchell (DMitchell_at_discussions.microsoft.com)
Date: 09/08/04
- Next message: Shell: "Why doesn't WSE2.0 work with the autogenerated proxy?"
- Previous message: SA: "Re: Encrypting the response"
- In reply to: SA: "Re: Encrypting the response"
- Next in thread: SA: "Re: Encrypting the response"
- Reply: SA: "Re: Encrypting the response"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 8 Sep 2004 01:27:16 -0700
Had the correct entry on the X509 element in the web.config. Most of what I
have done is based on the excellent HOL-WSE02 labs.
I had actually made a mistake in doing what you suggested, but now that I have
corrected that, the response encryption with the encryption token retrieved from
the request works OK. I still don't understand why it doesn't work with the
signature token, because in the encryption response example under the WSE 2
install it works by using the signature token.
At the moment I'm running this all on the same machine, so my next step is
to buy a couple of X509 certificates from VeriSign and move it into a true
production environment for testing.
Can you explain why it makes more sense to you to encrypt the response with
the request's signing token than its encryption token? The request signing
token is the client's private key, right? And the request encryption token is
the server public key? So I suppose it doesn't make sense encrypting the
response with the server public key. I should be doing it with the client
public key so that it can use its private key to decrypt. Theory-wise I
would have thought that was the right approach.
"SA" wrote:
> I am second-guessing myself here. Your way of doing it may be correct after
> all (i.e. encrypt the response with the token used to sign the request).
> From a cryptography point of view, it seems to make more sense.
>
> (I am still investigating the use of X.509 myself, so far I have only used
> UsernameTokens).
>
> Let me know what's happening,
>
> --
>
> Sven
>
>
> "D.Mitchell" <DMitchell@discussions.microsoft.com> wrote in message
> news:1E7F91B6-89DE-4AA8-8218-A8B60762EA48@microsoft.com...
> > Thanks Sven. I'll look at that.
> >
> > I have used different functions. Just thought it would be easier to put code
> > in one chunk on here.
> >
> > Thanks again.
> >
> > "SA" wrote:
> >
> > > OK, I am not sure about this, but I believe that the problem is that you
> > > encrypt the response with the token that was used to sign the request.
> > >
> > > You should encrypt the response with the token that was used to encrypt the
> > > request, which in your case is different.
> > >
> > > The WSE 2.0 samples contain a function GetEncryptingToken that you can use
> > > to get the token you're looking for.
> > >
> > > Architecture tip: abstract the functionality of finding the signing and
> > > encrypting tokens in separate functions.
> > >
> > > --
> > >
> > > Sven
> > >
> > >
> > > "D.Mitchell" <DMitchell@discussions.microsoft.com> wrote in message
> > > news:A63918DC-62C1-40DC-BA5C-C2E50CEC2E91@microsoft.com...
> > > > Thanks for the reply Sven.
> > > >
> > > > I tried this and got 'The security token could not be authenticated or
> > > > authorized.' at that new line.
> > > >
> > > > I'm confused what I need to do to encrypt the response. I have signed the
> > > > request with the client/sender certificate and I have encrypted the request
> > > > with the server/receiver certificate.
> > > >
> > > > The signature gets verified with no problem and the request gets decrypted
> > > > OK. I get back my DataSet if I don't add any response encryption code.
> > > >
> > > > This is what I was trying for response encryption...any ideas on where I am
> > > > going wrong...it's driving me crazy now...
> > > >
> > > > > Dim responseContext As SoapContext = ResponseSoapContext.Current
> > > > > Dim requestContext As SoapContext = RequestSoapContext.Current
> > > > > Dim requestSigningToken As X509SecurityToken
> > > > > Dim foundSignature As Boolean
> > > > > Dim se As ISecurityElement
> > > > >
> > > > > 'loop over security elements in request
> > > > > For Each se In requestContext.Security.Elements
> > > > >
> > > > >     'when current element is message signature
> > > > >     If TypeOf se Is MessageSignature Then
> > > > >         Dim ms As MessageSignature = se
> > > > >         requestSigningToken = ms.SigningToken
> > > > >
> > > > >         'set flag indicating that we found message signature
> > > > >         foundSignature = True
> > > > >     End If
> > > > > Next
> > > > >
> > > > > 'when message signature was found in security elements in request
> > > > > If foundSignature Then
> > > > >
> > > > >     'add the security token to the response
> > > > >     responseContext.Security.Tokens.Add(requestSigningToken)
> > > > >
> > > > >     'encrypt the response with the key in the request
> > > > >     responseContext.Security.Elements.Add(New EncryptedData(requestSigningToken))
> > > > > Else
> > > > >     Throw New SoapException("Could not retrieve signature.", SoapException.ClientFaultCode)
> > > > > End If
> > > >
> > > >
> > > > "SA" wrote:
> > > >
> > > > > You will need to add your security token to the context first, like
> > > > >
> > > > > responseContext.Security.Tokens.Add(x509st)
> > > > >
> > > > > HTH
> > > > > --
> > > > >
> > > > > Sven
> > > > >
> > > > >
> > > > > "D.Mitchell" <DMitchell@discussions.microsoft.com> wrote in message
> > > > > news:668CE380-52C3-401C-82D9-299C4758A662@microsoft.com...
> > > > > > > Looks like it should be fairly simple from the example provided with WSE 2
> > > > > > > install. I get an error on the last line. Retrieve the signing token OK. It's
> > > > > > > definitely not nothing. Anything I am doing wrong.
> > > > > >
> > > > > > > -- IN THE WEB METHOD
> > > > > > > Dim x509st As X509SecurityToken
> > > > > > > Dim se As ISecurityElement
> > > > > > >
> > > > > > > 'loop over security elements in request
> > > > > > > For Each se In context.Security.Elements
> > > > > > >
> > > > > > >     'when current element is message signature
> > > > > > >     If TypeOf se Is MessageSignature Then
> > > > > > >         Dim ms As MessageSignature = se
> > > > > > >
> > > > > > >         x509st = ms.SigningToken
> > > > > > >
> > > > > > >     End If
> > > > > > > Next
> > > > > > >
> > > > > > > 'encrypt the response
> > > > > > > Dim responseContext As SoapContext = ResponseSoapContext.Current
> > > > > > >
> > > > > > > -- ** ERROR - Referenced security token could not be retrieved **
> > > > > > > responseContext.Security.Elements.Add(New EncryptedData(x509st))
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
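
Sven's architecture tip in the quoted thread (separate functions for finding the signing token and the encrypting token of the request), sketched in VB.NET against the WSE 2.0 types used above. This is an added example, not code from the thread or from the WSE 2.0 samples; the names RequestTokenHelper, FindSigningToken, FindEncryptingToken and EncryptResponse are hypothetical. Encrypting with an X.509 token uses the certificate's public key, so whoever receives the response needs the matching private key.

```vbnet
' Added example: helper names are hypothetical, not part of WSE 2.0 or its samples.
Imports System.Web.Services.Protocols
Imports Microsoft.Web.Services2
Imports Microsoft.Web.Services2.Security
Imports Microsoft.Web.Services2.Security.Tokens

Public Class RequestTokenHelper

    ' X.509 token that signed the request, or Nothing if there is none.
    Public Shared Function FindSigningToken(ByVal ctx As SoapContext) As X509SecurityToken
        Dim se As ISecurityElement
        For Each se In ctx.Security.Elements
            If TypeOf se Is MessageSignature Then
                Dim tok As SecurityToken = DirectCast(se, MessageSignature).SigningToken
                If TypeOf tok Is X509SecurityToken Then Return DirectCast(tok, X509SecurityToken)
            End If
        Next
        Return Nothing
    End Function

    ' X.509 token the request was encrypted with, or Nothing if there is none.
    Public Shared Function FindEncryptingToken(ByVal ctx As SoapContext) As X509SecurityToken
        Dim se As ISecurityElement
        For Each se In ctx.Security.Elements
            If TypeOf se Is EncryptedData Then
                Dim tok As SecurityToken = DirectCast(se, EncryptedData).SecurityToken
                If TypeOf tok Is X509SecurityToken Then Return DirectCast(tok, X509SecurityToken)
            End If
        Next
        Return Nothing
    End Function

    ' Adds the token to the response and encrypts the response body with it.
    Public Shared Sub EncryptResponse(ByVal token As X509SecurityToken)
        If token Is Nothing Then
            Throw New SoapException("No X.509 token found in the request.", SoapException.ClientFaultCode)
        End If
        If Not token.SupportsDataEncryption Then
            Throw New SoapException("Token cannot be used for encryption.", SoapException.ClientFaultCode)
        End If
        Dim resp As SoapContext = ResponseSoapContext.Current
        resp.Security.Tokens.Add(token)
        resp.Security.Elements.Add(New EncryptedData(token))
    End Sub

End Class
```

In the web method, passing FindEncryptingToken(RequestSoapContext.Current) to EncryptResponse gives the variant reported as working in this message; passing FindSigningToken(RequestSoapContext.Current) gives the variant from the quoted code.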