Re: Policy settings tool and username tokens (not x509)

From: Julie Lerman (jlermanATNOSPAMPLEASEthedatafarm.com)
Date: 09/28/04


Date: Tue, 28 Sep 2004 11:11:16 -0400


(bear with me - I am trying to work this stuff out so that I can eliminate
my own questions and be better able to teach this stuff to others. I am no
security expert....caveat caveat caveat <g>)

Totally grok about the extra super duper security with x509. However, if I
have explicitly chosen not to encrypt the request or response messages (not
talking about the digest created via digital sig) and it *is* indeed
possible (if not recommended) to digitally sign with a usernametoken, AND
the wse setup tool is telling me "I'm making you give me an x509 server cert
because you chose to do request encryption" when I actually did not choose
to do any encryption, something isn't right.

I am working from the client app here.

(I think ) Basically either the tool does not want to allow me to deselect
encryption, or the tool is giving me that screen when it doesn't mean to.
Does that make sense? If it's confusing to me, it's going to be confusing to
others. I assure you, I'm a very good baseline for the target audience! The
tool is doing a fantastic job of handholding people through this process.
But if it is giving possible misinformation, then we'll be little lost
lambs.

thanks much, Hervey

julie

"Hervey Wilson [MSFT]" <herveyw.nospam@nospam.microsoft.com> wrote in
message news:eNFlx1RpEHA.4008@TK2MSFTNGP14.phx.gbl...
> Julie Lerman wrote:
> > If I am starting out with username ONLY , no x509 etc certificates in my
> > wse2 solution, I'm confused by the need (via settings tool) to select a
> > digital certificate.
> >
> > I'm securing a client application.
> >
> > I have (for now) deselected require sigs and encryption on the request
> > message and selected only requires signatures on the response (outgoing)
> > message, since I am only interested in my webservice being sure of WHO is
> > making the request.
> >
> > However I still get the Trusted Server Certificates window with the info
> > "Choose the x.509 certificates that can be used to authenticate the service.
> > This certificate will be used if Request Encryption is chosen."
> > I have not chosen request encryption.
> >
> > I would really like to use wse2 to secure my client's application right now
> > without telling them they have to go out and buy x509 certificates for 40
> > machines and their servers.
> >
> > So I want to implement this using username only.
> >
> > Thanks
> >
> > Julie
> >
> >
>
> You cannot do this securely with only a UsernameToken, this is why the
> tool asks for the services token so that it can not only sign the
> message but also encrypt it and the UsernameToken.
>
> Having both client and server tokens allows the default WSE client to
> enforce at least a limited form of mutual authentication: the client
> signs with token A and encrypts with token B, it then requires that the
> response be encrypted with token A and signed with token B. Anything
> less leaves response messages open to attack.
>
> You don't have to buy 40 certificates at all, unlike HTTPS WSE will not
> require that the CN name in the certificate match the name of the
> computer that the request is sent to. You could therefore use the same
> certificate on a number of servers (be sure to block export of the key
> and set restrictive permissions on it to prevent physical attacks
> against the servers).
>
>
>
> --
> This posting is provided "AS IS", with no warranties, and confers no rights.
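Added illustration (not code from either poster, and not WSE itself): a small stdlib Python model of the two-token scheme Hervey describes above, where the request is signed with token A and encrypted with token B, and the client's policy check then insists the response is encrypted with A and signed with B. Everything here is constructed for the demo: HMAC-SHA256 stands in for the XML signature, an HMAC-derived keystream XOR stands in for XML encryption, and the token keys are derived from made-up secrets rather than a real UsernameToken password or an X.509 certificate. It only shows what the directional check buys the client (a forged reply and a reflected request are both thrown out); it does not try to model why WSE treats the username-only configuration as insecure.

```python
"""Constructed model of the two-token mutual protection described in the thread.
Stand-ins: HMAC-SHA256 for the XML signature, HMAC keystream XOR for XML
encryption, PBKDF2 from made-up secrets for the token keys. Not WSE code."""
import hashlib
import hmac
import os
from typing import Optional


def derive_token_key(secret: str, salt: bytes) -> bytes:
    """Symmetric key derived from a shared secret (stand-in for the key WSE
    derives from a UsernameToken password, or for a certificate's key)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream for the demo only; not a real cipher choice.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(body: bytes, sign_key: bytes, encrypt_key: Optional[bytes]) -> dict:
    """Encrypt the body with one token (if given), then sign the result with the other."""
    if encrypt_key is None:
        payload, nonce = body, None              # signature-only message
    else:
        nonce = os.urandom(16)
        payload = _xor(body, _keystream(encrypt_key, nonce, len(body)))
    return {"payload": payload, "nonce": nonce, "sig": sign(sign_key, payload)}


def unprotect(msg: dict, verify_key: bytes, decrypt_key: Optional[bytes]) -> Optional[bytes]:
    """Policy check on a received message: the signature must verify under the
    token the policy expects, then the body is decrypted with the other token.
    Returns None when the message is rejected."""
    if not hmac.compare_digest(msg["sig"], sign(verify_key, msg["payload"])):
        return None
    if msg["nonce"] is None:
        return msg["payload"]
    if decrypt_key is None:
        return None
    return _xor(msg["payload"], _keystream(decrypt_key, msg["nonce"], len(msg["payload"])))


def run_exchange() -> dict:
    """One request/response round trip under the two-token policy, plus two
    messages the client's check must reject."""
    salt = b"constructed-salt"
    token_a = derive_token_key("julie:constructed-password", salt)   # client's UsernameToken key
    token_b = derive_token_key("service-cert-standin", salt)         # service's token key

    # Client -> service: signed with A, encrypted with B.
    request = protect(b"<GetBalance/>", sign_key=token_a, encrypt_key=token_b)
    # Service-side check: verify with A, decrypt with B.
    request_body = unprotect(request, verify_key=token_a, decrypt_key=token_b)

    # Service -> client: encrypted with A, signed with B.
    genuine = protect(b"<Balance>42</Balance>", sign_key=token_b, encrypt_key=token_a)
    # Something a party holding neither token could produce.
    forged = protect(b"<Balance>0</Balance>", sign_key=b"no-token", encrypt_key=None)
    # The client's own request bounced back: right tokens, wrong direction.
    reflected = request

    def client_check(msg: dict) -> Optional[bytes]:
        # Client-side policy: response must be signed with B and encrypted with A.
        return unprotect(msg, verify_key=token_b, decrypt_key=token_a)

    return {
        "service_read_request": request_body == b"<GetBalance/>",
        "genuine_accepted": client_check(genuine) == b"<Balance>42</Balance>",
        "forged_accepted": client_check(forged) is not None,
        "reflected_accepted": client_check(reflected) is not None,
    }


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name}: {ok}")
```

The point of the `reflected` case is the one Hervey makes about direction: because the client expects the response signed with the service's token and encrypted with its own, a message protected the other way round (the request's own protection) fails the check even though it was built with the correct keys.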


