Re: How Secure Are Username Token Encrypted Messages


From: Martin Kulov (kulov_at_bezbokluk.abv.bg)
Date: 12/08/04


Date: Wed, 08 Dec 2004 09:39:38 -0800

Hi Josh,

Basically you need some kind of shared secret in order to make a secure transmission. When you are using UsernameToken to sign and encrypt the body you are protecting the body, but to let the receiver decrypt the message the UsernameToken is transmitted in plain text, i.e. your password is not protected. A better solution is to use Secure Conversation as it is described in the HOL. This way you will have your UsernameToken encrypted using the public key of the X.509 certificate from the receiver. At the sender you will receive the shared secret encrypted and signed using the UsernameToken sent. When you have exchanged the shared secret, all following messages will use it for encryption and signing.

HTH,

Martin Kulov
http://www.codeattest.com

MCAD Charter Member
MCSD.NET Early Achiever
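
An added example, not part of the original post: a check over a captured SOAP envelope that reports whether a `wsse:UsernameToken` is readable on the wire even though the body is encrypted, which is the exposure the reply describes. It assumes the OASIS WS-Security 1.0 and XML Encryption namespaces; the envelopes, the user name and the `audit_envelope` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, prefer defusedxml

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def audit_envelope(envelope_xml):
    """Report UsernameTokens readable on the wire and encrypted header items."""
    root = ET.fromstring(envelope_xml)
    exposed = []
    for token in root.iter(f"{{{WSSE}}}UsernameToken"):
        user = token.findtext(f"{{{WSSE}}}Username", default="")
        pw = token.find(f"{{{WSSE}}}Password")
        if pw is None:
            kind = "username-only"
        else:
            # The UsernameToken profile treats a missing Type as PasswordText.
            ptype = pw.get("Type", PROFILE + "#PasswordText")
            kind = "cleartext-password" if ptype.endswith("#PasswordText") else "password-digest"
        exposed.append((user, kind))
    header = root.find(f"{{{SOAP}}}Header")
    encrypted = 0 if header is None else len(list(header.iter(f"{{{XENC}}}EncryptedData")))
    return {"exposed_tokens": exposed, "encrypted_header_items": encrypted}

def _envelope(security_children):
    # Constructed sample: SOAP 1.1 envelope whose body is already encrypted.
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
            f'<s:Header><wsse:Security>{security_children}</wsse:Security></s:Header>'
            '<s:Body><xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>AAAA'
            '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></s:Body></s:Envelope>')

# Constructed: body encrypted, but the token itself travels readable.
PLAIN_TOKEN = _envelope(
    '<wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
    f'<wsse:Password Type="{PROFILE}#PasswordText">example-password</wsse:Password>'
    '</wsse:UsernameToken>')

# Constructed: the token has been replaced by EncryptedData in the header.
ENCRYPTED_TOKEN = _envelope(
    '<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>BBBB'
    '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')

if __name__ == "__main__":
    for name, xml in (("plain", PLAIN_TOKEN), ("encrypted", ENCRYPTED_TOKEN)):
        print(name, audit_envelope(xml))
```

An empty `exposed_tokens` list together with a non-zero `encrypted_header_items` count is what a trace looks like once the token is encrypted to the receiver's certificate.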