Re: UserNameToken with SendNone on Password


From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 02/15/05


Date: Mon, 14 Feb 2005 20:46:36 -0500

You could do it with sockets and no XML if you wanted. However, SCTs are a WSE
thing. If you're not using WS-*, then there is probably no need for this. You could
use the same idea, however, to do a shared key exchange. I would probably use
Diffie-Hellman at that point, or SRP.

-- 
William Stacey, MVP
http://mvp.support.microsoft.com
"James Han***" <~jamie@darwinconsulting.com> wrote in message
news:#RkXBuvEFHA.3276@TK2MSFTNGP10.phx.gbl...
> Ok, so I don't want to use this with soap stuff really, I only want to use
> it for Web Services.  Do I have to use pure soap messaging or can I do it
> with a pure web service?
>
> "SA" <informatica@freemail.nl> wrote in message
> news:OfS$47tEFHA.2156@TK2MSFTNGP10.phx.gbl...
> > James,
> >
> > I suggest you look at my sample, hopefully that will help out.
> >
> > .SendRequestResponse is inherited from SoapClient
> > (Microsoft.Web.Services2.Messaging namespace).
> >
> > -- 
> >
> >
> > Sven.
> >
> > "James Han***" <~jamie@darwinconsulting.com> wrote in message
> > news:#dvrcjtEFHA.228@TK2MSFTNGP15.phx.gbl...
> >> Also need ArraysEqual and ToUTCDateTime and
> >> SnkUtil.GetPublicKeyFromAssembly
> >>
> >> And where does base.SendRequestResponse come from?  I.e. what class does the
> >> Client method go into and what does that class inherit from?
> >>
> >> Thanks again!
> >>
> >> "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> >> news:%23z3vU8kEFHA.3648@TK2MSFTNGP10.phx.gbl...
> >> > Here are those two methods:
> >> >
> >> > public static byte[] RijndaelEncrypt(ICryptoTransform encryptor, byte[] data)
> >> > {
> >> >     if ( encryptor == null )
> >> >         throw new ArgumentNullException("encryptor");
> >> >     if ( data == null )
> >> >         throw new ArgumentNullException("data");
> >> >
> >> >     //Encrypt the data.
> >> >     using(MemoryStream msEncrypt = new MemoryStream())
> >> >     using(CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
> >> >     {
> >> >         //Write all data to the crypto stream and flush it.
> >> >         csEncrypt.Write(data, 0, data.Length);
> >> >         csEncrypt.FlushFinalBlock();
> >> >
> >> >         //Get encrypted array of bytes.
> >> >         byte[] encrypted = msEncrypt.ToArray();
> >> >         return encrypted;
> >> >     }
> >> > }
> >> >
> >> > public static byte[] RijndaelDecrypt(ICryptoTransform decryptor, byte[] encrypted)
> >> > {
> >> >     if ( decryptor == null )
> >> >         throw new ArgumentNullException("decryptor");
> >> >     if ( encrypted == null )
> >> >         throw new ArgumentNullException("encrypted");
> >> >
> >> >     using(MemoryStream msDecrypt = new MemoryStream(encrypted))
> >> >     using(CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
> >> >     {
> >> >         //Plaintext can never be longer than the ciphertext.
> >> >         byte[] fromEncrypt = new byte[encrypted.Length];
> >> >
> >> >         int read = csDecrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
> >> >         if ( read < fromEncrypt.Length )
> >> >         {
> >> >             //Padding was removed, so trim the buffer to the bytes actually read.
> >> >             byte[] clearBytes = new byte[read];
> >> >             Buffer.BlockCopy(fromEncrypt, 0, clearBytes, 0, read);
> >> >             return clearBytes;
> >> >         }
> >> >         return fromEncrypt;
> >> >     }
> >> > }
> >> >
> >> > -- 
> >> > William Stacey, MVP
> >> > http://mvp.support.microsoft.com
> >> >
> >> > "James Han***" <~jamie@darwinconsulting.com> wrote in message
> >> > news:Oe76xieEFHA.3120@TK2MSFTNGP12.phx.gbl...
> >> >> William could you do me a favour and post a full sample application with
> >> >> what you've done with the latest code somewhere? Because I'm getting all
> >> >> kinds of compile errors and getting confused as to which version requires
> >> >> which and I can't find the methods like Utils.RijndaelEncrypt in any of
> >> >> the sample stuff you put up etc.  This definitely looks like the best
> >> >> possible solution to the problem, I just need a little more help to get it
> >> >> working :)
> >> >>
> >> >> Thanks!
> >> >>
> >> >> And MS: Please put something like this directly into WSE as a good
> >> >> replacement for shared secret that you took out of WSE 1.0
> >> >>
> >> >> Thanks!
> >> >> James Han***
> >> >>
> >> >> "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> >> >> news:eBOZ8g$DFHA.1600@TK2MSFTNGP10.phx.gbl...
> >> >> > I have SP2 so can't tell if it is a SP1 issue.  I would probably just
> >> >> > install SP2 so you have fewer variables to test.
> >> >> > Then just sign a message using SCT to see if that works first.  If that
> >> >> > works, then use a derived token from the SCT to see if that works.  If
> >> >> > not, please post the error and the client web method code.  TIA.
> >> >> >
> >> >> > -- 
> >> >> > William Stacey, MVP
> >> >> > http://mvp.support.microsoft.com
> >> >> >
> >> >> > "SA" <informatica@freemail.nl> wrote in message
> >> >> > news:OShwuT9DFHA.624@TK2MSFTNGP09.phx.gbl...
> >> >> >> William:
> >> >> >>
> >> >> >> In WSE 2.0 SP 1, for me, creating a derived key from an SCT based on a
> >> >> >> UsernameToken fails...
> >> >> >>
> >> >> >> Is this me, or is this indeed a known problem?
> >> >> >>
> >> >> >> -- 
> >> >> >>
> >> >> >>
> >> >> >> Sven.
> >> >> >>
> >> >> >> "William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
> >> >> >> news:ekoptnyDFHA.3840@tk2msftngp13.phx.gbl...
> >> >> >> > IMO, you don't want to use UsernameTokens (UT) with send none, send
> >> >> >> > hashed, or send clear - period.  What you want to use is
> >> >> >> > SecurityContextTokens (SCT).  If you only use UT, you can ~easily figure
> >> >> >> > out the password via the hash or the signature.  Get a SCT and sign and
> >> >> >> > encrypt your body with a SCT - you then don't need UTs.  Only accept soap
> >> >> >> > bodies with signatures in your server methods.  Also use a DerivedToken
> >> >> >> > of your SCT to mix it up after each call.  You can get a SCT via std WSE
> >> >> >> > HTTP or soap.tcp.  I have a blog on getting SCT using soap.tcp using
> >> >> >> > public key at
> >> >> >> > http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry
> >> >> >> >
> >> >> >> > -- 
> >> >> >> > William Stacey, MVP
> >> >> >> > http://mvp.support.microsoft.com
> >> >> >> >
> >> >> >> > "James Han***" <~jamie@darwinconsulting.com> wrote in message
> >> >> >> > news:OYDnq#tDFHA.2676@TK2MSFTNGP12.phx.gbl...
> >> >> >> > > Ok, so I have been looking and looking for a solution that is simple
> >> >> >> > > and elegant and easy to maintain (see previous post) that replaces the
> >> >> >> > > WSE 1.0 shared secret stuff. I have read through the post about using
> >> >> >> > > UserNameToken and just not passing the password and thus both sides
> >> >> >> > > basically use the password as the shared secret.
> >> >> >> > >
> >> >> >> > > However, I cannot get this to work. If I set it to SendNone with the
> >> >> >> > > password, then I get an error telling me that the soap message
> >> >> >> > > encryption isn't the same (basically that's the message).
> >> >> >> > >
> >> >> >> > > What am I doing wrong?
> >> >> >> > >
> >> >> >> > > I put the password into the constructor for the UserNameToken, and
> >> >> >> > > sendNone and on the other side I've overridden the token manager and on
> >> >> >> > > authentication I return the real password as plain text.
> >> >> >> > >
> >> >> >> > > Thanks!
> >> >> >> > >
> >> >> >> > > (Sidd: thanks for your comments, if MS had a nice sample for doing
> >> >> >> > > shared secret correctly in the help or online all of this stuff would
> >> >> >> > > be solved and I would be happy :)... sounds like there are a lot of
> >> >> >> > > others in here with the same problem)
> >> >> >> > >
> >> >> >> > >
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >
> >> >>
> >> >>
> >> >
> >>
> >>
> >
> >
>
>
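William's RijndaelEncrypt/RijndaelDecrypt helpers above take an already-built ICryptoTransform, which leaves key derivation, IV handling and padding to the caller. The following is an added example (not code from the thread or from WSE) showing those caller-side pieces end to end for the password-as-shared-secret setup James describes: PBKDF2 key derivation, a fresh IV sent with each message, and padding removal on the receiving side. It assumes .NET 4.0 or later (Rfc2898DeriveBytes, Stream.CopyTo); the salt, iteration count and sample body are constructed values, and the class and method names are mine.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
static class SharedSecretDemo
{
    // PBKDF2 from the shared password. Assumed: both ends use the same (constructed) salt and count.
    static byte[] DeriveKey(string password)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, Encoding.ASCII.GetBytes("constructed-salt"), 10000))
            return kdf.GetBytes(32);                         // 256-bit key
    }
    // Returns IV || ciphertext. No MAC here: the thread's advice is to sign the body as well.
    static byte[] Seal(string password, byte[] plaintext)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        using (MemoryStream ms = new MemoryStream())
        {
            aes.Key = DeriveKey(password);
            aes.GenerateIV();                                // fresh random IV per message
            ms.Write(aes.IV, 0, aes.IV.Length);              // IV travels with the ciphertext
            using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(plaintext, 0, plaintext.Length);
                cs.FlushFinalBlock();                        // emits the final padded block
            }
            return ms.ToArray();
        }
    }
    // Rebuilds the decryptor from the leading IV. A wrong password usually shows up as a
    // CryptographicException from the padding check, never as a clean "bad key" error.
    static byte[] Open(string password, byte[] blob)
    {
        byte[] iv = new byte[16];                            // RijndaelManaged default block size
        Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
        using (RijndaelManaged aes = new RijndaelManaged())
        using (MemoryStream input = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
        using (MemoryStream output = new MemoryStream())
        {
            aes.Key = DeriveKey(password);
            aes.IV = iv;
            using (CryptoStream cs = new CryptoStream(input, aes.CreateDecryptor(), CryptoStreamMode.Read))
                cs.CopyTo(output);                           // the transform strips the PKCS7 padding
            return output.ToArray();
        }
    }
    static void Main()                                       // round trip on a constructed sample body
    {
        byte[] body = Encoding.UTF8.GetBytes("<Body>order 42</Body>");
        Console.WriteLine(Encoding.UTF8.GetString(Open("pw", Seal("pw", body))));
    }
}
```

Because the ciphertext carries no integrity check, a receiver that only decrypts cannot tell a tampered body from a genuine one, which is why the thread pairs encryption with signed bodies.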
