Re: WSE 2.0 SP2: UsernameTokens must be encrypted to request SCT?


From: Sidd (ElCid_at_hotmail.com)
Date: 02/15/05


Date: Tue, 15 Feb 2005 13:36:20 -0800

Hi William,

    Yes, the article is accurate in its description of using a
UsernameToken to sign the initial RST. In WSE2 SP2 we require the client to
have encrypted the username token somehow, either with the server's cert or
with https, but sending a plain RST signed with a username token in plain is
bad news, and many people were doing it.

    Of course there are ways to work around that. Currently, the check is
made both at the client and the service, and as always you can override the
default behavior to disable this checking.

    Hope this answers your question.

Thanks,

Sidd [MSFT]

"SA" <informatica@freemail.nl> wrote in message
news:eAP5CjFEFHA.464@TK2MSFTNGP15.phx.gbl...
>
> >
> > If it does not matter, then don't even require a password or security.
> > Just keep it open. If it does require security, then don't use UTs unless
> > you are using SSL or have a SCT and can encrypt them. If you can't use
> > certs to get a SCT, have a look at my post on using just the public rsa
> > key to get a SCT at
> >
> > http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry
> >
> Interesting article, thanks. Need to work my way through it (and all
> previous ones...), but basically you're using a key file made with the
> StrongName tool? Good idea...
>
> I meant actually that we need to keep track of logins for "auditing" and
> it's not a public web service either. So, we need some authentication
> mechanism. Some customers might be able to use Kerberos or X.509, but most
> won't. (this is for development of a commercial product)
>
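The rule Sidd describes (a UsernameToken that signs the initial RST must itself be protected, either encrypted under the server's certificate or carried over https) is easy to state but worth seeing as a concrete service-side gate. The following is an added example, not WSE code and not from either poster: it inspects the wsse:Security header of a SOAP envelope and rejects an RST whose UsernameToken is readable in the clear on a non-https transport. It assumes the WSE convention that an encrypted token arrives as an xenc:EncryptedData element in place of the UsernameToken; the envelopes, usernames and digest values are constructed placeholders.

```python
# Added example: service-side check for the WSE 2.0 SP2 rule that a UsernameToken
# used to sign an RST must be encrypted (e.g. under the server's cert) or sent
# over https. Not WSE's own code; the sample envelopes below are constructed.
import xml.etree.ElementTree as ET
from typing import Tuple

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def check_rst(envelope_xml: str, over_https: bool) -> Tuple[bool, str]:
    """Return (accept, reason).

    Accept the RST only if no UsernameToken is readable as a direct child of
    wsse:Security, or if the message arrived over https. An encrypted token is
    assumed to show up as xenc:EncryptedData instead of wsse:UsernameToken.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    if header is None:
        return False, "no SOAP header, so no Security header to evaluate"

    plaintext_tokens = 0
    encrypted_parts = 0
    for security in header.findall("wsse:Security", NS):
        for child in security:
            if child.tag == "{%s}UsernameToken" % NS["wsse"]:
                plaintext_tokens += 1          # readable credential material
            elif child.tag == "{%s}EncryptedData" % NS["xenc"]:
                encrypted_parts += 1           # token (or other part) under encryption

    if plaintext_tokens == 0:
        return True, "no plaintext UsernameToken (%d encrypted part(s))" % encrypted_parts
    if over_https:
        return True, "plaintext UsernameToken, but transport is https"
    return False, "plaintext UsernameToken over an unprotected transport"


# Constructed sample: UsernameToken sent in the clear (the pattern SP2 rejects).
PLAIN_RST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">CONSTRUCTED-DIGEST</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body><RequestSecurityToken xmlns="http://schemas.xmlsoap.org/ws/2004/04/trust"/></s:Body>
</s:Envelope>"""

# Constructed sample: the same token encrypted under the server's cert, so the
# Security header carries an EncryptedKey plus EncryptedData instead of the token.
ENCRYPTED_RST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptedKey><xenc:CipherData><xenc:CipherValue>CONSTRUCTED-WRAPPED-KEY</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
      <xenc:EncryptedData Id="EncUsernameToken">
        <xenc:CipherData><xenc:CipherValue>CONSTRUCTED-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </wsse:Security>
  </s:Header>
  <s:Body><RequestSecurityToken xmlns="http://schemas.xmlsoap.org/ws/2004/04/trust"/></s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    for name, env, https in (("plain/http", PLAIN_RST, False),
                             ("plain/https", PLAIN_RST, True),
                             ("encrypted/http", ENCRYPTED_RST, False)):
        accept, reason = check_rst(env, https)
        print("%-15s %s: %s" % (name, "ACCEPT" if accept else "REJECT", reason))
```

The check mirrors what the thread says happens on both ends in SP2: the service refuses the plaintext token over http, accepts it over https, and accepts an encrypted token regardless of transport. Disabling it, as Sidd notes is possible, re-opens the case where the digest-bearing token is visible to anyone on the path.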


