Re: Encrypt a UsernameToken Authenticated WSE Response



One additional question:

How is the data secured now? I think that the key is a combination of
username and password and the data is symmetrically encrypted, but then a hacker
can read those values and decrypt it?

"AndiRudi" wrote:

> OK, I got it :) Will make an article about that soon
>
> "AndiRudi" wrote:
>
> > Thanks,
> >
> > meanwhile I tried the examples in the WSE2 documentation named "Encrypt (or
> > Decrypt) a SOAP Message by Using a Username and Password". I send my password
> > hashed and also have a working AuthenticateUser method overridden and
> > registered in web.config. But when I start my client application and call my
> > HelloWorld() method I get an exception... Mutable Security Token has to be
> > added into the tokens collection. I even have no trace, which is a big problem.
> > I've switched on the trace in both projects and have set all directory write
> > accesses, but there are still no trace files.
> >
> > Codes: (http://localhost/WSETest/service1.asmx and my client app is in
> > wwroot/wseclient)
> >
> > client:
> > WSEClient.localhost.Service1Wse proxy = new WSEClient.localhost.Service1Wse();
> > UsernameToken userToken = new UsernameToken("Andreas", "test", PasswordOption.SendHashed);
> > // A mutable token (UsernameToken) must be in the Tokens collection before an
> > // EncryptedData element references it; this is what the exception complains about.
> > proxy.RequestSoapContext.Security.Tokens.Add(userToken);
> > EncryptedData encrypt = new EncryptedData(userToken);
> > proxy.RequestSoapContext.Security.Elements.Add(encrypt);
> > proxy.RequestSoapContext.Security.Timestamp.TtlInSeconds = 300;
> > MessageBox.Show(proxy.HelloWorld());
> >
> > clientpolicy:
> > <?xml version="1.0" encoding="utf-8"?>
> > <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
> >   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
> >     <endpoint uri="http://localhost/WSETests/Service1.asmx">
> >       <defaultOperation>
> >         <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
> >         <response policy="" />
> >         <fault policy="" />
> >       </defaultOperation>
> >     </endpoint>
> >   </mappings>
> >   <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >     <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
> >                 xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
> >                 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
> >       <wssp:Confidentiality wsp:Usage="wsp:Required"
> >                             xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >         <wssp:KeyInfo>
> >           <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >             <wssp:Claims>
> >               <wssp:UsePassword Type="wssp:PasswordDigest" wsp:Usage="wsp:Required" />
> >             </wssp:Claims>
> >           </SecurityToken>
> >         </wssp:KeyInfo>
> >         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
> >           wsp:Body()
> >         </wssp:MessageParts>
> >       </wssp:Confidentiality>
> >     </wsp:Policy>
> >   </policies>
> > </policyDocument>
> >
> > service:
> > [WebMethod]
> > public string HelloWorld()
> > {
> >     // Get the current SOAP context
> >     SoapContext ctxt = RequestSoapContext.Current;
> >     if (ctxt == null)
> >     {
> >         return "Please format the request as a SOAP request and try again.";
> >     }
> >
> >     // Iterate through all security tokens on the request
> >     foreach (SecurityToken tok in ctxt.Security.Tokens)
> >     {
> >         if (tok is UsernameToken)
> >         {
> >             UsernameToken user = (UsernameToken)tok;
> >             return "Hello Authenticated user " + user.Username;
> >         }
> >     }
> >     return "Hello Liar";
> > }
> >
> > ServicePolicy:
> > <?xml version="1.0" encoding="utf-8"?>
> > <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
> >   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
> >     <endpoint uri="http://localhost/WSETests/Service1.asmx">
> >       <defaultOperation>
> >         <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
> >         <response policy="" />
> >         <fault policy="" />
> >       </defaultOperation>
> >     </endpoint>
> >   </mappings>
> >   <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >     <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
> >                 xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
> >                 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
> >       <wssp:Confidentiality wsp:Usage="wsp:Required"
> >                             xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >         <wssp:KeyInfo>
> >           <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >             <wssp:Claims>
> >               <wssp:UsePassword Type="wssp:PasswordDigest" wsp:Usage="wsp:Required" />
> >             </wssp:Claims>
> >           </SecurityToken>
> >         </wssp:KeyInfo>
> >         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
> >           wsp:Body()
> >         </wssp:MessageParts>
> >       </wssp:Confidentiality>
> >     </wsp:Policy>
> >   </policies>
> > </policyDocument>
> >
> > Maybe you or anyone see's the failure.
> > Thanks, trying that for 3 days now...
> >
> >
> >
> >
> > "casey chesnut" wrote:
> >
> > > You can encrypt with a UsernameToken too.
> > > Both the client and the server know the password,
> > > so that is used to generate a key to encrypt with.
> > >
> > > On the client Request you add something like this line:
> > > serviceProxy.RequestSoapContext.Security.Elements.Add(new EncryptedData(token));
> > >
> > > The server Response adds something like this:
> > > ResponseSoapContext.Current.Security.Tokens.Add(usernameToken);
> > > ResponseSoapContext.Current.Security.Elements.Add(new MessageSignature(usernameToken));
> > > ResponseSoapContext.Current.Security.Elements.Add(new EncryptedData(usernameToken));
> > >
> > > Thanks,
> > > casey
> > > http://www.brains-N-brawn.com
> > >
> > >
> > > "AndiRudi" <AndiRudi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:B7D49B82-C019-4262-BC3C-D8E3B97C8EB2@xxxxxxxxxxxxxxxx
> > > > Is there any other possibility than X.509 to encrypt a Response? Something
> > > > symmetric would be nice.
> > >
> > >
> > >
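To make the question at the top of this post concrete, here is an added example (my own code, not from any post in this thread and not WSE's implementation) written in Python rather than C# so it runs without WSE installed. It models what a UsernameToken-protected message looks like on the wire: username, nonce, created timestamp and PasswordDigest, plus a body encrypted under a key derived from the shared password. The PasswordDigest formula is the one from the WS-Security UsernameToken Profile 1.0 (Base64 of SHA-1 over nonce + created + password); the key derivation (`derive_key`) and the HMAC-counter stream cipher (`keystream_xor`) are stand-ins I have assumed for illustration, not WSE's actual algorithms. The password itself never goes on the wire, so an eavesdropper cannot simply read the key. What the eavesdropper can do is shown in `offline_guess`: check candidate passwords against the captured digest without ever touching the server. The sample body and wordlist are constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed example: the shape of a WS-Security UsernameToken exchange with the
# SOAP body encrypted under a password-derived key. Marked assumptions are mine;
# this is not WSE code.

CREATED = "2005-03-01T10:00:00Z"   # fixed wsu:Created so runs are comparable


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def derive_key(password: str, nonce: bytes, created: str) -> bytes:
    """Per-message symmetric key from the shared password.
    ASSUMPTION: an HMAC-based derivation standing in for WSE's own; only the shape
    matters here (secret password in, per-message key out, key never transmitted)."""
    return hmac.new(password.encode(), b"enc-key|" + nonce + created.encode(),
                    hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode XORed over data.
    Stand-in for AES so the example needs only the standard library; not for real use.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_message(username: str, password: str, body: bytes, nonce: bytes = None) -> dict:
    """What the client puts on the wire: the UsernameToken header fields plus the
    encrypted body. The password is NOT included, only its digest."""
    nonce = nonce or os.urandom(16)
    key = derive_key(password, nonce, CREATED)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": CREATED,
        "PasswordDigest": password_digest(nonce, CREATED, password),
        "CipherData": base64.b64encode(keystream_xor(key, body)).decode(),
    }


def decrypt_message(msg: dict, password: str) -> bytes:
    """Server side: the password for msg['Username'] comes from the server's own
    store (what AuthenticateToken returns in WSE). Verify the digest, then derive
    the same key and decrypt."""
    nonce = base64.b64decode(msg["Nonce"])
    expected = password_digest(nonce, msg["Created"], password)
    if not hmac.compare_digest(expected, msg["PasswordDigest"]):
        raise ValueError("PasswordDigest mismatch: wrong password or tampered header")
    key = derive_key(password, nonce, msg["Created"])
    return keystream_xor(key, base64.b64decode(msg["CipherData"]))


def offline_guess(msg: dict, candidates) -> str:
    """What an eavesdropper can do with the captured header alone: test candidate
    passwords against the PasswordDigest. No further contact with the server is
    needed, so account lockout and rate limiting never trigger."""
    nonce = base64.b64decode(msg["Nonce"])
    for cand in candidates:
        if password_digest(nonce, msg["Created"], cand) == msg["PasswordDigest"]:
            return cand
    return None


if __name__ == "__main__":
    body = b'<HelloWorld xmlns="http://tempuri.org/" />'
    captured = build_message("Andreas", "test", body)          # weak password, as in the post
    print("on the wire:", captured)
    guessed = offline_guess(captured, ["123456", "password", "test"])
    print("recovered password:", guessed)
    print("recovered body:", decrypt_message(captured, guessed))
```

The answer to "can a hacker read those values and decrypt it?" is therefore: not directly, since the key is derived from the password and the password is never sent, but the digest (and, failing that, the ciphertext itself, which can be trial-decrypted and checked for well-formed XML) lets an attacker verify guesses offline, so the confidentiality of the body is bounded by the entropy of the password. A password like "test" falls in the first few guesses; this is why a UsernameToken-derived key is only reasonable over a transport that already protects the message (TLS) or for strong, machine-generated passwords, and why X.509-based encryption removes the problem entirely.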