Re: Encrypt a UsernameToken Authenticated WSE Response



You can dictionary attack the pw digest pretty easily in the UT to get the pw.
Once you have the pw, you can generate the symmetric key, as all the needed info
is in the message. I blogged some code on doing this at:
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!178.entry

--
William Stacey, MVP
http://mvp.support.microsoft.com

"casey chesnut" <casey@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:#5rEOIYNFHA.508@xxxxxxxxxxxxxxxxxxxxxxx
> the key is derived with a P_SHA1 algorithm.
> using the password, the label WS-Security, the nonce, and created date.
> P_SHA1 can generate keys of different lengths,
> so it could do TripleDES or AES128.
>
> so as long as you are passing a password digest,
> then a hacker cannot generate that key without knowing the password.
> that password should already be a shared secret between the client and
> server,
> and is just used to generate the session key to encrypt.
> the session key will be different each time because of the nonce and date.
>
> Thanks,
> casey
> http://www.brains-N-brawn.com
>
>
> "AndiRudi" <AndiRudi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:5CDFC579-18F5-4D5C-808E-8C6D25013CB4@xxxxxxxxxxxxxxxx
> > One additional question:
> >
> > how is the data secured now? I think that the key is a combination of
> > username and password and the data is symmetrically encrypted, but then a
> > hacker can read those values and decrypt it?
> >
> > "AndiRudi" wrote:
> >
> >> OK I got it :) Will make an article about that soon
> >>
> >> "AndiRudi" wrote:
> >>
> >> > Thanks,
> >> >
> >> > meanwhile I tried the examples in the WSE2 documentation named "Encrypt
> >> > (or Decrypt) a SOAP Message by Using a Username and Password". I send my
> >> > password hashed and also have a working AuthenticateUser method overwritten
> >> > and registered in web.config. But when I start my client application and
> >> > call my HelloWorld() method I get an exception: "Mutable Security Token has
> >> > to be added into the tokens collection." I don't even have a trace, that's
> >> > a big problem. I've switched on the trace in both projects and have set all
> >> > directory write accesses, but there are still no trace files.
> >> >
> >> > Codes: (http://localhost/WSETest/service1.asmx and my client app is in
> >> > wwroot/wseclient)
> >> >
> >> > client:
> >> > WSEClient.localhost.Service1Wse proxy = new localhost.Service1Wse();
> >> > UsernameToken userToken = new UsernameToken("Andreas", "test", PasswordOption.SendHashed);
> >> > EncryptedData encrypt = new EncryptedData(userToken);
> >> > proxy.RequestSoapContext.Security.Elements.Add(encrypt);
> >> > proxy.RequestSoapContext.Security.Timestamp.TtlInSeconds = 300;
> >> > MessageBox.Show(proxy.HelloWorld());
> >> >
> >> > clientpolicy:
> >> > <?xml version="1.0" encoding="utf-8"?>
> >> > <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
> >> >   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
> >> >     <endpoint uri="http://localhost/WSETests/Service1.asmx">
> >> >       <defaultOperation>
> >> >         <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
> >> >         <response policy="" />
> >> >         <fault policy="" />
> >> >       </defaultOperation>
> >> >     </endpoint>
> >> >   </mappings>
> >> >   <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >> >     <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
> >> >                 xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
> >> >                 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
> >> >       <wssp:Confidentiality wsp:Usage="wsp:Required"
> >> >                             xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >> >         <wssp:KeyInfo>
> >> >           <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >> >             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >> >             <wssp:Claims>
> >> >               <wssp:UsePassword Type="wssp:PasswordDigest" wsp:Usage="wsp:Required" />
> >> >             </wssp:Claims>
> >> >           </SecurityToken>
> >> >         </wssp:KeyInfo>
> >> >         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
> >> >           wsp:Body()
> >> >         </wssp:MessageParts>
> >> >       </wssp:Confidentiality>
> >> >     </wsp:Policy>
> >> >   </policies>
> >> > </policyDocument>
> >> >
> >> > service:
> >> > [WebMethod]
> >> > public string HelloWorld()
> >> > {
> >> >     // Get the current SOAP context
> >> >     SoapContext ctxt = RequestSoapContext.Current;
> >> >     if (ctxt == null)
> >> >     {
> >> >         return "Please format the request as a SOAP request and try again.";
> >> >     }
> >> >
> >> >     // Iterate through all security tokens
> >> >     foreach (SecurityToken tok in ctxt.Security.Tokens)
> >> >     {
> >> >         if (tok is UsernameToken)
> >> >         {
> >> >             UsernameToken user = (UsernameToken)tok;
> >> >             return "Hello Authenticated user " + user.Username;
> >> >         }
> >> >     }
> >> >     return "Hello Liar";
> >> > }
> >> >
> >> > ServicePolicy:
> >> > <?xml version="1.0" encoding="utf-8"?>
> >> > <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
> >> >   <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
> >> >     <endpoint uri="http://localhost/WSETests/Service1.asmx">
> >> >       <defaultOperation>
> >> >         <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
> >> >         <response policy="" />
> >> >         <fault policy="" />
> >> >       </defaultOperation>
> >> >     </endpoint>
> >> >   </mappings>
> >> >   <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >> >     <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
> >> >                 xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
> >> >                 xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
> >> >       <wssp:Confidentiality wsp:Usage="wsp:Required"
> >> >                             xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >> >         <wssp:KeyInfo>
> >> >           <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
> >> >             <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
> >> >             <wssp:Claims>
> >> >               <wssp:UsePassword Type="wssp:PasswordDigest" wsp:Usage="wsp:Required" />
> >> >             </wssp:Claims>
> >> >           </SecurityToken>
> >> >         </wssp:KeyInfo>
> >> >         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
> >> >           wsp:Body()
> >> >         </wssp:MessageParts>
> >> >       </wssp:Confidentiality>
> >> >     </wsp:Policy>
> >> >   </policies>
> >> > </policyDocument>
> >> >
> >> > Maybe you or anyone sees the failure.
> >> > Thanks, I've been trying that for 3 days now...
> >> >
> >> >
> >> >
> >> >
> >> > "casey chesnut" wrote:
> >> >
> >> > > you can encrypt with a UsernameToken too.
> >> > > both the client and the server know the password,
> >> > > so that is used to generate a key to encrypt with.
> >> > >
> >> > > on the client Request you add something like this line:
> >> > > serviceProxy.RequestSoapContext.Security.Elements.Add(new
> >> > > EncryptedData(token));
> >> > >
> >> > > the server Response adds something like this :
> >> > > ResponseSoapContext.Current.Security.Tokens.Add(usernameToken);
> >> > > ResponseSoapContext.Current.Security.Elements.Add(new
> >> > > MessageSignature(usernameToken));
> >> > > ResponseSoapContext.Current.Security.Elements.Add(new
> >> > > EncryptedData(usernameToken));
> >> > >
> >> > > Thanks,
> >> > > casey
> >> > > http://www.brains-N-brawn.com
> >> > >
> >> > >
> >> > > "AndiRudi" <AndiRudi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> > > news:B7D49B82-C019-4262-BC3C-D8E3B97C8EB2@xxxxxxxxxxxxxxxx
> >> > > > Is there any other possibility than x509 to encrypt a Response?
> >> > > > Something symmetric would be nice.
> >> > >
> >> > >
> >> > >
>
>
