Re: how can we restrict what certificate WSE will use?

thanks Steven, I'll be using a X509 certificate.
will the custom X509SecurityTokenManager be called before decryption and
signature verification?
you mentioned 'since his private key is not valid so, the signature of his
message won't be able to be verified', actually I think the hacker can send
in a request signed with his valid private key, and since his public key is
sent alone with the request, so WSE2 can verify the request signature
successfully, true?
does WSE2 called X509SecurityTokenManager to validate a certificate before
verifying request signature?

thanks,
-Jason

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:TF7tg7MvFHA.780@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jason,
>
> As for the question on the X509 certificate verification in .net
webservice
> using WSE, here are some of my understanding and suggestions:
>
> When a hacker use your public key (server certificate) to encrypte the
> message, it's ok. However, since his private key is not valid so, the
> signature of his message won't be able to be verified at the serverside.
> Also, we must have authentication protection at serverside through
> securityTokens(UsernameToken or X509CertificateToken ...). So are you
> using X509CertificateToken for authentication? If so you can consider
> defining a custom TokenManager class for X509Certificate Authentication.
> We can create such a class which dervied from the
>
> Microsoft.Web.Services2.Security.Tokens.X509SecurityTokenManager class
>
> This class has a "AuthenticateToken" method
>
> protected virtual void AuthenticateToken(
> X509SecurityToken token
> );
>
> which is used to verify the clientside x509certificate token, we can
> override this method in our custom manager class to do our own verfiy
> processing. Also, you can search the class in the WSE documentation and
> there're also reference on our to register custom Token Manager class
> within service's config file.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
> --------------------
> From: <jason.chen@xxxxxxxxxxxxxxxxx>
> Subject: how can we restrict what certificate WSE will use?
> Date: Sun, 18 Sep 2005 17:07:24 -0400
> Lines: 18
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <O9Bv4TJvFHA.3236@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.dotnet.framework.webservices.enhancements:4914
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> assume I'm hosting a webservice, I have 2 trusted clients consume my
> webservice, each client will send in properly encrypted and signed
request,
> WSE will take care of decryption and verification of the signature,
> everything works great. now there is a hacker, tries to consume my
> webservice, he encrypted his request using my public key, and signed his
> request using his own private key, when I received the request WSE will
> automatically decrypt it and verify the signature successfully before
> reaching my code where I verify it's a trusted client. as you can see, the
> decryption and signature verify happens automatically before I can check
if
> it's a trusted client.
>
> my question is, is there a way I can short circuit this process so that I
> can terminate the request before decryption/ signature verification
happens?
>
> thanks,
> -Jason
>
>
>


.

Relevant Pages

  • Re: how can we restrict what certificate WSE will use?
    ... \par Microsoft Online Support ... \par you mentioned 'since his private key is not valid so, the signature of his ... \par in a request signed with his valid private key, and since his public key is ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: how can we restrict what certificate WSE will use?
    ... > X509SecurityTokenManager to verify the request is from a trusted client. ... >> decrypte and signature validation process. ... >> in a request signed with his valid private key, ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • How can I generate a PKCS#10 request programatically?
    ... I am using a private key on a hardware token through RSACryptoServiceProvider and need to generate a PKCS#10 request for a signature on that key. ...
    (microsoft.public.dotnet.security)
  • Re: RSA breaking vs. factoring
    ... affects the two possible usages of RSA both for encryption (first public, ... then private key) and for signing ... are identical to encryption, in reverse order. ... Digital signature generation takes an input message (which may be quite ...
    (sci.crypt)
  • Re: how can we restrict what certificate WSE will use?
    ... the valid x509 certificate which is used to identify him'. ... X509SecurityTokenManager to verify the request is from a trusted client. ... the problem is that he can not passed the authentication (suppose we ... > decrypte and signature validation process. ...
    (microsoft.public.dotnet.framework.webservices.enhancements)