Re: how can we restrict what certificate WSE will use?

---

• From: <jason.chen@xxxxxxxxxxxxxxxxx>
• Date: Tue, 20 Sep 2005 12:30:50 -0400

---

HI Steven,
thanks for the reply, it's good to know that X509SecurityTokenManager is
called when X509SecurityToken is found in the context.
there seems to be some disconnections where you say 'the hacker dosn't have
the valid x509 certificate which is used to identify him'. I think the
hacker can buy a valid x509 from Verisign and use it to identify him when
accessing the webservice, right? the scenario I'm talking about is not man
in the middle attack, it's more like how to prevent unwanted clients to
access the webservice. I guess the solution is to write a custom
X509SecurityTokenManager to verify the request is from a trusted client.
and only requests passed the custom X509SecurityTokenManager will be
decrypted, requests didn't pass the custom X509SecurityTokenManager will not
be decrypted by WSE2, even though it might be properly encrypted and signed.

am I right about this process?

thanks,
-Jason

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:aeRnsfcvFHA.580@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jason,
>
> The WSE2 will call X509SecurityTokenManager when find X509SecurityToken in
> the request Message's Security Context. However, the default
implementation
> of the verification is doing nothing, we can override it to do our custom
> verification task (you can refer to the WSE2 's documentatin). Also, for
> the hack which replace the message with the one signed by its own private
> key, the problem is that he can not passed the authentication (suppose we
> use Certificate authentication), since the hacker dosn't have the valid
> x509 certificate which is used to identitfy him, he won't pass the
> authentication at serverside , event no need to consider the sequential
> decrypte and signature validation process. On the internet , a secure
> channel include three elements:
>
> consistency, confidentiality and identification. And the identification is
> just used to determine the clientside's identity, generally we call this
> process "Authentication". So when we use X509 certificate token for
> auhenticaiton, we force the clientside to provide a server recoginzed
> certificate token which the hacker won't have. This certificate could be
> different from the one we used to sign or encrypt the message.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
> --------------------
> From: <jason.chen@xxxxxxxxxxxxxxxxx>
> References: <O9Bv4TJvFHA.3236@xxxxxxxxxxxxxxxxxxxx>
> <TF7tg7MvFHA.780@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: how can we restrict what certificate WSE will use?
> Date: Mon, 19 Sep 2005 18:26:01 -0400
> Lines: 96
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <OA5sekWvFHA.2072@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.dotnet.framework.webservices.enhancements:4922
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> thanks Steven, I'll be using a X509 certificate.
> will the custom X509SecurityTokenManager be called before decryption and
> signature verification?
> you mentioned 'since his private key is not valid so, the signature of his
> message won't be able to be verified', actually I think the hacker can
send
> in a request signed with his valid private key, and since his public key
is
> sent alone with the request, so WSE2 can verify the request signature
> successfully, true?
> does WSE2 called X509SecurityTokenManager to validate a certificate before
> verifying request signature?
>
> thanks,
> -Jason
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:TF7tg7MvFHA.780@xxxxxxxxxxxxxxxxxxxxxxxx
> > Hi Jason,
> >
> > As for the question on the X509 certificate verification in .net
> webservice
> > using WSE, here are some of my understanding and suggestions:
> >
> > When a hacker use your public key (server certificate) to encrypte the
> > message, it's ok. However, since his private key is not valid so, the
> > signature of his message won't be able to be verified at the serverside.
> > Also, we must have authentication protection at serverside through
> > securityTokens(UsernameToken or X509CertificateToken ...). So are you
> > using X509CertificateToken for authentication? If so you can consider
> > defining a custom TokenManager class for X509Certificate Authentication.
> > We can create such a class which dervied from the
> >
> > Microsoft.Web.Services2.Security.Tokens.X509SecurityTokenManager class
> >
> > This class has a "AuthenticateToken" method
> >
> > protected virtual void AuthenticateToken(
> > X509SecurityToken token
> > );
> >
> > which is used to verify the clientside x509certificate token, we can
> > override this method in our custom manager class to do our own verfiy
> > processing. Also, you can search the class in the WSE documentation and
> > there're also reference on our to register custom Token Manager class
> > within service's config file.
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> >
> > --------------------
> > From: <jason.chen@xxxxxxxxxxxxxxxxx>
> > Subject: how can we restrict what certificate WSE will use?
> > Date: Sun, 18 Sep 2005 17:07:24 -0400
> > Lines: 18
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > Message-ID: <O9Bv4TJvFHA.3236@xxxxxxxxxxxxxxxxxxxx>
> > Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> > NNTP-Posting-Host: a7cebc03.cst.lightpath.net 167.206.188.3
> > Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
> > Xref: TK2MSFTNGXA01.phx.gbl
> > microsoft.public.dotnet.framework.webservices.enhancements:4914
> > X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
> >
> > assume I'm hosting a webservice, I have 2 trusted clients consume my
> > webservice, each client will send in properly encrypted and signed
> request,
> > WSE will take care of decryption and verification of the signature,
> > everything works great. now there is a hacker, tries to consume my
> > webservice, he encrypted his request using my public key, and signed his
> > request using his own private key, when I received the request WSE will
> > automatically decrypt it and verify the signature successfully before
> > reaching my code where I verify it's a trusted client. as you can see,
the
> > decryption and signature verify happens automatically before I can check
> if
> > it's a trusted client.
> >
> > my question is, is there a way I can short circuit this process so that
I
> > can terminate the request before decryption/ signature verification
> happens?
> >
> > thanks,
> > -Jason
> >
> >
> >
>
>
>


.

---

• Follow-Ups:
  • Re: how can we restrict what certificate WSE will use?
    • From: Steven Cheng[MSFT]
  • Re: how can we restrict what certificate WSE will use?
    • From: William Stacey [MVP]

• References:
  • how can we restrict what certificate WSE will use?
    • From: jason.chen
  • RE: how can we restrict what certificate WSE will use?
    • From: Steven Cheng[MSFT]
  • Re: how can we restrict what certificate WSE will use?
    • From: jason.chen
  • Re: how can we restrict what certificate WSE will use?
    • From: Steven Cheng[MSFT]

• Prev by Date: Re: Should I be using WSE?
• Next by Date: FOLLOW UP - Re: what certificate to buy from Verisign ?
• Previous by thread: Re: how can we restrict what certificate WSE will use?
• Next by thread: Re: how can we restrict what certificate WSE will use?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: how can we restrict what certificate WSE will use? ... \par X509SecurityTokenManager to verify the request is from a trusted client. ... \par Subject: Re: how can we restrict what certificate WSE will use? ... \par there seems to be some disconnections where you say 'the hacker dosn't have ... \par> decrypte and signature validation process. ... (microsoft.public.dotnet.framework.webservices.enhancements) Re: how can we restrict what certificate WSE will use? ... > X509SecurityTokenManager to verify the request is from a trusted client. ... > certificate to build a valid signature and encrypted data section. ... (microsoft.public.dotnet.framework.webservices.enhancements) RE: 802.1x Authentication Fails ... Ive deleted teh certificate and tried to request a new one. ... Im making the request from the IAS server to the Enterprise CA server. ... Reason = The authentication request was not processed because the ... (microsoft.public.internet.radius) RE: 802.1x Authentication Fails ... Anyways, in order to be able to request certificates on the IAS server, you ... Ive deleted teh certificate and tried to request a new one. ... Reason = The authentication request was not processed because the ... (microsoft.public.internet.radius) Re: how can we restrict what certificate WSE will use? ... >> the valid x509 certificate which is used to identify him'. ... I guess the solution is to write a custom ... >> X509SecurityTokenManager to verify the request is from a trusted client. ... >>> decrypte and signature validation process. ... (microsoft.public.dotnet.framework.webservices.enhancements)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > DotNet  > microsoft.public.dotnet.framework.webservices.enhancements  > 2005-09