Re: hashed password and UsernameTokenManager



Thanks for your response Phil,

I think your current implementation is good according to the custom UsernameTokenManager model. And as for PasswordOptions.SendHashed, from the WSE documentation you can find that it just uses SHA1 to hash the password, which provides a built-in option for you to hash the password in case some application directly stores the original clear text password (also let the user input it at the client) in the DB....

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)

--------------------
From: "Phil Lee" <phil.lee@xxxxxxxxxxxxxxxxx>
References: <Or4PeYGEGHA.1508@xxxxxxxxxxxxxxxxxxxx> <O$CZhCKEGHA.1028@xxxxxxxxxxxxxxxxxxxx> <o0$XGHPEGHA.1236@xxxxxxxxxxxxxxxxxxxxx> <OT$EIjgEGHA.3728@xxxxxxxxxxxxxxxxxxxx> <BERz8onEGHA.3764@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: hashed password and UsernameTokenManager
Date: Tue, 10 Jan 2006 13:47:57 -0000
Message-ID: <#JXp2xeFGHA.1032@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements

Steven,

this is what I have implemented:

Client:

proxy.SetClientCredential( new UsernameToken( "name", "base 64 encoded MD5 hashed password", PasswordOptions.SendPlainText ) );

Server:

string AuthenticateToken(UsernameToken token)
{
    lookup salt and iteratively hashed salted password equivalent from DB
    salt and iteratively hash token.Password

    if they match then return token.Password.
}

But I am still confused as to the reason for having PasswordOptions.SendHashed.

I will have to tell clients of the web service that it's good practice to send a password equivalent and not the cleartext password, but I can't force them to.

Regards
Phil Lee


"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:BERz8onEGHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
> Thanks for your response Phil,
>
> Yes, storing a password hash is the best practice... However, the cleartext
> mentioned here is just the value which is used to construct the
> UsernameToken at the client side... Because when it uses the UsernameToken or a
> derived token to encrypt or sign the message, we'll need the original
> cleartext value to construct the token key and decrypt the message....
> Thus, if your custom security database stores only a password hash, you need
> to also use the hashed password text to construct the UsernameToken...
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
> --------------------
> From: "Phil Lee" <phil.lee@xxxxxxxxxxxxxxxxx>
> References: <Or4PeYGEGHA.1508@xxxxxxxxxxxxxxxxxxxx>
> <O$CZhCKEGHA.1028@xxxxxxxxxxxxxxxxxxxx>
> <o0$XGHPEGHA.1236@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: hashed password and UsernameTokenManager
> Date: Thu, 5 Jan 2006 15:00:34 -0000
> Message-ID: <OT$EIjgEGHA.3728@xxxxxxxxxxxxxxxxxxxx>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
>
> Steven,
>
> isn't it best practice to store a password equivalent and not a clear text
> password in the database?
>
> I suppose I can just send a password marked as cleartext but it would have
> actually been hashed on the client. I could then salt and hash again before
> storing in the database. I'm using this article
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/securusernametoken.asp
> for inspiration.
>
> Regards
> Phil Lee
>
> "Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:o0$XGHPEGHA.1236@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Phil,
>>
>> I agree with Pablo, the "AuthenticateToken" method of the custom
>> UsernameTokenManager requires us to return the correct CLEAR TEXT
>> password... (so that the runtime will use it for subsequent decrypting or
>> signing....) So in other words, this is usually used when the account
>> database is a custom storage (a relational database table....) or an XML
>> file.... And it's not usable for the Windows security authority since no
>> clear text password is available...
>>
>> Please feel free to post here if there's anything else unclear.
>>
>> Regards,
>>
>> Steven Cheng
>> Microsoft Online Support
>>
>> Get Secure! www.microsoft.com/security
>> (This posting is provided "AS IS", with no warranties, and confers no
>> rights.)
>> --------------------
>> From: "Pablo Cibraro" <pcibraro@xxxxxxxxxxx>
>> References: <Or4PeYGEGHA.1508@xxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: hashed password and UsernameTokenManager
>> Date: Tue, 3 Jan 2006 17:02:40 -0300
>> Message-ID: <O$CZhCKEGHA.1028@xxxxxxxxxxxxxxxxxxxx>
>> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
>>
>> Hi Phil,
>> You have to return the original password. You will have to get it from
>> somewhere, e.g. a database.
>> WSE computes a hash with the password that you return and then compares
>> that hash with the UsernameToken's hash.
>>
>> Regards,
>> Pablo Cibraro
>> http://weblogs.asp.net/cibrax
>> http://www.lagash.com
>>
>> "Phil Lee" <phil.lee@xxxxxxxxxxxxxxxxx> wrote in message
>> news:Or4PeYGEGHA.1508@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi,
>>>
>>> I'm using WSE3 username/password over certificate - I can implement my own
>>> (test) UsernameTokenManager like this:
>>>
>>> public class MyUsernameTokenManager : UsernameTokenManager
>>> {
>>>     ...
>>>
>>>     protected override string AuthenticateToken( UsernameToken token,
>>>                                                  string authenticatedPassword )
>>>     {
>>>         // for clear text passwords
>>>         return token.Password; // This is just for test purposes
>>>     }
>>> }
>>>
>>> This works fine.
>>>
>>> If however I want to send hashed passwords using
>>> PasswordOption.SendHashed, what do I need to return from
>>> AuthenticateToken?
>>> Returning token.PasswordDigest.ToString() doesn't work.
>>>
>>> Regards
>>> Phil Lee
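Added example, not part of the thread above and not WSE code: a small Python model of the UsernameToken digest mechanics the replies are circling. It shows (a) the PasswordDigest that PasswordOptions.SendHashed puts on the wire and why the server has to hand WSE back the exact string the client hashed, which is Pablo's and Steven's point; (b) Steven's suggestion of treating the stored hash as the password on both sides; and (c) Phil's scheme of sending a base64 MD5 "password equivalent" as plain text and keeping only a salted, iterated hash of it in the database. The DigestVerifier class is a hypothetical stand-in for what WSE does with the value AuthenticateToken returns, not the WSE API; its lookup_secret callback plays the role of AuthenticateToken. PBKDF2-HMAC-SHA256 is my choice for Phil's "salt and iteratively hash", since the thread does not say which function he used. The user name, secret, nonce, salt and timestamps are constructed sample values. The nonce cache and Created window are checks the thread does not mention but which any PasswordDigest verifier needs against replay.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created timestamp format


def password_digest(nonce: bytes, created: str, secret: str) -> str:
    """WS-Security UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password)).
    This is what PasswordOptions.SendHashed computes; the secret itself never goes on the wire."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + secret.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_digest_token(username: str, secret: str, nonce: bytes = None, created: str = None) -> dict:
    """Client side of SendHashed. nonce and created are parameters only so the example is deterministic."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(WSU_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, secret),
    }


class DigestVerifier:
    """Hypothetical server side for SendHashed, modelled on what WSE does with the string
    AuthenticateToken returns: re-hash it with the token's nonce and Created value and compare.
    lookup_secret(username) returns that string, or None if the store cannot produce it."""

    def __init__(self, lookup_secret, max_skew: timedelta = timedelta(minutes=5)):
        self._lookup = lookup_secret
        self._max_skew = max_skew
        self._seen_nonces = set()  # replay cache; in a real service expire entries with the skew window

    def verify(self, token: dict, now: str = None) -> bool:
        now_dt = datetime.strptime(now or datetime.now(timezone.utc).strftime(WSU_FMT), WSU_FMT)
        created_dt = datetime.strptime(token["Created"], WSU_FMT)
        if abs(now_dt - created_dt) > self._max_skew:
            return False  # stale or future-dated token
        if token["Nonce"] in self._seen_nonces:
            return False  # replayed token
        secret = self._lookup(token["Username"])
        if secret is None:
            return False  # unknown user, or the store only has a salted hash and cannot return the secret
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], secret)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self._seen_nonces.add(token["Nonce"])
        return True


# Phil's design: client sends a password equivalent as "plain text" (over the certificate-encrypted
# channel); the server stores only a salted, iterated hash of that equivalent.

def password_equivalent(password: str) -> str:
    """Client side: Phil's base64-encoded MD5 of the real password. This value is itself a credential
    (anyone holding it can authenticate), which is why the server must not store it as-is."""
    return base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def make_record(equivalent: str, salt: bytes = None, iterations: int = 100_000) -> dict:
    """Server side at enrolment. PBKDF2-HMAC-SHA256 stands in for 'salt and iteratively hash' (assumption)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", equivalent.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_equivalent(equivalent: str, record: dict) -> bool:
    """What Phil's AuthenticateToken does with token.Password before returning it to WSE."""
    candidate = hashlib.pbkdf2_hmac("sha256", equivalent.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    nonce, created, now = b"\x01" * 16, "2006-01-10T13:47:57Z", "2006-01-10T13:48:00Z"  # constructed
    tok = build_digest_token("phil", "s3cret", nonce, created)
    # (a) SendHashed against a clear-text store: the server can return "s3cret", so it verifies
    print(DigestVerifier(lambda u: "s3cret").verify(tok, now))  # True
    # SendHashed against a salted-hash store: the best the server can return is the stored hash, so it fails
    rec = make_record(password_equivalent("s3cret"), salt=b"\x02" * 16, iterations=1000)
    print(DigestVerifier(lambda u: rec["hash"].hex()).verify(tok, now))  # False
    # (b) Steven's variant: both sides treat the client-side hash as the password
    eq = password_equivalent("s3cret")
    print(DigestVerifier(lambda u: eq).verify(build_digest_token("phil", eq, nonce, created), now))  # True
    # (c) Phil's variant: equivalent sent as plain text, checked against the salted record
    print(verify_equivalent(eq, rec), verify_equivalent(password_equivalent("wrong"), rec))  # True False
```

Case (b) deserves a second look before adopting it: when the stored hash is the string both sides feed into the digest, that hash is the credential, and a copy of the user table authenticates without cracking anything. Case (c) avoids that by never storing the value the client sends, at the cost of giving up SendHashed, because the digest form only works when the server can reproduce the exact secret the client hashed.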