.NET Forum / ASP.NET / Web Services / December 2004


Kerberos and UsernameToken Question

RK - 10 Nov 2004 04:42 GMT
Assume that I am sending a message encrypted from the client to a service.
If a hacker intercepts the call, will he not be able to decrypt the message
using the token available in the soap envelope? Will it be more secure if I
use Kerberos Token? Why?

Thanks in advance

Kishore
Softwaremaker - 10 Nov 2004 04:51 GMT
> If a hacker intercepts the call, will he not be able to decrypt the message
> using the token available in the soap envelope?

The tokens used to encrypt the message can be separated into 2 types of
encryption algorithms:
[1] Username and Password - Shared Secret (Symmetric Algo)
[2] X509 Digital Certs - Public-Private Key (Asymmetric Algo)

In [2], the decryption key (PrivateKey) is not sent across the wire; only
the holder of the PrivateKey can decrypt this message.
In [1], it is based on a common shared key. Therefore, it is imperative that
both sides have the common secret key (usually the pwd) to decrypt the
message. Tokens usually sent this way should NOT send over the password. The
username is the referencing point. If a password is to be sent, send a
hashed version. If a password needs to be sent over in cleartext for some
reason, encrypt the entire UsernameToken or use transport-layer security.

Hope this clears some confusion.

Thank you.

Regards,
Softwaremaker
=========================================
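The "hashed version" of the password in the reply above is what the WS-Security UsernameToken profile calls a PasswordDigest. What follows is an added example, not code from this thread or from WSE: it builds such a token on the client side and verifies it on the service side, including the clock-skew and nonce-replay checks a service must make before it can trust a digest. The digest form is the one the OASIS UsernameToken profile defines, Base64(SHA-1(nonce + created + password)); the user name, password, timestamps and the service's credential store are constructed sample data.

```python
"""WS-Security UsernameToken with a hashed password (PasswordDigest): built on the
client, verified on the service. Added example, not code from the thread or from WSE.
ASSUMPTIONS: the digest form from the OASIS UsernameToken profile,
Base64(SHA-1(nonce + created + password)); users, passwords and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed credential store on the service side (hypothetical users).
SERVICE_PASSWORDS = {"kishore": "correct horse battery staple"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)), as the UsernameToken profile defines it."""
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username: str, password: str, nonce: Optional[bytes] = None,
                         created: Optional[datetime] = None) -> dict:
    """Client side: the token carries the username, a fresh nonce, a timestamp and
    the digest, but never the password itself."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = datetime.now(timezone.utc) if created is None else created
    created_str = created.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created_str,
        "PasswordDigest": password_digest(nonce, created_str, password),
    }


def verify_username_token(token: dict, seen_nonces: set, now: datetime,
                          max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Service side: recompute the digest from the stored password, reject tokens whose
    Created is outside the skew window, and reject a nonce that was already accepted
    (a captured token replayed by an interceptor)."""
    password = SERVICE_PASSWORDS.get(token.get("Username", ""))
    if password is None:
        return False
    try:
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(token["Nonce"], validate=True)
    except (KeyError, ValueError):
        return False
    if abs(now - created) > max_skew:
        return False
    if token["Nonce"] in seen_nonces:
        return False
    expected = password_digest(nonce, token["Created"], password)
    if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
        return False
    seen_nonces.add(token["Nonce"])   # keep it for at least the skew window
    return True


def demo_scenario() -> dict:
    """Constructed walk-through: a valid token, the same token replayed, a guessed
    password, and a token whose timestamp is an hour old."""
    now = datetime(2004, 11, 10, 4, 51, tzinfo=timezone.utc)
    good_pw = SERVICE_PASSWORDS["kishore"]
    seen: set = set()
    good = build_username_token("kishore", good_pw, nonce=b"\x00" * 16, created=now)
    guessed = build_username_token("kishore", "guess", nonce=b"\x01" * 16, created=now)
    stale = build_username_token("kishore", good_pw, nonce=b"\x02" * 16,
                                 created=now - timedelta(hours=1))
    return {
        "password_on_wire": good_pw in str(good),
        "valid": verify_username_token(good, seen, now),
        "replay": verify_username_token(good, seen, now),
        "wrong_password": verify_username_token(guessed, set(), now),
        "stale": verify_username_token(stale, set(), now),
    }


if __name__ == "__main__":
    print(demo_scenario())
```

Note what the digest does and does not buy. An interceptor who captures the envelope sees the username, the nonce and the timestamp but not the password, and once the service has recorded the nonce the captured token cannot be replayed. It gives no confidentiality to the body, which still needs message-level or transport-level encryption, as the reply says.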

RK - 10 Nov 2004 08:13 GMT
Thanks for the answer.

But I am not using X509Token here. I would like to know what algorithm WSE
uses to encrypt and decrypt using KerberosToken. If a hacker gets hold of
the envelope, and since the KerberosToken is also available in the envelope,
will he be able to use the KerberosToken to decrypt the envelope (assuming
that the KerberosToken was used for encryption)?

Rory Plaire - 02 Dec 2004 20:39 GMT
> If a hacker gets hold of the envelope, and since the KerberosToken is also
> available in the envelope, will he be able to use the KerberosToken to
> decrypt the envelope (assuming that the KerberosToken was used for
> encryption)?

No, since the token is generated from the Kerberos Session Key, which
only the three "heads" of the protocol know: the sender, the receiver,
and the Key Distribution Server (KDC). Read up on Kerberos
(http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp)
for more details...

-rory
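The point in the reply above, worked through in code: the KerberosToken carried in the envelope is the ticket, which is sealed under the service's long-term key, so the session key that actually encrypts the body never appears on the wire and the token bytes themselves are of no use as a decryption key. This is an added example, not code from the thread, from WSE or from Kerberos itself. Kerberos' real encryption types are replaced by a toy authenticated cipher built from HMAC-SHA256, an assumption made only to keep the example self-contained (do not reuse it as a cipher); the principal names, passwords and the message are constructed.

```python
"""Why the KerberosToken in a WS-Security envelope does not let an eavesdropper
decrypt the body. Added example, not from the thread, from WSE or from Kerberos.
ASSUMPTION: a toy authenticated cipher (HMAC-SHA256 keystream + HMAC tag) stands in
for Kerberos' encryption types; names, passwords and the message are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN, TAG_LEN, SESSION_KEY_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from HMAC-SHA256(key, nonce || counter) blocks (not Kerberos)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag over (nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None if the key is wrong or the blob was altered (tag check fails)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def long_term_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key (assumption): principal key from password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class KDC:
    """Holds every principal's long-term key and mints a fresh session key per ticket."""

    def __init__(self, principals: dict) -> None:
        self.keys = {name: long_term_key(pw) for name, pw in principals.items()}

    def issue_ticket(self, client: str, service: str) -> Tuple[bytes, bytes]:
        session_key = os.urandom(SESSION_KEY_LEN)
        # The ticket: session key + client name, sealed under the SERVICE's key.
        ticket = encrypt(self.keys[service], session_key + client.encode("utf-8"))
        # The same session key for the client, sealed under the CLIENT's key.
        for_client = encrypt(self.keys[client], session_key)
        return ticket, for_client


def client_build_envelope(client_key: bytes, ticket: bytes, for_client: bytes,
                          message: bytes) -> dict:
    """Client: recover the session key, then send the ticket plus the body under it."""
    session_key = decrypt(client_key, for_client)
    return {"KerberosToken": ticket, "EncryptedBody": encrypt(session_key, message)}


def service_open_envelope(service_key: bytes, envelope: dict) -> Optional[bytes]:
    """Service: open the ticket with its own key, take the session key, decrypt the body."""
    ticket = decrypt(service_key, envelope["KerberosToken"])
    if ticket is None:
        return None
    return decrypt(ticket[:SESSION_KEY_LEN], envelope["EncryptedBody"])


def eavesdropper_attempt(envelope: dict) -> Optional[bytes]:
    """Attacker holding only the captured envelope: the token bytes are not the key,
    and the session key inside them is sealed under a key he does not have."""
    return decrypt(envelope["KerberosToken"], envelope["EncryptedBody"])


def demo() -> dict:
    """Constructed run: issue a ticket, send one message, try to read it two ways."""
    kdc = KDC({"kishore": "client-secret", "payroll-svc": "service-secret"})
    ticket, for_client = kdc.issue_ticket("kishore", "payroll-svc")
    client_key = long_term_key("client-secret")
    envelope = client_build_envelope(client_key, ticket, for_client, b"salary=42000")
    session_key = decrypt(client_key, for_client)
    on_wire = envelope["KerberosToken"] + envelope["EncryptedBody"]
    return {
        "service_reads": service_open_envelope(long_term_key("service-secret"), envelope),
        "eavesdropper_reads": eavesdropper_attempt(envelope),
        "session_key_on_wire": session_key in on_wire,
    }


if __name__ == "__main__":
    print(demo())
```

The model is the same whatever the real encryption type: the interceptor's envelope contains the ticket and the encrypted body, and opening the ticket needs the service's key, which only the service and the KDC hold. With the toy cipher a wrong key shows up as a failed tag check; with the real thing it is a decryption failure, but either way the body stays closed.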
