.NET Forum / ASP.NET / Web Services / November 2004


WS Secure Conversation - UsernameToken Encryption - PLEASE PLEASE HELP ME - Very urgent

Sumaira Ahmad - 17 Nov 2004 16:59 GMT
Hi,

Please help me solve this problem. This is very urgent; I have to
demo it tomorrow and need to fix it before then.

I am using WS Secure Conversation and am using a UsernameToken to
sign the initial request from the client to the token issuer
for a SecurityContextToken.
I would like to encrypt the UsernameToken before sending it across.
My code is as below:

using System;
using System.Configuration;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

// UsernameToken carrying the cleartext password (ADAM needs it in the clear, see below).
SecurityToken token = new UsernameToken(t_username.Text,
                                        t_password.Text,
                                        PasswordOption.SendPlainText);

// Create a SecurityContextTokenServiceClient that will get the SecurityContextToken.
string secureConvEndpoint = ConfigurationSettings.AppSettings["tokenIssuer"];
SecurityContextTokenServiceClient client =
    new SecurityContextTokenServiceClient(new Uri(secureConvEndpoint));

// Retrieve the server's certificate as a security token to encrypt to.
SecurityToken issuerToken = GetServerTokenForEncryption();

// Encrypt the UsernameToken (referenced by its wsu:Id) with the server's token.
// This is the line that does not compile: RequestSoapContext is protected on
// SecurityTokenServiceClient (see the error below).
client.RequestSoapContext.Security.Elements.Add(
    new EncryptedData(issuerToken, string.Format("#{0}", token.Id)));

// Request the SecurityContextToken, authenticating with the UsernameToken and
// using the server's token as the base token.
SecurityContextToken sct =
    client.IssueSecurityContextTokenAuthenticated(token, issuerToken);

But somehow I am not able to access the RequestSoapContext of the
client proxy.
It gives me the error:
'Microsoft.Web.Services2.Security.SecurityTokenServiceClient.RequestSoapContext'
is inaccessible due to its protection level

I cannot send the password hashed because I am authenticating
against ADAM; hence the password has to go as plain text.

Can someone tell me how I can access the RequestSoapContext of the
proxy so that I can encrypt the UsernameToken that is carried in the
SOAP header to the token issuer?
Please help me. I have an urgent demonstration to show tomorrow and
need to get it working.

PLEASE PLEASE HELP ME...
Regards,
Sumaira
Martin Kulov - 19 Nov 2004 10:24 GMT
Hi Sumaira,

I had this problem two months ago when I prepared a presentation also. It seems that WSE is unable to encrypt the UsernameToken in this version. As Hervey pointed out, there will be progress in this area in WSE SP2, which we expect to be available very soon. I hope your demo went smoothly though.

Best regards,

Martin Kulov
www.codeattest.com
Sumaira Ahmad - 19 Nov 2004 18:30 GMT
Martin,

Thanks for replying. So how did you plan to go about sending the
password or UsernameToken in encrypted/hashed form? Did you find a
solution to it, or did you have a workaround?
Please let me know. I haven't been able to figure out what to do. I
would really appreciate your reply.
Thanks,
Sumaira

Martin Kulov - 20 Nov 2004 01:26 GMT
Hi Sumaira,

Well, I have not found a solution yet. I just gave my presentation and told them: 'It is really nice to use UsernameToken, but for now, as you see, it requires SSL for initiating the conversation. Go and start using it now, and by the time you are prepared there will be a solution for encrypting the token.' :)
That's it.

HTH,
Martin Kulov
www.codeattest.com
Softwaremaker - 21 Nov 2004 00:22 GMT
1) You can send the password in hashed or encrypted form via the
PasswordOption enum.

2) You can also send the UsernameToken in encrypted form as well:
http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx


hth.
Thank you.

Regards,
Softwaremaker

> Martin,
>
[quoted text clipped - 9 lines]
> >
> > I had this problem two months ago when I prepared a presentation also. It seems that WSE is unable to encrypt the UsernameToken in this version. As
Hervey pointed out there will be progress in this area in WSE SP2 which we
expect to be available very soon. I hope your demo went smooth though.

> > Best regards,
> >
> > Martin Kulov
> > www.codeattest.com
Henning Krause [MVP] - 21 Nov 2004 10:12 GMT
Hello,

> 2) You can also send the UsernameToken in encrypted form as well.
> http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx


The problem with this approach is that the server must have a certificate.

While the certificate itself is not a problem for me, the circumstance that
the client program must know the public key of that certificate is certainly
one.

And hardcoding the public key into the client is not an option for me.

What I would like to do is the following:

1. Client requests the server public key from a special webservice on the
server.
2. Client encrypts the Usernametoken with the servers public key and signs
it with its own private key.
3. The Server creates a security token and encrypts it with the clients
public key.
4. The client uses this security token to call the webservice.

After step 2, both actors have exchanged each other's public keys, thus they can
protect the entire communication. I would create the key pairs on each
application start.

Ideally this would be implemented with WS-SecureConversation.

Apropos WS-SecureConversation: does WSE implement some sort of
sequence numbering in WS-SC? I only saw a relatively short ticket lifetime as
replay detection, whereas the WS-SC specification mentions sequence
numbering.

So, is that even possible, and what must I do to asymmetrically encrypt the
SecurityContextToken with my own public/private key pair?

Greetings,
Henning Krause [MVP]

Martin Kulov - 21 Nov 2004 17:10 GMT
> encrypted form via the passwordoption enum

What is this enum value?

Martin Kulov
www.codeattest.com
Henning Krause [MVP] - 21 Nov 2004 19:32 GMT
Hello,

this enumeration allows you to specify how the password is sent over the
wire: either in cleartext, as a hashed version, or not sent at all.

If you are using the first option (unencrypted), you should secure the
password by other means, i.e. with SSL/TLS or an X.509 certificate.

Greetings,
Henning Krause [MVP]
==========================
Visit my website: http://www.infinitec.de
Try my free Exchange Explorer: Mistaya
(http://www.infinitec.de/?page=products)

Martin Kulov - 22 Nov 2004 07:47 GMT
Hi Henning,

I am aware that there is an enumeration for sending the password in clear text or as a hashed value. I did not understand what its value is for sending it in encrypted form.

Softwaremaker wrote:
1) You can send the password in hash or encrypted form via the passwordoption enum

So what is the value of the enum for sending the password in encrypted form.

Thanks,
Martin Kulov
www.codeattest.com
Henning Krause [MVP] - 22 Nov 2004 09:44 GMT
Hello,

you can't. That enumeration has the three values I outlined before: None,
Hashed, Plaintext.

If you want to encrypt it, you must encrypt the UsernameToken with an X.509
certificate or similar.

Greetings,
Henning Krause [MVP]
==========================
Visit my website: http://www.infinitec.de
Try my free Exchange Explorer: Mistaya
(http://www.infinitec.de/?page=products)

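An added example (not code from the thread, and not WSE's own implementation) showing what each of the three PasswordOption values puts into the UsernameToken and what the receiving server then needs in order to check it. PasswordOption, build_username_token, verify_username_token and the two Directory classes are hypothetical names; the digest formula is the one from the OASIS WSS UsernameToken Profile 1.0, which is what SendHashed produces.

```python
"""What each WSE 2.0 PasswordOption value puts into <wsse:UsernameToken>, and what the
receiving server needs in order to check it.  Constructed example, not code from the
thread and not WSE's implementation: PasswordOption, build_username_token,
verify_username_token and the two Directory classes are hypothetical names.  The digest
formula is from the OASIS WSS UsernameToken Profile 1.0 (what SendHashed produces):
    PasswordDigest = Base64(SHA-1(nonce + created + password))"""
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone
from enum import Enum

PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"
WSU_TIME = "%Y-%m-%dT%H:%M:%SZ"


class PasswordOption(Enum):
    """The three members WSE 2.0 offers; there is no 'encrypted' member."""
    SEND_NONE = "SendNone"
    SEND_HASHED = "SendHashed"
    SEND_PLAIN_TEXT = "SendPlainText"


def parse_wsu_time(text):
    return datetime.strptime(text, WSU_TIME).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)) per WSS UsernameToken Profile 1.0."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username, password, option, *, nonce=None, created=None):
    """Client side: the values WSE serialises into <wsse:UsernameToken>, as a dict."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(WSU_TIME)
    token = {"Username": username,
             "Nonce": base64.b64encode(nonce).decode("ascii"),
             "Created": created}
    if option is PasswordOption.SEND_PLAIN_TEXT:
        token["Password"], token["PasswordType"] = password, PASSWORD_TEXT
    elif option is PasswordOption.SEND_HASHED:
        token["Password"] = password_digest(nonce, created, password)
        token["PasswordType"] = PASSWORD_DIGEST
    return token  # SEND_NONE: username, nonce and timestamp only


class DirectoryBindOnly:
    """Constructed stand-in for ADAM/AD/SQL: it can *bind* with a cleartext password
    but never hands the stored password back, so a digest cannot be recomputed."""
    def __init__(self, accounts):
        self._accounts = accounts

    def bind(self, username, password):
        return self._accounts.get(username) == password

    def stored_password(self, username):
        raise PermissionError("directory does not expose stored passwords")


class DirectoryWithPasswords(DirectoryBindOnly):
    """A store that does hold a recoverable password, which is what SendHashed requires."""
    def stored_password(self, username):
        return self._accounts[username]


def verify_username_token(token, directory, *, now=None, max_age=timedelta(minutes=5),
                          seen_nonces=None):
    """Server side.  Returns (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    seen_nonces = set() if seen_nonces is None else seen_nonces
    ptype = token.get("PasswordType")
    if ptype == PASSWORD_TEXT:
        # Cleartext: bind straight to the store.  This is the only form a bind-only
        # store can check, and it is why the token must travel under TLS or inside
        # xenc:EncryptedData; otherwise the password is readable in the SOAP header.
        return directory.bind(token["Username"], token["Password"]), "bind"
    if ptype == PASSWORD_DIGEST:
        if abs(now - parse_wsu_time(token["Created"])) > max_age:
            return False, "stale Created timestamp"
        if token["Nonce"] in seen_nonces:
            return False, "replayed nonce"
        seen_nonces.add(token["Nonce"])
        try:
            stored = directory.stored_password(token["Username"])
        except PermissionError as exc:
            return False, f"cannot recompute digest: {exc}"
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], stored)
        return expected == token["Password"], "digest"
    return False, "no password sent (SendNone)"


if __name__ == "__main__":
    for store in (DirectoryBindOnly({"alice": "s3cret"}),
                  DirectoryWithPasswords({"alice": "s3cret"})):
        for option in PasswordOption:
            tok = build_username_token("alice", "s3cret", option)
            print(f"{type(store).__name__:22} {option.value:14} {verify_username_token(tok, store)}")
```

The bind-only store reproduces the ADAM case from the first post: SendHashed is rejected not because the digest is weak but because the verifier would need the cleartext password to recompute it, which leaves SendPlainText plus transport (SSL/TLS) or message-level (EncryptedData) protection of the token.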
Sumaira Ahmad - 23 Nov 2004 03:07 GMT
The problem with WS Secure Conversation is this:

When you want to send the password as plain text (because you are
authenticating against Active Directory or SQL, which requires the plain-text
password option), there is no way of encrypting the UsernameToken.

In the normal scenario, if you want to send the password in plain text, you
encrypt the UsernameToken as follows:

// Encrypt the UsernameToken (referenced by its wsu:Id) with the server's token
EncryptedData encrypted = new EncryptedData(encrToken,
                                            string.Format("#{0}", usernameToken.Id));
proxy.RequestSoapContext.Security.Elements.Add(encrypted);

But in Secure Conversation there is a bug (according to me).

See code below

// Create a SecurityContextTokenServiceClient that will get the SecurityContextToken.
string secureConvEndpoint = ConfigurationSettings.AppSettings["tokenIssuer"];
SecurityContextTokenServiceClient client =
    new SecurityContextTokenServiceClient(new Uri(secureConvEndpoint));

Now ideally you should be able to do this:

client.RequestSoapContext.Security.Elements.Add(
    new EncryptedData(issuerToken, string.Format("#{0}", usernameToken.Id)));

But when I do this, it says that the RequestSoapContext of the client is a
protected member and hence cannot be accessed.

Now the next option would be to encrypt ONLY the password using X.509
certs or whatever, add it to the UsernameToken, and send the
UsernameToken as it is. Then on the server it should decrypt it.
Is that possible? I haven't tried it yet. Can you suggest a workaround
(other than SSL)?
Please let me know. I have spent God knows how many days trying to
find a solution to it.

Thanks,
Sumaira

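An added example, not from the thread or from WSE: a check over two constructed SOAP envelopes, one carrying the UsernameToken as WSE emits it for SendPlainText and one in which the token has been replaced in place by the xenc:EncryptedData that adding an EncryptedData element for "#<token Id>" produces. audit_security_header, password_is_exposed and both envelopes are made up; the namespaces and the Password Type URIs are the WS-Security 2004 ones.

```python
"""Check whether a SOAP request exposes a UsernameToken password in its wsse:Security
header.  Constructed example, not code from the thread or from WSE: audit_security_header,
password_is_exposed and the two sample envelopes are made up.  The namespaces and the
Password Type URI are the WS-Security 2004 ones; in the encrypted sample the
UsernameToken has been replaced in place by xenc:EncryptedData, which is what adding
an EncryptedData element referencing "#<token Id>" produces on the wire."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed envelope skeleton; the Security header contents are filled in per sample.
ENVELOPE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:xenc="{xenc}">
  <soap:Header><wsse:Security soap:mustUnderstand="1">{header}</wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""

# Sample 1 (constructed): what SendPlainText puts on the wire without any encryption.
CLEARTEXT_TOKEN = """
      <wsse:UsernameToken wsu:Id="SecurityToken-1">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="%s">s3cret</wsse:Password>
        <wsse:Nonce>Y29uc3RydWN0ZWQtbm9uY2U=</wsse:Nonce>
        <wsu:Created>2004-11-17T16:59:00Z</wsu:Created>
      </wsse:UsernameToken>""" % PASSWORD_TEXT

# Sample 2 (constructed): the same token after EncryptedData replaced it; the cipher
# values are placeholders, not real ciphertext.
ENCRYPTED_TOKEN = """
      <xenc:EncryptedKey><xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
      <xenc:EncryptedData Id="EncryptedContent-1" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQtY2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>"""

CLEARTEXT_ENVELOPE = ENVELOPE.format(header=CLEARTEXT_TOKEN, **NS)
ENCRYPTED_ENVELOPE = ENVELOPE.format(header=ENCRYPTED_TOKEN, **NS)


def audit_security_header(envelope_xml):
    """Return one finding per credential-bearing element in the Security header."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return ["no wsse:Security header"]
    findings = []
    for ut in security.findall("wsse:UsernameToken", NS):
        user = ut.findtext("wsse:Username", default="<unknown>", namespaces=NS)
        pw = ut.find("wsse:Password", NS)
        if pw is None:
            findings.append(f"UsernameToken {user}: no Password element (SendNone)")
        elif pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:  # Type defaults to PasswordText
            findings.append(f"UsernameToken {user}: CLEARTEXT password readable in header")
        else:
            findings.append(f"UsernameToken {user}: digest only")
    for enc in security.findall("xenc:EncryptedData", NS):
        findings.append(f"EncryptedData {enc.get('Id')}: contents not readable on the wire")
    return findings


def password_is_exposed(envelope_xml):
    return any("CLEARTEXT" in f for f in audit_security_header(envelope_xml))


if __name__ == "__main__":
    for name, env in (("cleartext", CLEARTEXT_ENVELOPE), ("encrypted", ENCRYPTED_ENVELOPE)):
        print(name, audit_security_header(env))
```

Run it over a request captured with WSE's diagnostics trace before a demo: if the header still shows a wsse:Password of type PasswordText, the EncryptedData element was never added, which is exactly the situation the protection-level compile error leaves you in.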
Sumaira Ahmad - 23 Nov 2004 03:30 GMT
All examples on WSE Secure Conversation where we have to use a
token issuer show you can access the RequestSoapContext for a
SecurityTokenServiceClient proxy, but as per

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wseref/html/P_Microsoft_Web_Services2_Security_SecurityTokenServiceClient_RequestSoapContext.asp

it is a protected member? Sorry if this is a foolish question, but
is there any way of changing its property to public from protected?

Thanks,
Sumaira

Softwaremaker - 23 Nov 2004 10:16 GMT
Sorry, my mistake. I meant hash, plain text or no-show password. I wonder
how the word encrypted got in there....hmmm...

Thanks.

©2008 Advenet LLC