
.NET Forum / ASP.NET / Web Services / March 2005


Encrypting the Signature of  the username token

kiran & Dev - 22 Feb 2005 06:43 GMT
Hi everyone,

How can we encrypt the signature by using the Username token? Even if you are
using the sendhash property, there may be brute-force attacks. Any suggestions
appreciated.

With Many Thanks

Kiran
Dilip Krishnan - 23 Feb 2005 01:07 GMT
Hello kiran,
  You should be able to, in addition to encrypting the contents of the message,
encrypt the username token itself [0]

[0] - http://benjaminm.net/PermaLink.aspx?guid=87fd974c-1f77-437f-8191-6e6fd92f831f

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

> hi everyone
>
[quoted text clipped - 5 lines]
>
> Kiran
Softwaremaker - 23 Feb 2005 08:30 GMT
See this :
http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx


Signature

Thank you.

Regards,
William T (Softwaremaker)
http://www.softwaremaker.net/blog
=========================================

> hi everyone
>
[quoted text clipped - 5 lines]
>
> Kiran
kiran & Dev - 24 Feb 2005 05:21 GMT
Thanks William and Dilip

You're great

> See this :
> http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx

[quoted text clipped - 8 lines]
> >
> > Kiran
kiran & Dev - 26 Feb 2005 09:45 GMT
Thanks for the solution, Dilip & William.

Currently I am working on a router.
I am unable to call to different web services using a router.

The router looks like this:

<?xml version="1.0" ?>
<r:referrals xmlns:r="http://schemas.xmlsoap.org/ws/2001/10/referral">
  <r:ref>
    <r:for>
      <r:exact>http://192.168.200.44/RouterService/StockService.asmx</r:exact>
    </r:for>
    <r:if />
    <r:go>
      <r:via>http://192.168.200.122/StockService/StockService.asmx</r:via>
    </r:go>
    <r:refId>uuid:fa469956-0057-4e77-962a-81c5e292f2ae</r:refId>
  </r:ref>
  <!--This is for second service -->
  <r:ref>
    <r:for>
      <r:exact>http://192.168.200.44/RouterService/StockService1.asmx</r:exact>
    </r:for>
    <r:if />
    <r:go>
      <r:via>http://192.168.200.126/WebService1/Service1.asmx</r:via>
    </r:go>
    <r:refId>uuid:267ec72e-5a68-4c54-a872-69c3ba6818ee</r:refId>
  </r:ref>
</r:referrals>

StockService and Service1 are two different services and RouterService is
the router.

It throws the following exception

Calling http://192.168.200.44/RouterService/StockService.asmx
Web Service called successfully. Simple view:

Symbol: FABRIKAM
       Name:                   Fabrikam, Inc.
       Last Price:             120
       Previous Change:        5.5%

Symbol: CONTOSO
       Name:                   Contoso Corp.
       Last Price:             50.07
       Previous Change:        7.15%
Calling second webservice
http://192.168.200.44/RouterService/StockService1.asmx

****** Exception Raised ******
Web Exception Occured: System.Net.WebException: The request failed with HTTP status 404: Not Found.
  at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at StockServiceClient.Service1.HelloWorld() in c:\program files\microsoft wse\v2.0\samples\cs\quickstart\routing\routingclient\service1.cs:line 41
  at StockServiceClient.StockServiceClient.Run() in c:\program files\microsoft wse\v2.0\samples\cs\quickstart\routing\routingclient\stockserviceclient.cs:line 95
  at StockServiceClient.StockServiceClient.Main(String[] args) in c:\program files\microsoft wse\v2.0\samples\cs\quickstart\routing\routingclient\stockserviceclient.cs:line 53
******************************

Any suggestions, please?

With many thanks in advance,
Kiran

> Thanks William and Dilip
>
[quoted text clipped - 12 lines]
> > >
> > > Kiran
Sidd - 16 Mar 2005 18:58 GMT
Hi Kiran,

  Are you still experiencing problems with this scenario?

Thanks,

Sidd [MSFT]

> Thanks for the  solution Dilip & William
>
[quoted text clipped - 88 lines]
>    at StockServiceClient.StockServiceClient.Run() in c:\program files\microsoft wse\v2.0\samples\cs\quickstart\routing\routingclient\stockserviceclient.cs:line 95
>    at StockServiceClient.StockServiceClient.Main(String[] args) in
[quoted text clipped - 14 lines]
> >
> > > See this :
> > > http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx

> > > > hi everyone
> > > >
[quoted text clipped - 5 lines]
> > > >
> > > > Kiran
kiran & Dev - 17 Mar 2005 06:07 GMT
Hi Sidd, that problem is solved. I am running into a different problem currently.
Using policy, when I try to invoke two different services in the same virtual
directory for two requests, it's creating two security context tokens. I just
included one more <endpoint uri> in the policy file. When we use code we didn't
face any problems; with the same SCT the two methods are invoked. Do you have
any solution for this?
The policy file looks like this:

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://serv1/SecureConvCodeService/hello.asmx">
      <defaultOperation>
        <request policy="" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
      <operation requestAction="http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT">
        <request policy="" />
        <response policy="" />
        <fault policy="" />
      </operation>
    </endpoint>
    <endpoint uri="http://serv1/SecureConvCodeService/SecureConvService.asmx">
      <defaultOperation>
        <request policy="#Sign-SCT-Encrypt-SCT" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
      <operation requestAction="http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT">
        <request policy="" />
        <response policy="" />
        <fault policy="" />
      </operation>
    </endpoint>
  </mappings>
  <policies xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
            xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT">
      <!--MessagePredicate is used to require headers. This assertion should be used along with the Integrity assertion when the presence of the signed element is required. NOTE: this assertion does not do anything for enforcement (send-side) policy.-->
      <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>

      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType>
            <wssp:Claims>
              <wse:BaseToken>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                </wssp:SecurityToken>
              </wse:BaseToken>
              <wse:IssuerToken>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
                  <wssp:TokenIssuer>DC=com, DC=everest, CN=EverestCsr</wssp:TokenIssuer>
                  <wssp:Claims>
                    <wssp:SubjectName MatchType="wssp:Exact">DC=com, DC=everest, CN=Users, CN=Administrator</wssp:SubjectName>
                    <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">0Ue6rBPQiujm0dbW4HptwVcym8w=</wssp:X509Extension>
                  </wssp:Claims>
                </wssp:SecurityToken>
              </wse:IssuerToken>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
      <!--The Confidentiality assertion is used to ensure that the SOAP Body is encrypted.-->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!--The SecurityToken element within the KeyInfo element describes which token type must be used for Encryption.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType>
            <wssp:Claims>
              <wse:BaseToken>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                </wssp:SecurityToken>
              </wse:BaseToken>
              <wse:IssuerToken>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
                  <wssp:TokenIssuer>DC=com, DC=everest, CN=EverestCsr</wssp:TokenIssuer>
                  <wssp:Claims>
                    <wssp:SubjectName MatchType="wssp:Exact">DC=com, DC=everest, CN=Users, CN=Administrator</wssp:SubjectName>
                    <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">0Ue6rBPQiujm0dbW4HptwVcym8w=</wssp:X509Extension>
                  </wssp:Claims>
                </wssp:SecurityToken>
              </wse:IssuerToken>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>

> Hi Kiran,
>
[quoted text clipped - 133 lines]
> > > > >
> > > > > Kiran
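
Added example, not code from any poster in this thread or from WSE itself: a small audit of a policy mapping like the one posted above, reporting for each endpoint whether its default request and response reference a policy, and whether that policy carries both Integrity and Confidentiality assertions. The function name audit and the trimmed sample document are constructed for illustration; the script assumes an empty policy="" attribute names no policy expression.

```python
import xml.etree.ElementTree as ET

WSE = "{http://schemas.microsoft.com/wse/2003/06/Policy}"
WSP = "{http://schemas.xmlsoap.org/ws/2002/12/policy}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
WSSP = "{http://schemas.xmlsoap.org/ws/2002/12/secext}"

# Constructed sample: the thread's two endpoints, with the assertions trimmed.
SAMPLE = """<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
 <mappings>
  <endpoint uri="http://serv1/SecureConvCodeService/hello.asmx">
   <defaultOperation><request policy="" /><response policy="" /></defaultOperation>
  </endpoint>
  <endpoint uri="http://serv1/SecureConvCodeService/SecureConvService.asmx">
   <defaultOperation><request policy="#Sign-SCT-Encrypt-SCT" /><response policy="" /></defaultOperation>
  </endpoint>
 </mappings>
 <policies xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
  <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT">
   <wssp:Integrity wsp:Usage="wsp:Required" />
   <wssp:Confidentiality wsp:Usage="wsp:Required" />
  </wsp:Policy>
 </policies>
</policyDocument>"""

def audit(xml_text):
    """Return (endpoint uri, direction, status) for each default operation."""
    root = ET.fromstring(xml_text)
    policies = {p.get(WSU + "Id"): p for p in root.iter(WSP + "Policy")}
    findings = []
    for ep in root.iter(WSE + "endpoint"):
        default = ep.find(WSE + "defaultOperation")
        for direction in ("request", "response"):
            node = default.find(WSE + direction) if default is not None else None
            ref = (node.get("policy") if node is not None else "") or ""
            policy = policies.get(ref.lstrip("#"))
            if not ref:
                status = "no policy"            # empty reference: nothing required
            elif policy is None:
                status = "dangling reference"   # '#id' with no matching wsu:Id
            else:
                signed = policy.find(WSSP + "Integrity") is not None
                encrypted = policy.find(WSSP + "Confidentiality") is not None
                status = "signed+encrypted" if signed and encrypted else "partial"
            findings.append((ep.get("uri"), direction, status))
    return findings
```

On the sample, hello.asmx and every response come back as "no policy", and only the request to SecureConvService.asmx is reported as signed and encrypted.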
kiran & Dev - 21 Mar 2005 11:49 GMT
The entire usernameToken is encrypted and nothing is sent over in clear text
even though the passwordOption is set to SendPlainText. This is fine if we use
code; how to do this with WS-Policy?

Softwaremaker, Dilip, any suggestions?

Your support is fully appreciated.

> See this :
> http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx

[quoted text clipped - 8 lines]
> >
> > Kiran
