Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Web Services / March 2005

Tip: Looking for answers? Try searching our database.

WSE, WS-SecureConversation, X.509 and UsernameToken - putting all pieces together?

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Dmitriy Lapshin [C# / .NET MVP] - 04 Mar 2005 15:34 GMT
Hello,

I have several questions on the subject which I cannot answer to myself even
after digging the docs and searching Google groups. I would be glad if
someone could shed some light on the big picture.

1. What's the role of the UsernameToken in WS-SecureConversation? I
understand it is used to authenticate the client accessing the Web service.
If so, and the authentication (and respective authorisation) is done by
other means (say, restricting access to the Web service's virtual folder in
IIS), is it safe to use a 'fake' username token always guaranteed to
authenticate itself successfully?

2. In the SecureConversation sample from WSE 2.0 (the Policy one), why do I
need to install the server certificate on the client? I don't have to do so
for SSL, why this situation is different?

Signature

Sincerely,
Dmitriy Lapshin [C# / .NET MVP]
Bring the power of unit testing to the VS .NET IDE today!
http://www.x-unity.net/teststudio.aspx

Reply to this Message
hoon - 04 Mar 2005 18:15 GMT
The HTTPS/SSL session is established automatically by the browser when one
browses to a HTTPS site. The client and server can now securely send and
receive information. One can dig in deeper by looking at the TLS/SSL
specifications.

Now the question is - Why do I need to install a server certificate on the
client when HTTPS does not need it? Well, the answer is that WSE clients and
sites do not negotiate like HTTPS/SSL. This is a major shortcoming of WSE.
Wouldn't it be  nice to have an API/ability that will negotiate a security
context token automatically? This way one can secure the username token also.

In previous threads (by Williams), a method to extact a public key from the
.snk file generated by the sn tool is described. This way, one does not need
certificates on the clients.

Maybe someone can shed light on why there is no API/ability to establish a
seesion like browsing to a HTTPS site with a browser does ? I find it an
amazing flaw. At least, an API that will get the public certificate from the
server would be nice so one does not have to worry about having clients to
install one.

Even with a certificate on a client, you can find several articles on how to
secure the Username token which is not entirely satisfactory. In this case,
one can send a fake UserName token to get the Security Context token. After
that, you can use Security Context token to secure the Username token.

> Hello,
>
[quoted text clipped - 12 lines]
> need to install the server certificate on the client? I don't have to do so
> for SSL, why this situation is different?
Reply to this Message
Sidd - 25 Mar 2005 08:18 GMT
In the Secure Conversation sample, the client needs the server's cert in
order to encrypt a part of the RST (RequestSecurityToken) message (the
message to the token issuer saying that i am requesting an SCT). This part
of the RST that it is encrypting is the client's entropy. Think of the
clients entropy as a clients random key. Now the STS takes this clients
entropy, generates a server's entropy and creates a key based from these two
entropy's. In the response message, the STS includes the server's entropy
which is encrypted with the clients entropy. When the client receives this,
it knows how to combine the its entropy (the clients entropy) with the
entropy it just received (the server's entropy) to create a session key
(which is the SCT's key) using the same algorithm the server did.

With regards to the sending a fake username to get an SCT. Welll, if this
were the case, then the entire SCT thing would be broken right ? :)

Typically the STS would have a policy that says "I only trust RST messages
to be signed with a Username token that have the username=Fred, or that are
in the role "Administrator". Without this policy, there is no way (except
for users writing code) to authorize and validate the message (the RST).

Hope this helps clarify things a little better?

Sidd [MSFT]

> The HTTPS/SSL session is established automatically by the browser when one
> browses to a HTTPS site. The client and server can now securely send and
[quoted text clipped - 38 lines]
> > need to install the server certificate on the client? I don't have to do so
> > for SSL, why this situation is different?
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.