.NET Forum / ASP.NET / Web Services / March 2005


Encrypt a UsernameToken Authenticated WSE Response

AndiRudi - 30 Mar 2005 20:15 GMT
Is there any other possibility than x509 to encrypt a Response? Something
symmetric would be nice.
casey chesnut - 30 Mar 2005 21:07 GMT
you can encrypt with a UsernameToken too.
both the client and the server know the password,
so that is used to generate a key to encrypt with.

on the client Request you add something like this line:
serviceProxy.RequestSoapContext.Security.Elements.Add(new EncryptedData(token));

the server Response adds something like this :
ResponseSoapContext.Current.Security.Tokens.Add(usernameToken);
ResponseSoapContext.Current.Security.Elements.Add(new MessageSignature(usernameToken));
ResponseSoapContext.Current.Security.Elements.Add(new EncryptedData(usernameToken));

Thanks,
casey
http://www.brains-N-brawn.com

AndiRudi - 30 Mar 2005 22:31 GMT
Thanks,

Meanwhile I tried the examples in the WSE2 documentation named "Encrypt (or
Decrypt) a SOAP Message by Using a Username and Password". I send my password
hashed and also have a working AuthenticateUser method overridden and
registered in web.config. But when I start my client application and call my
HelloWorld() method I get an exception: "Mutable Security Token has to be
added into the tokens collection". I even have no trace, that's a big problem.
I've switched on the trace in both projects and have set all directory write
accesses, but there are still no trace files.

Code (service: http://localhost/WSETest/service1.asmx; my client app is in
wwroot/wseclient):

client:
WSEClient.localhost.Service1Wse proxy = new localhost.Service1Wse();
UsernameToken userToken = new UsernameToken("Andreas", "test", PasswordOption.SendHashed);
// The token has to be in the Tokens collection before EncryptedData can reference it;
// leaving this out is what raises "Mutable Security Token has to be added into the
// tokens collection".
proxy.RequestSoapContext.Security.Tokens.Add(userToken);
EncryptedData encrypt = new EncryptedData(userToken);
proxy.RequestSoapContext.Security.Elements.Add(encrypt);
proxy.RequestSoapContext.Security.Timestamp.TtlInSeconds = 300;
MessageBox.Show(proxy.HelloWorld());

clientpolicy:
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <endpoint uri="http://localhost/WSETests/Service1.asmx">
      <defaultOperation>
        <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
                xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
      <wssp:Confidentiality wsp:Usage="wsp:Required"
                            xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:KeyInfo>
          <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
            <wssp:Claims>
              <wssp:UsePassword Type="wssp:PasswordDigest" wsp:Usage="wsp:Required" />
            </wssp:Claims>
          </SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
        </wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>

service:
[WebMethod]
public string HelloWorld()
{
    // Get the current SOAP context
    SoapContext ctxt = RequestSoapContext.Current;
    if (ctxt == null) {
        return "Please format the request as a SOAP request and try again.";
    }

    // Iterate through all security tokens
    foreach (SecurityToken tok in ctxt.Security.Tokens) {
        if (tok is UsernameToken) {
            UsernameToken user = (UsernameToken)tok;
            return "Hello Authenticated user " + user.Username;
        }
    }
    return "Hello Liar";
}

ServicePolicy:
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <endpoint uri="http://localhost/WSETests/Service1.asmx">
      <defaultOperation>
        <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
                xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
      <wssp:Confidentiality wsp:Usage="wsp:Required"
                            xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <wssp:KeyInfo>
          <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
            <wssp:Claims>
              <wssp:UsePassword Type="wssp:PasswordDigest" wsp:Usage="wsp:Required" />
            </wssp:Claims>
          </SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
        </wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>

Maybe you or anyone else sees the failure.
Thanks, I've been trying that for 3 days now...

AndiRudi - 30 Mar 2005 22:55 GMT
OK, I got it :) Will write an article about that soon.

AndiRudi - 31 Mar 2005 00:05 GMT
One additional question:

How is the data secured now? I think that the key is a combination of
username and password and the data is symmetrically encrypted, but then a hacker
can read those values and decrypt it?

casey chesnut - 31 Mar 2005 00:41 GMT
the key is derived with a P_SHA1 algorithm.
using the password, the label WS-Security, the nonce, and created date.
P_SHA1 can generate keys of different lengths,
so it could do TripleDES or AES128.

so as long as you are passing a password digest,
then a hacker cannot generate that key without knowing the password.
that password should already be a shared secret between the client and
server,
and is just used to generate the session key to encrypt.
the session key will be different each time because of the nonce and date.

Thanks,
casey
http://www.brains-N-brawn.com
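As an added illustration of the derivation casey describes (this is not code from the thread or from WSE itself), the following Python implements P_SHA1 and derives keys of the two lengths mentioned; the exact byte layout of the label, nonce and Created in the seed is an assumption, and the nonce and Created values are constructed samples.

```python
import base64
import hashlib
import hmac

# P_SHA1 as defined by TLS 1.0 (RFC 2246) and reused by WS-Trust / WSE 2.0:
#   A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
#   output = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
# truncated to the requested length, so one routine serves 3DES (24 bytes)
# and AES-128 (16 bytes) alike, as casey notes.
def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

LABEL = b"WS-Security"  # the label named in the thread

def usernametoken_key(password: str, nonce_b64: str, created: str, key_len: int) -> bytes:
    # Assumed byte layout (the thread does not spell it out): the UTF-8 password is
    # the HMAC secret; the seed is label || decoded nonce bytes || Created string.
    secret = password.encode("utf-8")
    seed = LABEL + base64.b64decode(nonce_b64) + created.encode("utf-8")
    return p_sha1(secret, seed, key_len)

# Constructed sample values standing in for a UsernameToken's Nonce and Created.
NONCE = base64.b64encode(b"constructed-nonce-0001").decode("ascii")
CREATED = "2005-03-31T00:41:00Z"

def demo(password: str = "test") -> dict:
    """Derive a 3DES and an AES-128 key for one message and show what changes them."""
    k3des = usernametoken_key(password, NONCE, CREATED, 24)
    kaes = usernametoken_key(password, NONCE, CREATED, 16)
    next_nonce = base64.b64encode(b"constructed-nonce-0002").decode("ascii")
    return {
        "3des_hex": k3des.hex(),
        "aes128_hex": kaes.hex(),
        # same secret and seed, shorter output: P_SHA1 output is prefix-truncated
        "aes_is_prefix_of_3des": k3des[:16] == kaes,
        # a fresh nonce gives a fresh session key for the same password
        "new_nonce_changes_key": usernametoken_key(password, next_nonce, CREATED, 24) != k3des,
        # nonce and Created travel in the clear, but without the password they do not yield the key
        "wrong_password_changes_key": usernametoken_key("guess", NONCE, CREATED, 24) != k3des,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```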

William Stacey [MVP] - 31 Mar 2005 03:36 GMT
You can dictionary attack the pw digest pretty easily in the UT to get the pw.
Once you have the pw, you can generate the symmetric key as all needed info
is in the message. I blogged some code on doing this at:
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!178.entry

Signature

William Stacey, MVP
http://mvp.support.microsoft.com

casey chesnut - 31 Mar 2005 05:44 GMT
if the password is a word in the dictionary, then it's definitely simple.
all you do is run through the 200K to 400K words used in a language.
so make the password a non dictionary word, or better yet a passphrase.
you can also make it stronger by prepending SALT.
you should be using SALT server side anyways.
of course all that can be beaten, but it's not exactly easy.
it depends on how secure you need to be,
e.g. do you need to keep the NSA out.

or you could use x509 as your blog says,
and mess around with key management.

casey
http://www.brains-N-brawn.com

William Stacey [MVP] - 31 Mar 2005 10:43 GMT
> if the password is a word in the dictionary, then its definitely simple.
> all you do is run through the 200K to 400K words used in a language.
> so make the password a non dictionary word, or better yet a passphrase.

That is generally good.  However, my home P4 2.4GHz computer can test about
1 million passwords (dict or hybrid) per minute.  So even passwords like
"sunshine;12" will be cracked in short order.  Passphrases are more work,
but could still get many of those with more time.  Totally random passwords
are probably the best against this attack.  However, in the real world,
neither is widely used by users as they forget those passwords and regress
back to something they can remember (normally some dict word with just
enough digits appended or prepended to pass the password policy.)

> you can also make is stronger by prepending SALT.
> you should be using SALT server side anyways.
> of course all that can be beaten, but its not exactly easy.

Salt does not add much to the wire security - only the server db security.
That is because normally salt is sent to the client in clear text so it is
known.  If the client gets the salt via some encryption, then we are back to
how to get a secure session.  And if we already had one, the client does not
need the salt.

> or you could use x509 as your blog says,
> and mess around with key management.

x509 or just your own RSA keys that do not require certs.  I blogged a SCT
solution using just a strong name public key on the client side to get a SCT.

Signature

William Stacey, MVP
http://mvp.support.microsoft.com

casey chesnut - 31 Mar 2005 16:27 GMT
let's use your example : sunshine;12
so a word, a special character, and a number
let's assume that it is not case sensitive
(to make it significantly easier)
and that the order is always word, character, number
(to make it significantly easier)
sunshine is a common word that will be in a 200K word dictionary
so let's make the search space
200K words * 10 special characters * 100 digits
= 200000000
so your program could find it in 200 minutes (worst case)

now let's take a passphrase of just 2 words
200K * 200K
40000000000 search space
that would take you about a month (worst case)

add another word, case sensitivity, or a number,
and it becomes significantly harder.

which can be beaten by more powerful computers,
and parallel computing.

i use SALT on the client side too (sent as plain text),
to avoid a direct DB lookup of the hash value,
to force the cracker to do the brute force search.
(although UsernameToken has nonce built in)

key management does not require a cert.
with or without a cert, you still have to manage the pub/pri keys.
and most people can't manage their passwords.

it depends on how secure you need to be,
but i definitely think passwords (particularly pass phrases) have their
place.

Thanks,
casey
http://www.brains-N-brawn.com

William Stacey [MVP] - 31 Mar 2005 17:14 GMT
> key management does not require a cert.
> with or without a cert, you still have to manage the pub/pri keys.
> and most people can't manage their passwords.

Agreed.  But if you sign your assem, you already have a public key at the
client and the server has the private key (or could have.)  Naturally,
securing that private key requires special attention.   But with a little
extra work, you can get much better security IMO.

> it depends on how secure you need to be,
> but i definitely think passwords (particularly pass phrases) have their
> place.

Agree.  Thanks for discussion Casey.

Signature

William Stacey, MVP
http://mvp.support.microsoft.com

