Blog Home  Sign In RSS 2.0 Atom 1.0 CDF  

  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

Archive
<May 2013>
SunMonTueWedThuFriSat
2829301234
567891011
12131415161718
19202122232425
2627282930311
2345678

Previous Blog | Current Blog
July, 2012 (1)
March, 2012 (1)
November, 2011 (1)
September, 2011 (1)
August, 2011 (1)
June, 2011 (1)
April, 2011 (2)
March, 2011 (2)
December, 2010 (3)
May, 2010 (3)
January, 2010 (1)
December, 2009 (1)
November, 2009 (2)
October, 2009 (1)
September, 2009 (1)
August, 2009 (1)
May, 2009 (2)
April, 2009 (2)
January, 2009 (2)
October, 2008 (1)
June, 2008 (1)
May, 2008 (1)
April, 2008 (3)
February, 2008 (6)
January, 2008 (2)
December, 2007 (1)
November, 2007 (2)
October, 2007 (3)
September, 2007 (3)
August, 2007 (6)
July, 2007 (1)
June, 2007 (2)
May, 2007 (6)
April, 2007 (2)
March, 2007 (3)
February, 2007 (5)
January, 2007 (4)
December, 2006 (2)
November, 2006 (2)
October, 2006 (5)
September, 2006 (15)
August, 2006 (6)
July, 2006 (3)
June, 2006 (5)
May, 2006 (7)
April, 2006 (2)
March, 2006 (9)
February, 2006 (6)
January, 2006 (13)
December, 2005 (4)
November, 2005 (10)
October, 2005 (12)
September, 2005 (15)
August, 2005 (8)
July, 2005 (13)
June, 2005 (13)
May, 2005 (7)
April, 2005 (12)
March, 2005 (17)
February, 2005 (20)
January, 2005 (19)
December, 2004 (19)
November, 2004 (27)
October, 2004 (15)
On this page
More on WS-Security 1.1 with WSE 3.0
Categories
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Navigation Links
Home
Site Home
Site Geographical Location
.NET Architecture Center - MSDN
IBM Redbooks
MSDN Web Services Center
Web Services Enchancements - MSDN
Web Services Interoperability - MSDN
Advanced Web Services - MSDN
DemoServers - MSDN Virtual Labs
WCF - Microsoft Technical Forums
WCF - Documentation
Plumbwork Orange
Pattern Share
GDN Workspaces
GDN CodeGallery Projects
WebServices.xml.com
MVP.XML Project
International Association of Software Architects
WSE FAQs
SSDL
MSDN Magazine
Web Services Journal (.NET J2EE XML)
www.choreology.com
Domain Specific Language Tools (VSTS 2005)
BabelFish at AltaVista
Mandarin Tools
My Aggregated RSS News Feeds
Berkeley Tech-Style Puzzles
Aggregated View of my articles
Softwaremaker Radio Blog
Affiliations
Contact
Email
Short Message Service (SMS)
Skype
Translations

Powered by: newtelligence dasBlog 1.9.6264.0

DasBlog 'Portal' theme

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2013, William T 
 Thursday, January 12, 2006
« WSE 3.0 (WS-Security 1.1) Digital Signat... | Main | Looks like I have more MSN Live Messenger Invites ... »
More on WS-Security 1.1 with WSE 3.0

With regards to my post here, I thought I expand on one of many enhancements that WS-Security Specifications 1.1 brings.

"MutualCertificate11Security" assertion is one of the few security turnkey assertions in Web Services Enhancements (WSE) 3.0 and what basically it is is that the client and server are authenticated using X.509 certificates (X509SecurityToken). Message-level security is implemented using X509SecurityToken security tokens. This turnkey security assertion requires WS-Security 1.1

Once that is configured and implemented properly, it is rather interesting to see what transcends on the wire. Here is a brief snippet:

[wsse:Security soap:mustUnderstand="1"]
...
[wsse:BinarySecurityToken ValueType="...oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="...wss-soap-message-security-1.0#Base64Binary" wsu:Id="SecurityToken-76ae..."]MIIBvD...[/wsse:BinarySecurityToken]

[xenc:EncryptedKey Id="SecurityToken-6ec8..." xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"]
[xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"]
[ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /]
[/xenc:EncryptionMethod]
[KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"]
[wsse:SecurityTokenReference]
[wsse:KeyIdentifier ValueType="...oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="...oasis-200401-wss-soap-message-security-1.0#Base64Binary"]qRTA40Xfk6w1Os3mgpgy8UgwR/Y=[/wsse:KeyIdentifier]
[/wsse:SecurityTokenReference]
[/KeyInfo]
[xenc:CipherData]
[xenc:CipherValue]hBfCfVmg...[/xenc:CipherValue]
[/xenc:CipherData]
[xenc:ReferenceList]
...
[/xenc:ReferenceList]
[/xenc:EncryptedKey]

[Signature Id="Sig-b679..." xmlns="http://www.w3.org/2000/09/xmldsig#"]
  [SignedInfo]
  [ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /]
  [SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" /]
  [Reference URI="#Id-5cdc..."]
  ...
  [/Reference]
  [/SignedInfo]
  [SignatureValue]O/PdsVMS4PTIBtrx8eyFNzbTnjc=[/SignatureValue]
  [KeyInfo]
  [wsse:SecurityTokenReference]
  [wsse:Reference URI="#SecurityToken-6ec8..." ValueType="...oasis-wss-soap-message-security-1.1#EncryptedKey" /]
  [/wsse:SecurityTokenReference]
  [/KeyInfo]
[/Signature]

[Signature xmlns="http://www.w3.org/2000/09/xmldsig#"]
  [SignedInfo]
  [ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /]
  [SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /]
  [Reference URI="#Sig-b679..."]
  ...
  [/Reference]
  [/SignedInfo]
  [SignatureValue]PDm4wS+3hzmXugHL1wcTWZXHcaGKkODVHU48XvVNC6catxiOr25
xq9AGN8u8CgYo1JlnoEf2tuCUl86krKiUBSnMR/towfAs2doGg6a+vtjIl9F54c/VZtTPgwn
QdZtJ28E8+ep5MIS2i+9Tamnui6qpX16IS3J1FcMjVBHQpMs=
[/SignatureValue]
  [KeyInfo]
  [wsse:SecurityTokenReference]
  [wsse:Reference URI="#SecurityToken-76ae..." ValueType="...wss-x509-token-profile-1.0#X509v3" /]
  [/wsse:SecurityTokenReference]
  [/KeyInfo]
[/Signature]
...


One thing that you will noticed is that there are 2 Digital Signatures generated.

The first one has a ReferenceID, which hints that it will be subject to encryption/signatures later on, and it is signed by a EncryptedKey type (which I talked about in my earlier post). Because it is encrypted by a symmetric key "#SecurityToken-6ec8", the [SignatureValue] is rather short and this signature basically signs the soap:Body with an URI of "#Id-5cdc..." The [EncryptedKey] value can be decrypted and derived by the server's private key

The second signature basically signs the first signature (#Sig-b679...) and it signs it with the Client's Private Key that only the corresponding Public Key Pair can decrypt. The Public Key, together with the client's cert is sent over the wire via a [wsse:BinarySecurityToken] (#SecurityToken-76ae...). Because an asymmetric key is utilized here, the [SignatureValue] is relatively longer than the first signature.

As we can see from here, the first signature signs the soap:Body and the second signature signs the first signature. These are generally known as "Supporting Tokens". These additional tokens may be specified to augment the claims provided by the token associated with the “message signature” provided by the Security Binding. Supporting tokens may be specified at a different scope than the binding assertion which provides support for securing the exchange.

There are four properties related to supporting token requirements which may be referenced by a Security Binding: [Supporting Tokens], [Signed Supporting Tokens], [Endorsing Supporting Tokens] and [Signed Endorsing Supporting Tokens]. Four assertions are then defined to populate those properties: SupportingTokens, SignedSupportingTokens, EndorsingSupportingTokens, and SignedEndorsingSupportingTokens.

What I have shown above is known as the [EndorsingSupportingTokens].

The [SignedEndorsingSupportingTokens] is a combination of [SignedSupportingToken] and [EndorsingSupportingToken] and I will talk about that in a future post.

 |  | 
Wednesday, January 11, 2006 5:06:42 PM (Malay Peninsula Standard Time, UTC+08:00)  #    Disclaimer 
  • Blog reactions

    		•