Thank you for your reply Werner!

By the way, I found this interesting article explaining the *Mechanics of
WS-Security*.
Additionally, it has some UML sequence diagrams corresponding to a *real-world
WS-Security scenario*.

Regards,

Jose Ferreiro

On 4/21/08, Dittmann, Werner (NSN - DE/Muenich) <[EMAIL PROTECTED]>
wrote:
>
>  Jose,
>
> most of your questions relate to the WS-Security specifications. Would you be so
> kind and refer to these specifications (OASIS Web Service Security). The WSS4J
> documentation (mostly Javadoc) and interop/demo programs give you some
> more information how to use and deploy WSS4J in Axis1 and Axis2 environments
>
> Best regards,
> Werner
>
>
>  ------------------------------
>  *From:* ext José Ferreiro [mailto:[EMAIL PROTECTED]
> *Sent:* Monday, April 21, 2008 17:03
> *To:* [EMAIL PROTECTED]; axis-user@ws.apache.org
> *Subject:* WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
>
>
>
>  *Hello,*
>
> Definitions:
> Asymmetric cryptography: Form of cryptography in which a user has a pair
> of cryptographic keys (a *public key* and a *private key*)
> Symmetric cryptography: Form of cryptography in which many users share a
> secret key (*single key*)
>
> *WSS4J works as follows for encryption*:
>
> WSS4J generates a random session key (*single key*) for every new
> "session" (SOAP message), encrypts the data using the *single key*.
> The server's *public key* (usually contained in a X.509 certificate)
> encrypts the *session key* and packs it into the relevant SOAP header
> structure.
>
> Is this correct?
> Which is the default *symmetric* algorithm to encrypt the SOAP body data
> in WSS4J? Is it aes128-cbc?
> Which is the default *asymmetric* algorithm to encrypt the symmetric key (
> *single key*) in WSS4J? Is it RSA?
>
>
> *WSS4J works as follows for signing*:
>
> The client uses its *private key* to sign the SOAP body. The server uses
> the client's public key to check the signature of the SOAP body content
> using a cryptographic hash function.
> The client's public key is usually contained in a signed certificate by a
> Certificate Authority (such as Verisign)
>
> Is this correct?
> Which is the default hash algorithm to sign the SOAP body data in WSS4J?
> Is it SHA-1?
>
> Thank you in advance for your comments.
>
> Jose Ferreiro
>
>
>
>
>
>


-- 
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

"Think little goals and expect little achievements. Think big goals and win
big success."  David Joseph Schwartz
