Re: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

2008-04-21 Thread José Ferreiro
 Thank you for your reply Werner!

By the way, I found this interesting article explaining the *Mechanics of
WS-Security*.
Additionally it has some UML sequence diagrams corresponding to a *real-world
WS-Security scenario*.

The link: http://www.ibm.com/developerworks/webservices/library/ws-best11/

Regards,



On 4/21/08, José Ferreiro <[EMAIL PROTECTED]> wrote:
>
> Thank you for your reply Werner!
>
> By the way, I found this interesting article explaining the *Mechanics of
> WS-Security*.
> Additionally it has some UML sequence diagrams corresponding to a
> *real-world WS-Security scenario*.
>
> Regards,
>
> Jose Ferreiro
>
> On 4/21/08, Dittmann, Werner (NSN - DE/Muenich) <[EMAIL PROTECTED]>
> wrote:
> >
> >  Jose,
> >
> > most of your questions relate to the WS-Security specifications. Would
> > you be so kind and refer to these specifications (OASIS Web Service
> > Security). The WSS4J documentation (mostly Javadoc) and interop/demo
> > programs give you some more information on how to use and deploy WSS4J
> > in Axis1 and Axis2 environments.
> >
> > Best regards,
> > Werner
> >
> >
> >  --
> >  *From:* ext José Ferreiro [mailto:[EMAIL PROTECTED]
> > *Sent:* Monday, 21 April 2008 17:03
> > *To:* [EMAIL PROTECTED]; axis-user@ws.apache.org
> > *Subject:* WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
> >
> >
> >
> >  *Hello,*
> > Definitions:
> > Asymmetric cryptography: Form of cryptography in which a user has a pair
> > of cryptographic keys (a *public key* and a *private key*)
> > Symmetric cryptography:  Form of cryptography in which many users share
> > a secret key (*single key*)
> >
> > *WSS4J works as follows for encryption*:
> >
> > WSS4J generates a random session key (*single key*) for every new
> > "session" (SOAP message), encrypts the data using the *single key*.
> > The server's *public key* (usually contained in an X.509 certificate)
> > encrypts the *session key* and packs it into the relevant SOAP header
> > structure.
> >
> > Is this correct?
> > Which is the default *symmetric* algorithm to encrypt the SOAP body data
> > in WSS4J? Is it aes128-cbc?
> > Which is the default *asymmetric* algorithm to encrypt the symmetric key
> > (*single key*) in WSS4J? Is it RSA?
> >
> >
> > *WSS4J works as follows for signing*:
> >
> > The client uses its *private key* to sign the SOAP body. The server uses
> > the client's public key to check the signature of the SOAP body content
> > using a cryptographic hash function.
> > The client's public key is usually contained in a signed certificate by
> > a Certificate Authority (such as Verisign)
> >
> > Is this correct?
> >  Which is the default hash algorithm to sign the SOAP body data in WSS4J?
> > Is it SHA-1?
> >
> > Thank you in advance for your comments.
> >
> > Jose Ferreiro
> >
> >
> >
> >
> >
> >
>
>
> --
> José Ferreiro
> EPFL Communication Systems engineer
> ing.sys.com.dipl.EPFL
>
> "Think little goals and expect little achievements. Think big goals and
> win big success."  David Joseph Schwartz




-- 
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

"Think little goals and expect little achievements. Think big goals and win
big success."  David Joseph Schwartz


Re: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

2008-04-21 Thread José Ferreiro
Thank you for your reply Werner!

By the way, I found this interesting article explaining the *Mechanics of
WS-Security*.
Additionally it has some UML sequence diagrams corresponding to a *real-world
WS-Security scenario*.

Regards,

Jose Ferreiro

On 4/21/08, Dittmann, Werner (NSN - DE/Muenich) <[EMAIL PROTECTED]>
wrote:
>
>  Jose,
>
> most of your questions relate to the WS-Security specifications. Would you
> be so kind and refer to these specifications (OASIS Web Service Security).
> The WSS4J documentation (mostly Javadoc) and interop/demo programs give you
> some more information on how to use and deploy WSS4J in Axis1 and Axis2
> environments.
>
> Best regards,
> Werner
>
>
>  --
>  *From:* ext José Ferreiro [mailto:[EMAIL PROTECTED]
> *Sent:* Monday, 21 April 2008 17:03
> *To:* [EMAIL PROTECTED]; axis-user@ws.apache.org
> *Subject:* WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
>
>
>
>  *Hello,*
> Definitions:
> Asymmetric cryptography: Form of cryptography in which a user has a pair
> of cryptographic keys (a *public key* and a *private key*)
> Symmetric cryptography:  Form of cryptography in which many users share a
> secret key (*single key*)
>
> *WSS4J works as follows for encryption*:
>
> WSS4J generates a random session key (*single key*) for every new
> "session" (SOAP message), encrypts the data using the *single key*.
> The server's *public key* (usually contained in an X.509 certificate)
> encrypts the *session key* and packs it into the relevant SOAP header
> structure.
>
> Is this correct?
> Which is the default *symmetric* algorithm to encrypt the SOAP body data
> in WSS4J? Is it aes128-cbc?
> Which is the default *asymmetric* algorithm to encrypt the symmetric key
> (*single key*) in WSS4J? Is it RSA?
>
>
> *WSS4J works as follows for signing*:
>
> The client uses its *private key* to sign the SOAP body. The server uses
> the client's public key to check the signature of the SOAP body content
> using a cryptographic hash function.
> The client's public key is usually contained in a signed certificate by a
> Certificate Authority (such as Verisign)
>
> Is this correct?
>  Which is the default hash algorithm to sign the SOAP body data in WSS4J?
> Is it SHA-1?
>
> Thank you in advance for your comments.
>
> Jose Ferreiro
>
>
>
>
>
>


-- 
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

"Think little goals and expect little achievements. Think big goals and win
big success."  David Joseph Schwartz


WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

2008-04-21 Thread José Ferreiro
*Hello,*
Definitions:
Asymmetric cryptography: Form of cryptography in which a user has a pair of
cryptographic keys (a *public key* and a *private key*)
Symmetric cryptography:  Form of cryptography in which many users share a
secret key (*single key*)

*WSS4J works as follows for encryption*:

WSS4J generates a random session key (*single key*) for every new "session"
(SOAP message), encrypts the data using the *single key*.
The server's *public key* (usually contained in an X.509 certificate)
encrypts the *session key* and packs it into the relevant SOAP header
structure.

Is this correct?
Which is the default *symmetric* algorithm to encrypt the SOAP body data in
WSS4J? Is it aes128-cbc?
Which is the default *asymmetric* algorithm to encrypt the symmetric key
(*single key*) in WSS4J? Is it RSA?


*WSS4J works as follows for signing*:

The client uses its *private key* to sign the SOAP body. The server uses the
client's public key to check the signature of the SOAP body content using a
cryptographic hash function.
The client's public key is usually contained in a signed certificate by a
Certificate Authority (such as Verisign)

Is this correct?
 Which is the default hash algorithm to sign the SOAP body data in WSS4J? Is
it SHA-1?

Thank you in advance for your comments.

Jose Ferreiro