Juan, Chu many thanks for your responses. Do you know how to fix in WSS4J the key and the initialization vector (IV)? This way I could repeat the calls with the same payload, in order to test the PHP - WSS4J interoperability. WSS4J depends on Apache XmlSec and javax.crypto, and I have not seen the way to do that. Regards, /Enric
--- "Da Cruz Pinto, Juan M" <[EMAIL PROTECTED]> escribió: > Hi Enric, > > Regarding the EncryptedKey, it will always be > different, because it's randomly generated each > time, unless you specify a fixed symmetric key > (shared secret). I'm not an expert on WSS4J, but the > normal procedure is (somebody please correct me if > I'm wrong): > - Generate a random key [K] (to be used for > symmetric encryption) > - RSA-Encrypt the random key (pub-key cryptography). > This will be stored in the EncryptedKey Element in > the security header. > - [DES/AES]-Encrypt the real data with [K] > (symmetric key cryptography). This will be stored in > the EncryptedData element, which will replace the > real data. > > So, normally, I would expect to have a different > EncryptedKey each time, and as a consequence the > EncryptedData will be different too. The only way to > have a fixed key is to use a pre-shared secret. > > Regards, > Marcelo. > > > -----Original Message----- > From: Enric Jaen [mailto:[EMAIL PROTECTED] > Sent: Wednesday, May 30, 2007 08:41 > To: [email protected] > Subject: RE: AES - newbie question > > Thanks a lot for the response, Chang. > > I was refering more to the data encrypted in the > payload of a SOAP message (thereby the AES in the > title), although I have noticed that the > encryptedKey > is also different each time. > > The reason efectively seems that is what you said: > random numbers. > > Respect to the payload, after looking at the source > code, seems that the JDK class javax.crypto.Chipher > generates a random IV. I don't know if there is a > way > to generate a fixed IV. > > Respect to the encryptedKey, seems that is the > padding > > what is generated randomly. > > I have read that this is so for security reasons, > which makes sense in a general case. > > The problem of all that is that WSS4J doesn't > decrypt > well the payload encrypted with the PHP's mcrypt > funcions, and I am trying to find the reason. > > Best regards, > > /Enric > > > > > --- CHANG Shuh <[EMAIL PROTECTED]> escribió: > > > It's hard to say without knowing more about your > > scenario. However, there might be some clues for > > that. For example, in UsernameToken, there are two > > possible factors that could affect the outcome of > > the password digest (which may or may not be > related > > to what you were referring to as encrypted data): > > random number (nonce) and timestamp (created). > Each > > time you make a call, you would get a different > > nonce and timestamp, and therefore different > > password digest even though you use the same > > password each time... > > > > Regards, > > Shuh > > > > > > > -----Original Message----- > > > From: Enric Jaen [mailto:[EMAIL PROTECTED] > > > Sent: Monday, May 28, 2007 9:37 AM > > > To: [email protected] > > > Subject: RV: AES - newbie question > > > > > > Sorry, just to clarify that this issue is > > happening with WSS4J. > > > /Enric > > > > > > > > > --- Enric Jaen <[EMAIL PROTECTED]> escribió: > > > > > > > Fecha: Mon, 28 May 2007 09:31:19 +0200 (CEST) > > > > De: Enric Jaen <[EMAIL PROTECTED]> > > > > Asunto: AES - newbie question > > > > Para: [email protected] > > > > > > > > > > > > Hi, I am quite newbie about security and I > have > > a simple question: > > > > > > > > When encrypting the data I am forcing the same > > key, but I > > > have noticed > > > > that the encrypted data is different in each > > call. Shouldn't it be > > > > always the same? > > > > > > > > Thanks for any explanation, > > > > > > > > /Enric > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ______________________________________________________________ > > > ______________________ > > > > ¡Descubre una nueva forma de obtener > respuestas > > a tus preguntas! > > > > Entra en Yahoo! Respuestas. > > > > http://es.answers.yahoo.com/info/welcome > > > > > > > > > > > > > > > > > > > ______________________________________________ > > > LLama Gratis a cualquier PC del Mundo. > > > Llamadas a fijos y móviles desde 1 céntimo por > > minuto. > > > http://es.voice.yahoo.com > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: > > [EMAIL PROTECTED] > > > For additional commands, e-mail: > > [EMAIL PROTECTED] > > > > > > > > > > > > > ______________________________________________ > LLama Gratis a cualquier PC del Mundo. > Llamadas a fijos y móviles desde 1 céntimo por > minuto. > http://es.voice.yahoo.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: > [EMAIL PROTECTED] > For additional commands, e-mail: > [EMAIL PROTECTED] > ______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
