Jose, most of your questions relate to the WS-Security specifications. Would you be so kind as to refer to these specifications (OASIS Web Service Security)? The WSS4J documentation (mostly Javadoc) and the interop/demo programs give you some more information on how to use and deploy WSS4J in Axis1 and Axis2 environments.

Best regards,
Werner

________________________________
From: ext José Ferreiro [mailto:[EMAIL PROTECTED]]
Sent: Monday, 21 April 2008 17:03
To: [email protected]; [EMAIL PROTECTED]
Subject: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

Hello,

Definitions:

Asymmetric cryptography: Form of cryptography in which a user has a pair of cryptographic keys (a public key and a private key).

Symmetric cryptography: Form of cryptography in which many users share a secret key (single key).

WSS4J works as follows for encryption:

WSS4J generates a random session key (single key) for every new "session" (SOAP message) and encrypts the data using the single key. The server's public key (usually contained in an X.509 certificate) encrypts the session key and packs it into the relevant SOAP header structure.

Is this correct?

Which is the default symmetric algorithm to encrypt the SOAP body data in WSS4J? Is it aes128-cbc?

Which is the default asymmetric algorithm to encrypt the symmetric key (single key) in WSS4J? Is it RSA?

WSS4J works as follows for signing:

The client uses its private key to sign the SOAP body. The server uses the client's public key to check the signature of the SOAP body content using a cryptographic hash function. The client's public key is usually contained in a certificate signed by a Certificate Authority (such as Verisign).

Is this correct?

Which is the default hash algorithm to sign the SOAP body data in WSS4J? Is it SHA-1?

Thank you in advance for your comments.

Jose Ferreiro
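The hybrid scheme José describes (random per-message AES session key for the body, RSA key transport of that session key under the server's public key, RSA signature over the body under the client's private key) can be shown end to end with plain JCE. The following is an added example written for this thread; it is not WSS4J code and does not use WSS4J's API or XML Encryption/XML Signature structures, and it simply uses the algorithms named in the question (AES-128-CBC, RSA with PKCS#1 v1.5 key transport, SHA1withRSA) as assumptions to illustrate the structure, not as a statement of WSS4J's defaults. The `Envelope` class, the `seal`/`open` methods and the sample body string are all constructed here.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;

// Hypothetical stand-alone illustration of the hybrid encrypt-and-sign structure.
public class HybridSoapDemo {

    // What a sender would place in the security header and body (constructed container,
    // standing in for the EncryptedKey / EncryptedData / Signature elements).
    static final class Envelope {
        final byte[] encryptedSessionKey; // AES key encrypted under the server's RSA public key
        final byte[] iv;                  // CBC IV, transmitted in the clear
        final byte[] encryptedBody;       // AES-128-CBC ciphertext of the body
        final byte[] signature;           // client's RSA signature over the plaintext body

        Envelope(byte[] encryptedSessionKey, byte[] iv, byte[] encryptedBody, byte[] signature) {
            this.encryptedSessionKey = encryptedSessionKey;
            this.iv = iv;
            this.encryptedBody = encryptedBody;
            this.signature = signature;
        }
    }

    // Client side: sign the body, then encrypt it under a fresh session key,
    // and transport the session key under the server's public key.
    static Envelope seal(byte[] body, PublicKey serverPublic, PrivateKey clientPrivate)
            throws GeneralSecurityException {
        // 1. Signature over the plaintext body (SHA-1 digest, RSA signature).
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(clientPrivate);
        signer.update(body);
        byte[] signature = signer.sign();

        // 2. Fresh random 128-bit AES session key for this message only.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey sessionKey = keyGen.generateKey();

        // 3. Symmetric encryption of the body with AES-128-CBC and a random IV.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new IvParameterSpec(iv));
        byte[] encryptedBody = aes.doFinal(body);

        // 4. Key transport: wrap the session key with the server's RSA public key.
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.WRAP_MODE, serverPublic);
        byte[] encryptedSessionKey = rsa.wrap(sessionKey);

        return new Envelope(encryptedSessionKey, iv, encryptedBody, signature);
    }

    // Server side: recover the session key with the server's private key, decrypt the body,
    // then verify the client's signature with the client's public key.
    static byte[] open(Envelope env, PrivateKey serverPrivate, PublicKey clientPublic)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.UNWRAP_MODE, serverPrivate);
        SecretKey sessionKey = (SecretKey) rsa.unwrap(env.encryptedSessionKey, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new IvParameterSpec(env.iv));
        byte[] body = aes.doFinal(env.encryptedBody);

        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(clientPublic);
        verifier.update(body);
        if (!verifier.verify(env.signature)) {
            throw new SignatureException("body signature does not verify");
        }
        return body;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair(); // stands in for the server's X.509 key pair
        KeyPair client = kpg.generateKeyPair(); // stands in for the client's X.509 key pair

        // Constructed sample body; a real message would be the serialized SOAP Body element.
        byte[] body = "<soap:Body><getQuote>ACME</getQuote></soap:Body>".getBytes(StandardCharsets.UTF_8);

        Envelope env = seal(body, server.getPublic(), client.getPrivate());
        byte[] recovered = open(env, server.getPrivate(), client.getPublic());
        System.out.println("round trip ok: " + Arrays.equals(body, recovered));
    }
}
```

The session key never leaves `seal` in the clear: only its RSA-wrapped form travels with the message, which is the property that lets the symmetric algorithm carry the bulk data while the asymmetric one protects a single short key. The signature is computed over the plaintext body before encryption and checked after decryption, so a message whose body was altered in transit fails in `open` with a `SignatureException` rather than being accepted.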
