Posted to wss4j-dev@ws.apache.org by José Ferreiro <jo...@gmail.com> on 2008/04/21 17:02:58 UTC

WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

*Hello,*
Definitions:
Asymmetric cryptography: Form of cryptography in which a user has a pair of
cryptographic keys (a *public key* and a *private key*)
Symmetric cryptography:  Form of cryptography in which many users share a
secret key (*single key*)

*WSS4J works as follows for encryption*:

WSS4J generates a random session key (*single key*) for every new "session"
(SOAP message), encrypts the data using the *single key*.
The server's *public key* (usually contained in a X.509 certificate)
encrypts the *session key* and packs it into the relevant SOAP header
structure.

Is this correct?
Which is the default *symmetric* algorithm to encrypt the SOAP body data in
WSS4J? Is it aes128-cbc?
Which is the default *asymmetric* algorithm to encrypt the symmetric
key (*single
key*) in WSS4J? Is it RSA?


*WSS4J works as follows for signing*:

The client uses its *private key* to sign the SOAP body. The server uses the
client's public key to check the signature of the SOAP body content using a
cryptographic hash function.
The client's public key is usually contained in a certificate signed by a
Certificate Authority (such as Verisign)

Is this correct?
Which is the default hash algorithm to sign the SOAP body data in WSS4J? Is
it SHA-1?

Thank you in advance for your comments.

Jose Ferreiro
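
The sign-then-encrypt flow described in the post above, written out against the WSS4J API as an added example. This is not code from the original post and not WSS4J's own interop or demo program; it assumes the WSS4J 1.5.x API that was current when the thread was posted (WSS4J 2.x moved the classes to the org.apache.wss4j.* packages), a keystore reachable through a "crypto.properties" file, the aliases "client" and "server", the two key passwords, and the constructed sample envelope. The algorithms are set explicitly rather than left to the library, so the example does not depend on the answer to the "what is the default" questions: the body is encrypted with a random AES-128 key that WSS4J generates for each message, that key is wrapped for the server's RSA public key as an EncryptedKey in the Security header, and the body is signed with RSA over SHA-1, which is what the XML Signature URI used below means.

```java
// Added example, not from the original post or from the WSS4J sources.
// Assumptions: WSS4J 1.5.x, a crypto.properties file, keystore aliases
// "client" and "server", and the passwords shown as literals.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Vector;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.w3c.dom.Document;

public class HybridSoapExample {

    // Constructed sample message (any SOAP 1.1 envelope would do).
    private static final String SOAP_MSG =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><ns:getBalance xmlns:ns=\"urn:example\">"
      + "<account>42</account></ns:getBalance></soapenv:Body></soapenv:Envelope>";

    // XML Signature algorithm URI for RSA over SHA-1; a literal so it matches any WSS4J version.
    private static final String RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // WSS4J works on a namespace-aware DOM
        // Refuse DOCTYPE so an attacker-supplied envelope cannot use external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    /** Sender: sign the Body with the client key, then encrypt it for the server. */
    public static Document protect(Document doc, Crypto crypto) throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);  // adds <wsse:Security> to the SOAP Header

        // Signature: the client's private key (alias "client") signs the Body,
        // the default part. The client's X.509 certificate is embedded as a
        // BinarySecurityToken so the server can verify without a lookup.
        WSSecSignature sign = new WSSecSignature();
        sign.setUserInfo("client", "client-key-password");
        sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
        sign.setSignatureAlgorithm(RSA_SHA1);
        doc = sign.build(doc, crypto, secHeader);

        // Encryption: WSS4J draws a fresh random AES-128 key for this message,
        // encrypts the Body content with it, and wraps that key with the server's
        // RSA public key (alias "server") into <xenc:EncryptedKey>. Only the
        // server's certificate is needed here, hence no password. RSA-OAEP is
        // chosen over RSA 1.5 for key transport.
        WSSecEncrypt encrypt = new WSSecEncrypt();
        encrypt.setUserInfo("server", null);
        encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
        encrypt.setSymmetricEncAlgorithm(WSConstants.AES_128);
        encrypt.setKeyEnc(WSConstants.KEYTRANSPORT_RSAOEP);
        return encrypt.build(doc, crypto, secHeader);
    }

    /** Receiver: decrypt with the server's private key, then verify the signature. */
    public static Vector unprotect(Document doc, Crypto crypto) throws Exception {
        CallbackHandler keyPasswords = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (!(callbacks[i] instanceof WSPasswordCallback)) {
                        throw new UnsupportedCallbackException(callbacks[i]);
                    }
                    WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
                    if (pc.getUsage() == WSPasswordCallback.DECRYPT) {
                        pc.setPassword("server-key-password");  // unlocks the server's private key
                    }
                }
            }
        };
        WSSecurityEngine engine = new WSSecurityEngine();
        // Processes the Security header in document order (EncryptedKey first,
        // then Signature) and throws WSSecurityException if anything fails.
        return engine.processSecurityHeader(doc, null, keyPasswords, crypto);
    }

    public static void main(String[] args) throws Exception {
        Crypto crypto = CryptoFactory.getInstance("crypto.properties");
        Document protectedDoc = protect(parse(SOAP_MSG), crypto);
        Vector results = unprotect(protectedDoc, crypto);
        System.out.println("security header elements processed: " + results.size());
    }
}
```

The assumed crypto.properties selects the Merlin keystore provider (org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin) and names the JKS file, its type and its password through the org.apache.ws.security.crypto.merlin.* properties; on the sender it holds the client's key pair and the server's certificate, on the receiver the server's key pair and the client's certificate. Running both halves against one keystore, as main() does, is fine for a local test but not a deployment: the private keys belong on separate hosts.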

Re: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

Posted by José Ferreiro <jo...@gmail.com>.
 Thank you for your reply Werner!

By the way, I found this interesting article explaining the *Mechanics of
WS-Security*.
Additionally it has some UML sequence diagrams corresponding to a *real-world
WS-Security scenario*.

The link: http://www.ibm.com/developerworks/webservices/library/ws-best11/

Regards,



On 4/21/08, José Ferreiro <jo...@gmail.com> wrote:
>
> Thank you for your reply Werner!
>
> By the way, I found this interesting article explaining the *Mechanics of
> WS-Security*.
> Additionally it has some UML sequence diagrams corresponding to a *real-world
> WS-Security scenario*.
>
> Regards,
>
> Jose Ferreiro
>
> On 4/21/08, Dittmann, Werner (NSN - DE/Muenich) <we...@nsn.com>
> wrote:
> >
> >  Jose,
> >
> > most of your questions relate to the WS-Security specifications. Would
> > you be so
> > kind as to refer to these specifications (OASIS Web Services Security)? The
> > WSS4J
> > documentation (mostly Javadoc) and interop/demo programs give you some
> > more information on how to use and deploy WSS4J in Axis1 and Axis2
> > environments
> >
> > Best regards,
> > Werner
> >
> >
> >  ------------------------------
> >  *Von:* ext José Ferreiro [mailto:jose.ferreiro@gmail.com]
> > *Gesendet:* Montag, 21. April 2008 17:03
> > *An:* wss4j-dev@ws.apache.org; axis-user@ws.apache.org
> > *Betreff:* WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
> >
> >
> >
> > *Hello,*
> > Definitions:
> > Asymmetric cryptography: Form of cryptography in which a user has a pair
> > of cryptographic keys (a *public key* and a *private key*)
> > Symmetric cryptography:  Form of cryptography in which many users share
> > a secret key (*single key*)
> >
> > *WSS4J works as follows for encryption*:
> >
> > WSS4J generates a random session key (*single key*) for every new
> > "session" (SOAP message), encrypts the data using the *single key*.
> > The server's *public key* (usually contained in a X.509 certificate)
> > encrypts the *session key* and packs it into the relevant SOAP header
> > structure.
> >
> > Is this correct?
> > Which is the default *symmetric* algorithm to encrypt the SOAP body data
> > in WSS4J? Is it aes128-cbc?
> > Which is the default *asymmetric* algorithm to encrypt the symmetric key
> > (*single key*) in WSS4J? Is it RSA?
> >
> >
> > *WSS4J works as follows for signing*:
> >
> > The client uses its *private key* to sign the SOAP body. The server uses
> > the client's public key to check the signature of the SOAP body content
> > using a cryptographic hash function.
> > The client's public key is usually contained in a certificate signed by
> > a Certificate Authority (such as Verisign)
> >
> > Is this correct?
> > Which is the default hash algorithm to sign the SOAP body data in WSS4J?
> > Is it SHA-1?
> >
> > Thank you in advance for your comments.
> >
> > Jose Ferreiro
> >
> >
> >
> >
> >
> >
>
>
> --
> José Ferreiro
> EPFL Communication Systems engineer
> ing.sys.com.dipl.EPFL
>
> "Think little goals and expect little achievements. Think big goals and
> win big success."  David Joseph Schwartz




-- 
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

"Think little goals and expect little achievements. Think big goals and win
big success."  David Joseph Schwartz

Re: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

Posted by José Ferreiro <jo...@gmail.com>.
Thank you for your reply Werner!

By the way, I found this interesting article explaining the *Mechanics of
WS-Security*.
Additionally it has some UML sequence diagrams corresponding to a *real-world
WS-Security scenario*.

Regards,

Jose Ferreiro

On 4/21/08, Dittmann, Werner (NSN - DE/Muenich) <we...@nsn.com>
wrote:
>
>  Jose,
>
> most of your questions relate to the WS-Security specifications. Would you
> be so
> kind as to refer to these specifications (OASIS Web Services Security)? The
> WSS4J
> documentation (mostly Javadoc) and interop/demo programs give you some
> more information on how to use and deploy WSS4J in Axis1 and Axis2
> environments
>
> Best regards,
> Werner
>
>
>  ------------------------------
>  *Von:* ext José Ferreiro [mailto:jose.ferreiro@gmail.com]
> *Gesendet:* Montag, 21. April 2008 17:03
> *An:* wss4j-dev@ws.apache.org; axis-user@ws.apache.org
> *Betreff:* WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
>
>
>
> *Hello,*
> Definitions:
> Asymmetric cryptography: Form of cryptography in which a user has a pair
> of cryptographic keys (a *public key* and a *private key*)
> Symmetric cryptography:  Form of cryptography in which many users share a
> secret key (*single key*)
>
> *WSS4J works as follows for encryption*:
>
> WSS4J generates a random session key (*single key*) for every new
> "session" (SOAP message), encrypts the data using the *single key*.
> The server's *public key* (usually contained in a X.509 certificate)
> encrypts the *session key* and packs it into the relevant SOAP header
> structure.
>
> Is this correct?
> Which is the default *symmetric* algorithm to encrypt the SOAP body data
> in WSS4J? Is it aes128-cbc?
> Which is the default *asymmetric* algorithm to encrypt the symmetric key (
> *single key*) in WSS4J? Is it RSA?
>
>
> *WSS4J works as follows for signing*:
>
> The client uses its *private key* to sign the SOAP body. The server uses
> the client's public key to check the signature of the SOAP body content
> using a cryptographic hash function.
> The client's public key is usually contained in a certificate signed by a
> Certificate Authority (such as Verisign)
>
> Is this correct?
> Which is the default hash algorithm to sign the SOAP body data in WSS4J?
> Is it SHA-1?
>
> Thank you in advance for your comments.
>
> Jose Ferreiro
>
>
>
>
>
>


-- 
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

"Think little goals and expect little achievements. Think big goals and win
big success."  David Joseph Schwartz

AW: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)

Posted by "Dittmann, Werner (NSN - DE/Muenich)" <we...@nsn.com>.
Jose,
 
most of your questions relate to the WS-Security specifications. Would you be so
kind as to refer to these specifications (OASIS Web Services Security)? The WSS4J
documentation (mostly Javadoc) and interop/demo programs give you some
more information on how to use and deploy WSS4J in Axis1 and Axis2 environments
 
Best regards,
Werner
 
 
________________________________

Von: ext José Ferreiro [mailto:jose.ferreiro@gmail.com] 
Gesendet: Montag, 21. April 2008 17:03
An: wss4j-dev@ws.apache.org; axis-user@ws.apache.org
Betreff: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)



	Hello,
	 
	Definitions:
	Asymmetric cryptography: Form of cryptography in which a user has a pair of cryptographic keys (a public key and a private key)
	Symmetric cryptography:  Form of cryptography in which many users share a secret key (single key)
	 
	WSS4J works as follows for encryption:
	 
	WSS4J generates a random session key (single key) for every new "session" (SOAP message), encrypts the data using the single key.
	The server's public key (usually contained in a X.509 certificate) encrypts the session key and packs it into the relevant SOAP header structure.
	 
	Is this correct?
	Which is the default symmetric algorithm to encrypt the SOAP body data in WSS4J? Is it aes128-cbc?
	Which is the default asymmetric algorithm to encrypt the symmetric key (single key) in WSS4J? Is it RSA?
	 
	 
	WSS4J works as follows for signing:
	 
	The client uses its private key to sign the SOAP body. The server uses the client's public key to check the signature of the SOAP body content using a cryptographic hash function.
	The client's public key is usually contained in a certificate signed by a Certificate Authority (such as Verisign)
	 
	Is this correct?
	Which is the default hash algorithm to sign the SOAP body data in WSS4J? Is it SHA-1?
	 
	Thank you in advance for your comments.
	 
	Jose Ferreiro