Posted to fx-dev@ws.apache.org by Enric Jaen <en...@yahoo.es> on 2007/05/31 16:16:49 UTC

RE: AES - newbie question - how to fix key & IV

Juan, Chu, many thanks for your responses.

Do you know how to fix in WSS4J the key and the
initialization vector (IV)? This way I could repeat
the calls with the same payload, in order to test the
PHP - WSS4J interoperability. WSS4J depends on Apache
XmlSec and javax.crypto, and I have not seen the way
to do that.
Regards,
/Enric


--- "Da Cruz Pinto, Juan M" <ju...@intel.com> wrote:

> Hi Enric,
> 
> Regarding the EncryptedKey, it will always be
> different, because it's randomly generated each
> time, unless you specify a fixed symmetric key
> (shared secret). I'm not an expert on WSS4J, but the
> normal procedure is (somebody please correct me if
> I'm wrong):
> - Generate a random key [K] (to be used for
> symmetric encryption)
> - RSA-Encrypt the random key (pub-key cryptography).
> This will be stored in the EncryptedKey Element in
> the security header.
> - [DES/AES]-Encrypt the real data with [K]
> (symmetric key cryptography). This will be stored in
> the EncryptedData element, which will replace the
> real data.
> 
> So, normally, I would expect to have a different
> EncryptedKey each time, and as a consequence the
> EncryptedData will be different too. The only way to
> have a fixed key is to use a pre-shared secret.
> 
> Regards,
> Marcelo.
> 
>  
> -----Original Message-----
> From: Enric Jaen [mailto:enricjaen@yahoo.es] 
> Sent: Wednesday, May 30, 2007 08:41
> To: wss4j-dev@ws.apache.org
> Subject: RE: AES - newbie question
> 
> Thanks a lot for the response, Chang.
> 
> I was referring more to the data encrypted in the
> payload of a SOAP message (thereby the AES in the
> title), although I have noticed that the encryptedKey
> is also different each time.
> 
> The reason effectively seems that is what you said:
> random numbers.
> 
> Respect to the payload, after looking at the source
> code, seems that the JDK class javax.crypto.Cipher
> generates a random IV. I don't know if there is a way
> to generate a fixed IV.
> 
> Respect to the encryptedKey, seems that is the padding
> what is generated randomly.
> 
> I have read that this is so for security reasons,
> which makes sense in a general case.
> 
> The problem of all that is that WSS4J doesn't decrypt
> well the payload encrypted with the PHP's mcrypt
> functions, and I am trying to find the reason.
> 
> Best regards,
> 
> /Enric
> 
> 
> 
> 
> --- CHANG Shuh <sh...@gemalto.com> wrote:
> 
> > It's hard to say without knowing more about your
> > scenario. However, there might be some clues for
> > that. For example, in UsernameToken, there are two
> > possible factors that could affect the outcome of
> > the password digest (which may or may not be related
> > to what you were referring to as encrypted data):
> > random number (nonce) and timestamp (created). Each
> > time you make a call, you would get a different
> > nonce and timestamp, and therefore different
> > password digest even though you use the same
> > password each time...
> > 
> > Regards,
> > Shuh
> >  
> > 
> > > -----Original Message-----
> > > From: Enric Jaen [mailto:enricjaen@yahoo.es] 
> > > Sent: Monday, May 28, 2007 9:37 AM
> > > To: wss4j-dev@ws.apache.org
> > > Subject: RV: AES - newbie question
> > > 
> > > Sorry, just to clarify that this issue is happening with WSS4J.
> > > /Enric
> > > 
> > > 
> > > --- Enric Jaen <en...@yahoo.es> wrote:
> > > 
> > > > Date: Mon, 28 May 2007 09:31:19 +0200 (CEST)
> > > > From: Enric Jaen <en...@yahoo.es>
> > > > Subject: AES - newbie question
> > > > To: wss4j-dev@ws.apache.org
> > > > 
> > > > Hi, I am quite newbie about security and I have a simple question:
> > > > 
> > > > When encrypting the data I am forcing the same key, but I
> > > > have noticed that the encrypted data is different in each
> > > > call. Shouldn't it be always the same?
> > > > 
> > > > Thanks for any explanation,
> > > > 
> > > > /Enric



		
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


RE: AES - newbie question - how to fix key & IV

Posted by "Da Cruz Pinto, Juan M" <ju...@intel.com>.
Hi Enric,

To have a fixed encryption key for AES, you should avoid using public key cryptography (which is used for key transport). There are two ways of sharing the AES encryption key between the two parties that want to communicate with SOAP:
- Random AES Key: This is transported with RSA pubkey. This mode won't be useful in your case.
- Pre-Shared Secret: The Key is defined between the two parties before sending the SOAP messages. This is the mode you should try.

If you are really trying to test interoperability, both of these modes should be working (no matter if you are working with PHP, JAVA or C++). Nevertheless, for your testing purposes, I recommend that you try the second mode (pre-shared secret).
Also, I wouldn't expect the IV to be the problem. If you are trying to mess with the IV, you can check what Java Security Provider you are using, and figure out how AES works in there.

Regards,
Marcelo.
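
An added example (not part of the thread and not WSS4J code) of the behaviour discussed above, using plain javax.crypto: with the same key, AES-CBC output changes whenever the IV changes, and pinning the IV with IvParameterSpec makes the output reproducible for interoperability test vectors. Assumptions: the class name, key and payload are constructed, PKCS5Padding stands in for whatever padding the two stacks agree on, and the IV-prefixed message layout follows the XML Encryption convention for CBC ciphers.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class FixedIvDemo {
    static final String TRANSFORM = "AES/CBC/PKCS5Padding"; // padding is an assumption

    // Returns IV || ciphertext, the layout XML Encryption uses for CBC ciphers.
    static byte[] encrypt(byte[] key, byte[] iv, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Splits the leading 16-byte IV off the message, so the receiver never needs a fixed IV.
    static byte[] decrypt(byte[] key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(msg, 0, 16));
        return c.doFinal(msg, 16, msg.length - 16);
    }

    static byte[] randomIv() {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        return iv;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // constructed test key
        byte[] plain = "<payload>same body</payload>".getBytes(StandardCharsets.UTF_8);
        byte[] fixedIv = new byte[16]; // all-zero IV: for test vectors only, never for real traffic

        // Same key, fresh random IV per call: the two outputs are compared for equality.
        System.out.println("random IV, outputs equal: "
            + Arrays.equals(encrypt(key, randomIv(), plain), encrypt(key, randomIv(), plain)));
        // Same key, pinned IV: the output is reproducible and can be diffed against the PHP side.
        System.out.println("fixed IV, outputs equal:  "
            + Arrays.equals(encrypt(key, fixedIv, plain), encrypt(key, fixedIv, plain)));
        // Decryption succeeds either way because the IV travels with the message.
        byte[] roundTrip = decrypt(key, encrypt(key, randomIv(), plain));
        System.out.println(new String(roundTrip, StandardCharsets.UTF_8));
    }
}
```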
 