Posted to users@cxf.apache.org by Frank Cornelis <in...@e-contract.be> on 2015/07/28 11:09:41 UTC
DHKeyValue as ComputedKey
Hi,
For some applications we would like to have a proof-of-possession key
with the perfect forward secrecy security property.
WS-Trust clearly defines how to compute such a key using the PSHA1
algorithm, but not how to properly do this using Diffie-Hellman.
Does anyone have an example on how this should best be incorporated
within the WS-Trust protocol?
Request should contain something like:
<wst:ComputedKeyAlgorithm>
http://www.w3.org/2001/04/xmlenc#DHKeyValue
</wst:ComputedKeyAlgorithm>
<wst:KeyType>
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
</wst:KeyType>
<???>
<xenc:DHKeyValue>
<xenc:P>...</xenc:P>
<xenc:Q>...</xenc:Q>
<xenc:Generator>...</xenc:Generator>
<xenc:Public>...</xenc:Public>
</xenc:DHKeyValue>
</???>
The response should contain something like:
<wst:RequestedProofToken>
<wst:ComputedKey>
http://www.w3.org/2001/04/xmlenc#DHKeyValue
</wst:ComputedKey>
<???>
<xenc:DHKeyValue>
<xenc:P>...</xenc:P>
<xenc:Q>...</xenc:Q>
<xenc:Generator>...</xenc:Generator>
<xenc:Public>...</xenc:Public>
</xenc:DHKeyValue>
</???>
</wst:RequestedProofToken>
Any suggestions here are welcome.
Mvg,
Frank.
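The exchange sketched above, as an added example that is not part of this thread or of CXF: requestor and STS each publish an xenc:DHKeyValue, each validates the peer's Public value (range and order-q subgroup check) before using it, and both derive the same symmetric key. The toy group size, the SHA-256 key derivation and all function names are assumptions of this example; XML Encryption defines its own DH key derivation and a real deployment needs a standard 2048-bit or larger group.

```python
import base64, hashlib, secrets
import xml.etree.ElementTree as ET
XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("xenc", XENC)
NAMES = ("P", "Q", "Generator", "Public")
def is_probable_prime(n, rounds=16):  # Miller-Rabin; enough for the toy group below
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True
def make_group(bits=128):  # toy safe-prime group p = 2q + 1 (assumption; real use needs >= 2048 bits)
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 always lies in the order-q subgroup
def dh_key_value(p, q, g, y):
    """Serialise one party's public value as xenc:DHKeyValue (base64 big-endian ints)."""
    root = ET.Element(f"{{{XENC}}}DHKeyValue")
    for name, v in zip(NAMES, (p, q, g, y)):
        ET.SubElement(root, f"{{{XENC}}}{name}").text = base64.b64encode(
            v.to_bytes((v.bit_length() + 7) // 8, "big")).decode()
    return ET.tostring(root, encoding="unicode")
def parse_dh_key_value(xml_text):
    root = ET.fromstring(xml_text)
    return [int.from_bytes(base64.b64decode(root.find(f"{{{XENC}}}{n}").text), "big")
            for n in NAMES]
def validate_public(p, q, y):
    """Range and subgroup check on a peer's Public before it meets our private key."""
    return 1 < y < p - 1 and pow(y, q, p) == 1
def computed_key_exchange(p, q, g):
    """Requestor (RST) and STS (RSTR) each publish a DHKeyValue; returns both derived keys."""
    x_req, x_sts = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    rst_xml = dh_key_value(p, q, g, pow(g, x_req, p))   # carried in the request
    rstr_xml = dh_key_value(p, q, g, pow(g, x_sts, p))  # carried in the response
    *req_params, y_req = parse_dh_key_value(rst_xml)
    *sts_params, y_sts = parse_dh_key_value(rstr_xml)
    if req_params != [p, q, g] or sts_params != [p, q, g]:
        raise ValueError("peer proposed different DH parameters")
    if not (validate_public(p, q, y_req) and validate_public(p, q, y_sts)):
        raise ValueError("invalid DH public value")
    kdf = lambda zz: hashlib.sha256(zz.to_bytes((p.bit_length() + 7) // 8, "big")).digest()
    return kdf(pow(y_sts, x_req, p)), kdf(pow(y_req, x_sts, p))  # KDF is an assumption
```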
Re: DHKeyValue as ComputedKey
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Frank,
I haven't seen any requirements for this before, and I'm not sure if the
spec accommodates it. Probably the best approach is to define a custom
extension for handling this requirement.
Colm.
On Tue, Jul 28, 2015 at 10:09 AM, Frank Cornelis <in...@e-contract.be> wrote:
> Hi,
>
>
> For some applications we would like to have a proof-of-possession key with
> the perfect forward secrecy security property.
> WS-Trust clearly defines how to compute such a key using the PSHA1
> algorithm, but not how to properly do this using Diffie-Hellman.
> Does anyone have an example on how this should best be incorporated within
> the WS-Trust protocol?
>
> Request should contain something like:
>
> <wst:ComputedKeyAlgorithm>
> http://www.w3.org/2001/04/xmlenc#DHKeyValue
> </wst:ComputedKeyAlgorithm>
> <wst:KeyType>
> http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
> </wst:KeyType>
> <???>
> <xenc:DHKeyValue>
> <xenc:P>...</xenc:P>
> <xenc:Q>...</xenc:Q>
> <xenc:Generator>...</xenc:Generator>
> <xenc:Public>...</xenc:Public>
> </xenc:DHKeyValue>
> </???>
>
>
>
>
> The response should contain something like:
>
> <wst:RequestedProofToken>
> <wst:ComputedKey>
> http://www.w3.org/2001/04/xmlenc#DHKeyValue
> </wst:ComputedKey>
> <???>
> <xenc:DHKeyValue>
> <xenc:P>...</xenc:P>
> <xenc:Q>...</xenc:Q>
> <xenc:Generator>...</xenc:Generator>
> <xenc:Public>...</xenc:Public>
> </xenc:DHKeyValue>
> </???>
> </wst:RequestedProofToken>
>
>
>
> Any suggestions here are welcome.
>
>
> Mvg,
> Frank.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com