Posted to rampart-dev@ws.apache.org by Nandana Mihindukulasooriya <na...@gmail.com> on 2007/10/03 05:54:55 UTC

DerivedKeys in SymmetricBinding

Hi,
   In Rampart, when we use derived keys in a symmetric binding assertion
with X509Token, on the client side we create an encrypted key encrypted for
the server's certificate and use the ephemeral key of that encrypted key to
create the DerivedKeys. When the server sends its response back to the
client, it does the same, by creating an encrypted key for the client's
certificate and using the ephemeral key of that encrypted key to create the
DerivedKeys. But this prevents the scenario of anonymous clients sending
requests to the service, because we have to have the client's certificate to
create the encrypted key in the response.
   This could be avoided if we use the same ephemeral key to create all the
derived keys in both the request and the response. In the response, we can
provide a security token reference in the derived keys using a key identifier
to the encrypted key used in the request, as defined in section 7.7
"Encrypted Key reference" of the WSS 1.1 SOAP Message Security
specification. Is this the right way to go?

Regards,
Nandana

Re: DerivedKeys in SymmetricBinding

Posted by Ruchith Fernando <ru...@apache.org>.
Nandana Mihindukulasooriya wrote:
> Hi,
>    Created a jira issue on this.
> http://issues.apache.org/jira/browse/RAMPART-94
> 
>    I am currently working on this issue. Btw, this seems to trigger a fairly
> big change in related classes in Rampart and WSS4J.  But IMHO,
> I think it is worth changing the implementation.

Sure... go for it!

Thanks,
Ruchith

> 
> Regards,
> Nandana
> 
> On 10/5/07, Ruchith Fernando <ru...@apache.org> wrote:
>> Yes agreed ... this is a bug in Rampart ... In the case where we use the
>> SymmetricBinding the recipient has to use the ephemeral key sent by the
>> initiator to derive keys. In the case where key derivation is not
>> required the recipient should use the ephemeral key itself for
>> signature and encryption.
>>
>> Nandana can you please raise a JIRA issue on this?
>>
>> Thanks,
>> Ruchith
>>
>> Nandana Mihindukulasooriya wrote:
>>> Hi,
>>>    In Rampart, when we use derived keys in a symmetric binding assertion
>>> with X509Token, on the client side we create an encrypted key encrypted for
>>> the server's certificate and use the ephemeral key of that encrypted key to
>>> create the DerivedKeys. When the server sends its response back to the
>>> client, it does the same, by creating an encrypted key for the client's
>>> certificate and using the ephemeral key of that encrypted key to create the
>>> DerivedKeys. But this prevents the scenario of anonymous clients sending
>>> requests to the service, because we have to have the client's certificate to
>>> create the encrypted key in the response.
>>>   This could be avoided if we use the same ephemeral key to create all the
>>> derived keys in both the request and the response. In the response, we can
>>> provide a security token reference in the derived keys using a key identifier
>>> to the encrypted key used in the request, as defined in section 7.7
>>> "Encrypted Key reference" of the WSS 1.1 SOAP Message Security
>>> specification. Is this the right way to go?
>>>
>>> Regards,
>>> Nandana
>>>
>>
>>
>>
>>
> 



Re: DerivedKeys in SymmetricBinding

Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi,
   Created a jira issue on this.
http://issues.apache.org/jira/browse/RAMPART-94

   I am currently working on this issue. Btw, this seems to trigger a fairly
big change in related classes in Rampart and WSS4J.  But IMHO,
I think it is worth changing the implementation.

Regards,
Nandana

On 10/5/07, Ruchith Fernando <ru...@apache.org> wrote:
>
> Yes agreed ... this is a bug in Rampart ... In the case where we use the
> SymmetricBinding the recipient has to use the ephemeral key sent by the
> initiator to derive keys. In the case where key derivation is not
> required the recipient should use the ephemeral key itself for
> signature and encryption.
>
> Nandana can you please raise a JIRA issue on this?
>
> Thanks,
> Ruchith
>
> Nandana Mihindukulasooriya wrote:
> > Hi,
> >    In Rampart, when we use derived keys in a symmetric binding assertion
> > with X509Token, on the client side we create an encrypted key encrypted for
> > the server's certificate and use the ephemeral key of that encrypted key to
> > create the DerivedKeys. When the server sends its response back to the
> > client, it does the same, by creating an encrypted key for the client's
> > certificate and using the ephemeral key of that encrypted key to create the
> > DerivedKeys. But this prevents the scenario of anonymous clients sending
> > requests to the service, because we have to have the client's certificate to
> > create the encrypted key in the response.
> >   This could be avoided if we use the same ephemeral key to create all the
> > derived keys in both the request and the response. In the response, we can
> > provide a security token reference in the derived keys using a key identifier
> > to the encrypted key used in the request, as defined in section 7.7
> > "Encrypted Key reference" of the WSS 1.1 SOAP Message Security
> > specification. Is this the right way to go?
> >
> > Regards,
> > Nandana
> >
>
>
>
>
>

Re: DerivedKeys in SymmetricBinding

Posted by Ruchith Fernando <ru...@apache.org>.
Yes agreed ... this is a bug in Rampart ... In the case where we use the
SymmetricBinding the recipient has to use the ephemeral key sent by the
initiator to derive keys. In the case where key derivation is not
required the recipient should use the ephemeral key itself for
signature and encryption.

Nandana can you please raise a JIRA issue on this?

Thanks,
Ruchith

Nandana Mihindukulasooriya wrote:
> Hi,
>    In Rampart, when we use derived keys in a symmetric binding assertion
> with X509Token, on the client side we create an encrypted key encrypted for
> the server's certificate and use the ephemeral key of that encrypted key to
> create the DerivedKeys. When the server sends its response back to the
> client, it does the same, by creating an encrypted key for the client's
> certificate and using the ephemeral key of that encrypted key to create the
> DerivedKeys. But this prevents the scenario of anonymous clients sending
> requests to the service, because we have to have the client's certificate to
> create the encrypted key in the response.
>   This could be avoided if we use the same ephemeral key to create all the
> derived keys in both the request and the response. In the response, we can
> provide a security token reference in the derived keys using a key identifier
> to the encrypted key used in the request, as defined in section 7.7
> "Encrypted Key reference" of the WSS 1.1 SOAP Message Security
> specification. Is this the right way to go?
> 
> Regards,
> Nandana
>
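
The exchange proposed in Nandana's original post, and confirmed by Ruchith above (the recipient derives its keys from the ephemeral key the initiator sent), as an added example that is not Rampart or WSS4J code. Key derivation follows WS-SecureConversation 1.3 section 7 (P_SHA1 over label + nonce, then an offset/length window) and the response points at the request's EncryptedKey with the #EncryptedKeySHA1 key identifier from WSS 1.1 section 7.7. The RSA-OAEP wrapping of the ephemeral key under the server certificate is replaced by an in-memory stand-in (ServerKeyWrap, hypothetical) so the module runs offline; Initiator, Responder and run_exchange are likewise names chosen here, not Rampart classes.

```python
import base64
import hashlib
import hmac
import os

DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"  # WS-SC default label
ENCRYPTED_KEY_SHA1 = ("http://docs.oasis-open.org/wss/"
                      "oasis-wss-soap-message-security-1.1#EncryptedKeySHA1")


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1: concatenate HMAC-SHA1(secret, A(i) + seed) for i = 1, 2, ..."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()     # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret, nonce, length, generation=0, label=DEFAULT_LABEL):
    """DerivedKeyToken key = P_SHA1(secret, label + nonce)[offset:offset+length], offset = generation*length."""
    offset = generation * length
    return p_sha1(secret, label + nonce, offset + length)[offset:]


def encrypted_key_sha1(encrypted_key_octets: bytes) -> str:
    """KeyIdentifier value for ValueType #EncryptedKeySHA1: base64(SHA-1(raw CipherValue octets))."""
    return base64.b64encode(hashlib.sha1(encrypted_key_octets).digest()).decode("ascii")


class ServerKeyWrap:
    """Hypothetical stand-in for wrapping K under the server certificate (not RSA-OAEP)."""
    def __init__(self):
        self._table = {}

    def wrap(self, k: bytes) -> bytes:          # initiator side: produces the CipherValue octets
        c = os.urandom(256)                      # sized like a 2048-bit RSA block
        self._table[c] = k
        return c

    def unwrap(self, c: bytes) -> bytes:        # server side: "decrypt with the private key"
        return self._table[c]


class Initiator:
    """Anonymous client: no certificate, remembers what it sent so it can resolve the reply."""
    def __init__(self, wrap):
        self.wrap = wrap
        self.sent = {}                           # EncryptedKeySHA1 identifier -> ephemeral key K

    def build_request(self, key_len=16):
        k = os.urandom(32)                       # ephemeral key carried in the EncryptedKey
        c = self.wrap(k)
        self.sent[encrypted_key_sha1(c)] = k
        nonce = os.urandom(16)
        header = {"EncryptedKey": c, "Nonce": nonce, "Length": key_len}
        return header, derive_key(k, nonce, key_len)   # header plus the request signing/encryption key

    def resolve_response(self, header):
        """Resolve the STR in the server's DerivedKeyToken; it must name an EncryptedKey we sent."""
        if header["ValueType"] != ENCRYPTED_KEY_SHA1 or header["KeyIdentifier"] not in self.sent:
            raise ValueError("response references an EncryptedKey this client did not send")
        k = self.sent[header["KeyIdentifier"]]
        return derive_key(k, header["Nonce"], header["Length"])


class Responder:
    """Service: recovers K from the request and reuses it for the response; no client cert needed."""
    def __init__(self, unwrap):
        self.unwrap = unwrap

    def handle_request(self, header):
        k = self.unwrap(header["EncryptedKey"])
        req_key = derive_key(k, header["Nonce"], header["Length"])
        nonce = os.urandom(16)                   # fresh nonce: distinct response key from the same K
        resp_header = {"ValueType": ENCRYPTED_KEY_SHA1,
                       "KeyIdentifier": encrypted_key_sha1(header["EncryptedKey"]),
                       "Nonce": nonce, "Length": header["Length"]}
        return req_key, resp_header, derive_key(k, nonce, header["Length"])


def run_exchange():
    """One request/response round trip; returns the keys each side computed and both headers."""
    kms = ServerKeyWrap()
    client, server = Initiator(kms.wrap), Responder(kms.unwrap)
    req_header, client_req_key = client.build_request()
    server_req_key, resp_header, server_resp_key = server.handle_request(req_header)
    client_resp_key = client.resolve_response(resp_header)
    return {"client_req": client_req_key, "server_req": server_req_key,
            "server_resp": server_resp_key, "client_resp": client_resp_key,
            "req_header": req_header, "resp_header": resp_header}
```

The client-side check in resolve_response is the part worth keeping in a real implementation: the responder's reference is only trustworthy because the client recomputes the SHA-1 over the EncryptedKey octets it actually sent, so a reply that points at any other EncryptedKey is rejected rather than silently keyed with whatever the server chose.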