axis-java-user mailing list archives

From "José Ferreiro" <jose.ferre...@gmail.com>
Subject WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
Date Mon, 21 Apr 2008 15:02:58 GMT
*Hello,*
Definitions:
Asymmetric cryptography: Form of cryptography in which a user has a pair of
cryptographic keys (a *public key* and a *private key*)
Symmetric cryptography: Form of cryptography in which many users share a
secret-key (*single key*)

*WSS4J works as follows for encryption*:

WSS4J generates a random session key (*single key*) for every new "session"
(SOAP message), encrypts the data using the *single key*.
The server's *public key* (usually contained in an X.509 certificate)
encrypts the *session key* and packs it into the relevant SOAP header
structure.

Is this correct?
Which is the default *symmetric* algorithm to encrypt the SOAP body data in
WSS4J? Is it aes128-cbc?
Which is the default *asymmetric* algorithm to encrypt the symmetric
key (*single key*) in WSS4J? Is it RSA?


*WSS4J works as follows for signing*:

The client uses its *private key* to sign the SOAP body. The server uses the
client's public key to check the signature of the SOAP body content using a
cryptographic hash function.
The client's public key is usually contained in a certificate signed by a
Certificate Authority (such as Verisign)

Is this correct?
Which is the default hash algorithm to sign the SOAP body data in WSS4J? Is
it SHA-1?

Thank you in advance for your comments.

Jose Ferreiro
