axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "José Ferreiro" <jose.ferre...@gmail.com>
Subject Re: WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
Date Mon, 21 Apr 2008 19:51:41 GMT
Thank you for your reply Werner!

By the way, I found this interesting article explaining the *Mechanics of
WS-Security*.
Additionally it has some UML sequence diagrams corresponding to a *r**eal-world
WS-Security scenario*.

Regards,

Jose Ferreiro

On 4/21/08, Dittmann, Werner (NSN - DE/Muenich) <werner.dittmann@nsn.com>
wrote:
>
>  Jose,
>
> most of your question relate to the WS-Security specifications. Would you
> be so
> kind and refer to these specifications (OASIS Web Service Security). The
> WSS4J
> documentation (mostly Javadoc) and interop/demo programs give you some
> more information how to use and deply WSS4J in Axis1 and Axis2
> environments
>
> Best regards,
> Werner
>
>
>  ------------------------------
>  *Von:* ext José Ferreiro [mailto:jose.ferreiro@gmail.com]
> *Gesendet:* Montag, 21. April 2008 17:03
> *An:* wss4j-dev@ws.apache.org; axis-user@ws.apache.org
> *Betreff:* WSS4J: Hybrid system (Symmetric and asymmetric cryptography)
>
>
>
>  *Hello,*
> **
> Definitions:
> Asymmetric cryptography: Form of cryptography in which a user has a pair
> of cryptographic keys (a *public key* and a *private key*)
> Symmetric cryptography:  Form of cryptography in which many user shared a
> secret-key (*single key*)
>
> *WSS4J works as follows for encryption*:
>
> WSS4J generates a random session key (*single key*) for every new
> "session" (SOAP message), encrypts the data using the *single key*.
> The server's *public key* (usually contained in a X.509 certificate)
> encrypts the *session key* and packs it into the relevant SOAP header
> structure.
>
> Is this correct?
> Which is the default *symmetric* algorithm to encrypt the SOAP body data
> in WSS4J? Is it aes128-cbc?
> Which is the default *asymmetric* algorithm to encrypt the symmetric key (
> *single key*) in WSS4J? Is it RSA?
>
>
> *WSS4J works as follows for signing*:
>
> The client uses its *private key* to sign the SOAP body. The server uses
> the client's public key to check the signature of the SOAP body content
> using a cryptographic hash fuction.
> The client's public key is usually contained in a signed certificate by a
> Certificate Authority (such as Verisign)
>
> Is this correct?
>  Which is the default hash algorithm to sign the SOA body data in WSS4J?
> Is it SHA-1?
>
> Thank you in advance for your comments.
>
> Jose Ferreiro
>
>
>
>
>
>


-- 
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL

"Think little goals and expect little achievements. Think big goals and win
big success."  David Joseph Schwartz
Mime
View raw message