cxf-users mailing list archives

From "Andi Abes" <aa...@progress.com>
Subject RE: WS-Security/UsernameToken signature with CXF
Date Tue, 02 Sep 2008 22:08:00 GMT
One more thing which might help is the 1.1 version of the username token
profile
(http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf)

Section 4 describes the procedure to derive keys based on information in
the token.

The gist of it is that 2 additional elements are added to the token:
Salt and iterations. These 2 are then used in the following algorithm:

The key is derived as follows. The password (which is UTF-8 encoded)
and Salt are concatenated in that order. Only the actual octets of the
password are used, it is not padded or zero terminated. This value is
hashed using the SHA1 algorithm. The result of this operation is also
hashed using SHA1. This process is repeated until the total number of
hash operations equals the Iteration count.

In other words: K1 = SHA1( password + Salt)
K2 = SHA1( K1 )
...
Kn = SHA1 ( Kn-1)
Where + means concatenation and n is the iteration count.

The resulting 160 bit value is used in a MAC function or truncated
to the appropriate length for encryption


HTH,
A.
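The derivation quoted above, as an added Python example (not code from the original post, nor from CXF or WSS4J): the sample password, salt and iteration count are constructed values, and the HMAC-SHA1 and 16-octet truncation stand in for the two uses the profile names, a MAC key and a cipher key.

```python
import hashlib
import hmac


def sha1_digest(data: bytes) -> bytes:
    """Raw 20-byte SHA-1 digest (the profile chains raw octets, not hex)."""
    return hashlib.sha1(data).digest()


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Key derivation from WSS UsernameToken Profile 1.1, section 4.

    K1 = SHA1(password || Salt), Ki = SHA1(Ki-1), result is Kn (160 bits).
    The password contributes only its UTF-8 octets: no padding, no
    terminator, and it is hashed together with the salt in one SHA-1 call.
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    key = sha1_digest(password.encode("utf-8") + salt)  # K1
    for _ in range(iterations - 1):                      # K2 .. Kn
        key = sha1_digest(key)
    return key


def signature_mac(derived_key: bytes, signed_info: bytes) -> bytes:
    """MAC use: the full 160-bit derived key as an HMAC-SHA1 key."""
    return hmac.new(derived_key, signed_info, hashlib.sha1).digest()


def encryption_key(derived_key: bytes, key_len: int = 16) -> bytes:
    """Encryption use: truncate the derived key to the cipher's key size
    (16 octets shown here, the size of an AES-128 key)."""
    if not 1 <= key_len <= len(derived_key):
        raise ValueError("key length must be between 1 and 20 octets")
    return derived_key[:key_len]


# Constructed sample values (assumptions, not from any real exchange); in a
# real token the salt comes from its Salt element and the count from its
# Iteration element, and the receiver recomputes Kn from the same password.
SAMPLE_PASSWORD = "s3cret"
SAMPLE_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_ITERATIONS = 1000

if __name__ == "__main__":
    k = derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_ITERATIONS)
    print("derived key :", k.hex())
    print("HMAC-SHA1   :", signature_mac(k, b"<ds:SignedInfo/>").hex())
    print("AES-128 key :", encryption_key(k).hex())
```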

> -----Original Message-----
> From: Steve Shaw [mailto:steve@intelliware.ca]
> Sent: Tuesday, September 02, 2008 1:20 PM
> To: users@cxf.apache.org
> Subject: Re: WS-Security/UsernameToken signature with CXF
> 
> On Fri, 2008-08-29 at 15:58 -0700, Glen Mazza wrote:
> 
> > BTW, do you know of any web-available articles on signing with username
> > tokens?  I'd like to read up more on this so I can understand it better.
> 
> That's an excellent question. I wasn't able to scrape together a
> definitive resource, but here are some links that may be useful:
> 
> Some stuff from MSDN:
> http://msdn.microsoft.com/en-us/library/aa529558.aspx
> 
> Article discussing how to do it with .NET:
> http://www.codeproject.com/KB/XML/WSE30UsernameAssertion.aspx?display=Print
> 
> Code sample that I used to generate my client code:
> http://www.mail-archive.com/wss4j-dev@ws.apache.org/msg02035.html
> 
> Beyond that, I looked through some of the CXF and WSS4J code to try to
> determine what's going on.
> org.apache.ws.security.action.UsernameTokenSignedAction is the WSS4J
> class that does a lot of the gruntwork.
> 
> I'd be happy to hear if you find any more references to using this sort
> of digital signature.
> 
> -Steve
