> Is there not some exchange of the generated key between the client and STS? If the client signs (and encrypts) the request how does > the STS have the generated key to verify signature and decrypt? My original question suggested that it is exchanged by encrypting it > with the STS public key but not sure how it is signed in this exchange. Perhaps the exchange of the generated key isn't signed?
The client generates the Symmetric Key and then encrypts it with the public key of the STS. The request is signed + encrypted with the Symmetric Key. The STS decrypts the received symmetric key, and uses it to decrypt + verify the signature on the request. So, you are correct in stating that the symmetric key is not itself signed. Colm. On Sun, May 5, 2013 at 8:56 PM, Josh Hill <[email protected]> wrote: > Andrei, > > Yes I have the IssuedToken policy on the WSP (not shown). The below > policies are on my STS service. The question was in regards to connecting > to the STS service to have a token issued (or renewed, or validated). I > authenticate using the SignedEncryptedSupportingTokens UsernameToken. What > I'm trying to figure out is how the key generated by the client for > symmetric binding is exchanged with the STS service so that it can > sign/verify encrypt/decrypt messages with the client. > > > Colm, > > Is there not some exchange of the generated key between the client and > STS? If the client signs (and encrypts) the request how does the STS have > the generated key to verify signature and decrypt? My original question > suggested that it is exchanged by encrypting it with the STS public key but > not sure how it is signed in this exchange. Perhaps the exchange of the > generated key isn't signed? > > I appreciate your time. > > Josh > > > > > Josh Hill > Senior Java Developer > > > sovereign finance and banking software > > A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, > Auckland, New Zealand > D 64 9 571 6812 P 64 9 571 6800 F 64 9 571 6899 > E [email protected] W http://www.finzsoft.com > > Please note: This email contains information that is confidential and may > be privileged. If you are not the intended recipient, you must not peruse, > use, disseminate, distribute or copy this email or attachments. If you have > received this in error, please notify Finzsoft Solutions (New Zealand) Ltd > immediately by return email and delete this email. Thank you. > -----Original Message----- > > > From: Colm O hEigeartaigh [mailto:[email protected]] > > Sent: Saturday, 4 May 2013 12:36 a.m. > > To: [email protected] > > Subject: Re: SymmetricBinding key exchange and signing > > > > The Symmetric key that the client generates signs (and encrypts) the > request > > (SOAP Body). There is no need for a signing certificate as you are using > the > > Symmetric binding. Authentication is enforced via the UsernameToken > > SupportingToken. > > > > Colm. > > > > > > On Fri, May 3, 2013 at 4:25 AM, Josh Hill <[email protected]> > wrote: > > > > > My understanding is that the client generates the symmetric key (as > > > defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts it > > > using the STS's public key (configured on client using > > > "ws-security.encryption.properties\username"). When sending this > > > encrypted key to the STS what is it signed with? I haven't set the > > > "ws-security.signature.properties\username" on my client but the input > > > policy on the STS requires the sp:Body be signed. **** > > > > > > ** ** > > > > > > ...**** > > > > > > <entry key="ws-security.sts.client">**** > > > > > > <bean > > > class="org.apache.cxf.ws.security.trust.STSClient">* > > > *** > > > > > > <constructor-arg ref="cxf" />**** > > > > > > <property name="wsdlLocation" value=" > > > http://localhost:8080/STS?wsdl"; />**** > > > > > > <property name="serviceName" value="{ > > > http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService > > > " /> > > > **** > > > > > > <property name="endpointName" value="{ > > > http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port"; />**** > > > > > > <property name="properties">**** > > > > > > <map>**** > > > > > > <entry > > > key="ws-security.username" value="bob" />**** > > > > > > <entry > > > key="ws-security.callback-handler" value="ClientCallbackHandler" > > > />**** > > > > > > <entry > > > key="ws-security.encryption.properties" > > > value="clientKeystore.properties" /> > > > **** > > > > > > <entry > > > key="ws-security.encryption.username" value="stskey" />**** > > > > > > </map>**** > > > > > > </property>**** > > > > > > </bean>**** > > > > > > </entry>**** > > > > > > .**** > > > > > > ** ** > > > > > > <wsp:Policy wsu:Id="STS-UT-Policy">**** > > > > > > <wsp:ExactlyOne>**** > > > > > > <wsp:All>**** > > > > > > > > > <sp:SymmetricBinding>**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:ProtectionToken>**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:X509Token sp:IncludeToken=" > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken > > > /Never > > > ">**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:RequireDerivedKeys/>**** > > > > > > > > > <sp:RequireThumbprintReference/>**** > > > > > > > > > <sp:WssX509V3Token10/>**** > > > > > > > > > </wsp:Policy>**** > > > > > > > > > </sp:X509Token>**** > > > > > > > > > </wsp:Policy>**** > > > > > > > > > </sp:ProtectionToken>**** > > > > > > > > > <sp:AlgorithmSuite>**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:Basic256/>**** > > > > > > > > > </wsp:Policy>**** > > > > > > > > > </sp:AlgorithmSuite>**** > > > > > > > > > <sp:Layout>**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:Lax/>**** > > > > > > > > > </wsp:Policy>**** > > > > > > > > > </sp:Layout>**** > > > > > > > > > <sp:IncludeTimestamp/>**** > > > > > > > > > <sp:EncryptSignature/>**** > > > > > > > > > <sp:OnlySignEntireHeadersAndBody/>**** > > > > > > > > > </wsp:Policy>**** > > > > > > > > > </sp:SymmetricBinding>**** > > > > > > > > > <sp:SignedEncryptedSupportingTokens>**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:UsernameToken sp:IncludeToken=" > > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken > > > /AlwaysToRecipient > > > ">**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:HashPassword/>**** > > > > > > > > > <sp:WssUsernameToken10/>**** > > > > > > > > > </wsp:Policy>**** > > > > > > > > > </sp:UsernameToken>**** > > > > > > > > > </wsp:Policy>**** > > > > > > > > > </sp:SignedEncryptedSupportingTokens>**** > > > > > > <sp:Wss11>**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:MustSupportRefKeyIdentifier/>**** > > > > > > > > > <sp:MustSupportRefIssuerSerial/>**** > > > > > > > > > <sp:MustSupportRefThumbprint/>**** > > > > > > > > > <sp:MustSupportRefEncryptedKey/>**** > > > > > > > > > </wsp:Policy>**** > > > > > > </sp:Wss11>**** > > > > > > <sp:Trust13>**** > > > > > > > > > <wsp:Policy>**** > > > > > > > > > <sp:MustSupportIssuedTokens/>**** > > > > > > > > > <sp:RequireClientEntropy/>**** > > > > > > > > > <sp:RequireServerEntropy/>**** > > > > > > > > > </wsp:Policy>**** > > > > > > </sp:Trust13>**** > > > > > > </wsp:All>**** > > > > > > </wsp:ExactlyOne>**** > > > > > > </wsp:Policy>**** > > > > > > ** ** > > > > > > <wsp:Policy wsu:Id="STS-Input-Policy">**** > > > > > > <wsp:ExactlyOne>**** > > > > > > <wsp:All>**** > > > > > > <sp:SignedParts>**** > > > > > > > > > <sp:Body/> > > > **** > > > > > > </sp:SignedParts>**** > > > > > > > > > <sp:EncryptedParts>**** > > > > > > > > > <sp:Body/> > > > **** > > > > > > > > > </sp:EncryptedParts>**** > > > > > > </wsp:All>**** > > > > > > </wsp:ExactlyOne>**** > > > > > > </wsp:Policy>**** > > > > > > ** ** > > > > > > <wsp:Policy wsu:Id="STS-Output-Policy">**** > > > > > > <wsp:ExactlyOne>**** > > > > > > <wsp:All>**** > > > > > > <sp:SignedParts>**** > > > > > > > > > <sp:Body/> > > > **** > > > > > > </sp:SignedParts>**** > > > > > > > > > <sp:EncryptedParts>**** > > > > > > > > > <sp:Body/> > > > **** > > > > > > > > > </sp:EncryptedParts>**** > > > > > > </wsp:All>**** > > > > > > </wsp:ExactlyOne>**** > > > > > > </wsp:Policy>**** > > > > > > > > > > > > *Josh Hill* > > > Senior Java Developer > > > > > > > > > > > > [image: Finzsoft - Your Vision + Our Innovations] > > > > > > > > > > > > sovereign finance and banking software > > > > > > > > > > > > *A* Level 1, Building C, Millennium Centre, 602 Great South Road, > > > Greenlane, Auckland, New Zealand > > > *D* 64 9 571 6812 *P* 64 9 571 6800 *F* 64 9 571 6899 > > > *E* [email protected] *W* www.finzsoft.com > > > > > > > > > *Please note*: This email contains information that is > > > confidential and may be privileged. If you are not the intended > > > recipient, you must not peruse, use, disseminate, distribute or copy > this > > email or attachments. > > > If you have received this in error, please notify Finzsoft Solutions > > > (New > > > Zealand) Ltd immediately by return email and delete this email. Thank > you. > > > > > > > > > > > __________________________________________________________ > > ____________ > > > This email has been scanned by the Symantec Email Security.cloud > service. > > > > > __________________________________________________________ > > ____________ > > > > > > > > > > > -- > > Colm O hEigeartaigh > > > > Talend Community Coder > > http://coders.talend.com > > > > __________________________________________________________ > > ____________ > > This email has been scanned by the Symantec Email Security.cloud service. > > __________________________________________________________ > > ____________ > > ______________________________________________________________________ > This email has been scanned by the Symantec Email Security.cloud service. > ______________________________________________________________________ > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
