> The client generates the Symmetric Key and then encrypts it with the public > key of the STS. The request is signed + encrypted with the Symmetric Key. The > STS decrypts the received symmetric key, and uses it to decrypt + verify the > signature on the request. So, you are correct in stating that the symmetric > key > is not itself signed.
Thanks Colm. I appreciate your time. I plan on writing a detailed blog post covering the flow and logic behind what is happening between the WSC, WSP, and STS. Something others will hopefully find useful. I see the soap message sent from client to sts contains an xenc:EncryptedKey element which I assume is the client generated symmetric key encrypted using the sts public key. Below this element there are two wsc:DerivedKeyToken elements, these are derived from the symmetric key (once the sts decrypts it) correct? Following these derived key tokens there are two xenc:EncryptedData elements remaining in the header. I assume one of them is the SignedEncryptedSupportingTokens UsernameToken. What would the other be? The message signature encrypted (the sp:EncryptSignature element perhaps)? Josh From: Colm O hEigeartaigh [mailto:[email protected]] Sent: Tuesday, 7 May 2013 1:30 a.m. To: Josh Hill Cc: [email protected] Subject: Re: SymmetricBinding key exchange and signing > Is there not some exchange of the generated key between the client and STS? > If the client signs (and encrypts) the request how does > the STS have the generated key to verify signature and decrypt? My original > question suggested that it is exchanged by encrypting it > with the STS public key but not sure how it is signed in this exchange. > Perhaps the exchange of the generated key isn't signed? The client generates the Symmetric Key and then encrypts it with the public key of the STS. The request is signed + encrypted with the Symmetric Key. The STS decrypts the received symmetric key, and uses it to decrypt + verify the signature on the request. So, you are correct in stating that the symmetric key is not itself signed. Colm. On Sun, May 5, 2013 at 8:56 PM, Josh Hill <[email protected]> wrote: Andrei, Yes I have the IssuedToken policy on the WSP (not shown). The below policies are on my STS service. The question was in regards to connecting to the STS service to have a token issued (or renewed, or validated). I authenticate using the SignedEncryptedSupportingTokens UsernameToken. What I'm trying to figure out is how the key generated by the client for symmetric binding is exchanged with the STS service so that it can sign/verify encrypt/decrypt messages with the client. Colm, Is there not some exchange of the generated key between the client and STS? If the client signs (and encrypts) the request how does the STS have the generated key to verify signature and decrypt? My original question suggested that it is exchanged by encrypting it with the STS public key but not sure how it is signed in this exchange. Perhaps the exchange of the generated key isn't signed? I appreciate your time. Josh > Josh Hill Senior Java Developer sovereign finance and banking software A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, Auckland, New Zealand D 64 9 571 6812 P 64 9 571 6800 F 64 9 571 6899 E [email protected] W http://www.finzsoft.com Please note: This email contains information that is confidential and may be privileged. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this email or attachments. If you have received this in error, please notify Finzsoft Solutions (New Zealand) Ltd immediately by return email and delete this email. Thank you. Josh Hill Senior Java Developer sovereign finance and banking software A Level 1, Building C, Millennium Centre, 602 Great South Road, Greenlane, Auckland, New Zealand D 64 9 571 6812 P 64 9 571 6800 F 64 9 571 6899 E [email protected] W http://www.finzsoft.com Please note: This email contains information that is confidential and may be privileged. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this email or attachments. If you have received this in error, please notify Finzsoft Solutions (New Zealand) Ltd immediately by return email and delete this email. Thank you. -----Original Message----- > From: Colm O hEigeartaigh [mailto:[email protected]] > Sent: Saturday, 4 May 2013 12:36 a.m. > To: [email protected] > Subject: Re: SymmetricBinding key exchange and signing > > The Symmetric key that the client generates signs (and encrypts) the request > (SOAP Body). There is no need for a signing certificate as you are using the > Symmetric binding. Authentication is enforced via the UsernameToken > SupportingToken. > > Colm. > > > On Fri, May 3, 2013 at 4:25 AM, Josh Hill <[email protected]> wrote: > > > My understanding is that the client generates the symmetric key (as > > defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts it > > using the STS's public key (configured on client using > > "ws-security.encryption.properties\username"). When sending this > > encrypted key to the STS what is it signed with? I haven't set the > > "ws-security.signature.properties\username" on my client but the input > > policy on the STS requires the sp:Body be signed. **** > > > > ** ** > > > > ...**** > > > > <entry key="ws-security.sts.client">**** > > > > <bean > > class="org.apache.cxf.ws.security.trust.STSClient">* > > *** > > > > <constructor-arg ref="cxf" />**** > > > > <property name="wsdlLocation" value=" > > http://localhost:8080/STS?wsdl"; />**** > > > > <property name="serviceName" value="{ > > http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService > > " /> > > **** > > > > <property name="endpointName" value="{ > > http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port"; />**** > > > > <property name="properties">**** > > > > <map>**** > > > > <entry > > key="ws-security.username" value="bob" />**** > > > > <entry > > key="ws-security.callback-handler" value="ClientCallbackHandler" > > />**** > > > > <entry > > key="ws-security.encryption.properties" > > value="clientKeystore.properties" /> > > **** > > > > <entry > > key="ws-security.encryption.username" value="stskey" />**** > > > > </map>**** > > > > </property>**** > > > > </bean>**** > > > > </entry>**** > > > > .**** > > > > ** ** > > > > <wsp:Policy wsu:Id="STS-UT-Policy">**** > > > > <wsp:ExactlyOne>**** > > > > <wsp:All>**** > > > > > > <sp:SymmetricBinding>**** > > > > > > <wsp:Policy>**** > > > > > > <sp:ProtectionToken>**** > > > > > > <wsp:Policy>**** > > > > > > <sp:X509Token sp:IncludeToken=" > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken > > /Never > > ">**** > > > > > > <wsp:Policy>**** > > > > > > <sp:RequireDerivedKeys/>**** > > > > > > <sp:RequireThumbprintReference/>**** > > > > > > <sp:WssX509V3Token10/>**** > > > > > > </wsp:Policy>**** > > > > > > </sp:X509Token>**** > > > > > > </wsp:Policy>**** > > > > > > </sp:ProtectionToken>**** > > > > > > <sp:AlgorithmSuite>**** > > > > > > <wsp:Policy>**** > > > > > > <sp:Basic256/>**** > > > > > > </wsp:Policy>**** > > > > > > </sp:AlgorithmSuite>**** > > > > > > <sp:Layout>**** > > > > > > <wsp:Policy>**** > > > > > > <sp:Lax/>**** > > > > > > </wsp:Policy>**** > > > > > > </sp:Layout>**** > > > > > > <sp:IncludeTimestamp/>**** > > > > > > <sp:EncryptSignature/>**** > > > > > > <sp:OnlySignEntireHeadersAndBody/>**** > > > > > > </wsp:Policy>**** > > > > > > </sp:SymmetricBinding>**** > > > > > > <sp:SignedEncryptedSupportingTokens>**** > > > > > > <wsp:Policy>**** > > > > > > <sp:UsernameToken sp:IncludeToken=" > > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken > > /AlwaysToRecipient > > ">**** > > > > > > <wsp:Policy>**** > > > > > > <sp:HashPassword/>**** > > > > > > <sp:WssUsernameToken10/>**** > > > > > > </wsp:Policy>**** > > > > > > </sp:UsernameToken>**** > > > > > > </wsp:Policy>**** > > > > > > </sp:SignedEncryptedSupportingTokens>**** > > > > <sp:Wss11>**** > > > > > > <wsp:Policy>**** > > > > > > <sp:MustSupportRefKeyIdentifier/>**** > > > > > > <sp:MustSupportRefIssuerSerial/>**** > > > > > > <sp:MustSupportRefThumbprint/>**** > > > > > > <sp:MustSupportRefEncryptedKey/>**** > > > > > > </wsp:Policy>**** > > > > </sp:Wss11>**** > > > > <sp:Trust13>**** > > > > > > <wsp:Policy>**** > > > > > > <sp:MustSupportIssuedTokens/>**** > > > > > > <sp:RequireClientEntropy/>**** > > > > > > <sp:RequireServerEntropy/>**** > > > > > > </wsp:Policy>**** > > > > </sp:Trust13>**** > > > > </wsp:All>**** > > > > </wsp:ExactlyOne>**** > > > > </wsp:Policy>**** > > > > ** ** > > > > <wsp:Policy wsu:Id="STS-Input-Policy">**** > > > > <wsp:ExactlyOne>**** > > > > <wsp:All>**** > > > > <sp:SignedParts>**** > > > > > > <sp:Body/> > > **** > > > > </sp:SignedParts>**** > > > > > > <sp:EncryptedParts>**** > > > > > > <sp:Body/> > > **** > > > > > > </sp:EncryptedParts>**** > > > > </wsp:All>**** > > > > </wsp:ExactlyOne>**** > > > > </wsp:Policy>**** > > > > ** ** > > > > <wsp:Policy wsu:Id="STS-Output-Policy">**** > > > > <wsp:ExactlyOne>**** > > > > <wsp:All>**** > > > > <sp:SignedParts>**** > > > > > > <sp:Body/> > > **** > > > > </sp:SignedParts>**** > > > > > > <sp:EncryptedParts>**** > > > > > > <sp:Body/> > > **** > > > > > > </sp:EncryptedParts>**** > > > > </wsp:All>**** > > > > </wsp:ExactlyOne>**** > > > > </wsp:Policy>**** > > > > > > > > *Josh Hill* > > Senior Java Developer > > > > > > > > [image: Finzsoft - Your Vision + Our Innovations] > > > > > > > > sovereign finance and banking software > > > > > > > > *A* Level 1, Building C, Millennium Centre, 602 Great South Road, > > Greenlane, Auckland, New Zealand > > *D* 64 9 571 6812 *P* 64 9 571 6800 *F* 64 9 571 6899 > > *E* [email protected] *W* www.finzsoft.com > > > > > > *Please note*: This email contains information that is > > confidential and may be privileged. If you are not the intended > > recipient, you must not peruse, use, disseminate, distribute or copy this > email or attachments. > > If you have received this in error, please notify Finzsoft Solutions > > (New > > Zealand) Ltd immediately by return email and delete this email. Thank you. > > > > > > > __________________________________________________________ > ____________ > > This email has been scanned by the Symantec Email Security.cloud service. > > > __________________________________________________________ > ____________ > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > > __________________________________________________________ > ____________ > This email has been scanned by the Symantec Email Security.cloud service. > __________________________________________________________ > ____________ ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. ______________________________________________________________________ -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. ______________________________________________________________________ ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. ______________________________________________________________________
