*Hello,*

Definitions:

Asymmetric cryptography: a form of cryptography in which a user has a pair of cryptographic keys (a *public key* and a *private key*).

Symmetric cryptography: a form of cryptography in which many users share a secret key (a *single key*).

*WSS4J works as follows for encryption*: WSS4J generates a random session key (*single key*) for every new "session" (SOAP message) and encrypts the data using the *single key*. The server's *public key* (usually contained in an X.509 certificate) encrypts the *session key*, which is packed into the relevant SOAP header structure.

Is this correct?

Which is the default *symmetric* algorithm to encrypt the SOAP body data in WSS4J? Is it aes128-cbc?

Which is the default *asymmetric* algorithm to encrypt the symmetric key (*single key*) in WSS4J? Is it RSA?

*WSS4J works as follows for signing*: The client uses its *private key* to sign the SOAP body. The server uses the client's public key to check the signature of the SOAP body content using a cryptographic hash function. The client's public key is usually contained in a certificate signed by a Certificate Authority (such as Verisign).

Is this correct?

Which is the default hash algorithm to sign the SOAP body data in WSS4J? Is it SHA-1?

Thank you in advance for your comments.

Jose Ferreiro
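To make the hybrid scheme the question describes concrete, the following is an added example in Go (not WSS4J code, and not part of the original post): a fresh AES-128-CBC session key encrypts the body, RSA-OAEP wraps that key for the recipient, and an RSA-SHA1 signature made with the sender's private key covers the plaintext body. The `Envelope` type, `Seal`, `Open` and the padding rule are assumptions of this example, not WSS4J's API or its defaults.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)

// Envelope (assumed structure for this example) carries what the question describes:
// the body under a fresh AES-128-CBC session key, that key wrapped with the recipient's
// RSA public key (the EncryptedKey idea), and an RSA-SHA1 signature over the plaintext
// body made with the sender's private key.
type Envelope struct{ WrappedKey, IV, Body, Signature []byte }

func digest(b []byte) []byte { d := sha1.Sum(b); return d[:] }

// Seal is the sender side: random single-use key -> encrypt body -> wrap key -> sign body.
func Seal(body []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32) // 16-byte AES-128 key followed by a 16-byte IV, fresh per message
	if _, err := rand.Read(buf); err != nil { return nil, err }
	key, iv := buf[:16], buf[16:]
	n := aes.BlockSize - len(body)%aes.BlockSize // CBC padding: the last byte holds the pad length
	ct := append(append([]byte{}, body...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, recipient, key, nil)
	if err != nil { return nil, err }
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA1, digest(body))
	if err != nil { return nil, err }
	return &Envelope{wrapped, iv, ct, sig}, nil
}

// Open is the receiver side: unwrap the session key, decrypt, strip padding, then verify
// the signature. Any failure rejects the message, so a tampered body never reaches the caller.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil { return nil, err }
	if len(env.IV) != aes.BlockSize || len(env.Body) == 0 || len(env.Body)%aes.BlockSize != 0 { return nil, errors.New("bad ciphertext length") }
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(env.Body))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Body)
	n := int(pt[len(pt)-1]) // pad length; XML Encryption leaves the other pad bytes unchecked
	if n == 0 || n > aes.BlockSize { return nil, errors.New("bad padding") }
	body := pt[:len(pt)-n]
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA1, digest(body), env.Signature); err != nil { return nil, err }
	return body, nil
}
```

Note that the signature here covers the plaintext, so the receiver must decrypt before verifying, which is the order the question's two descriptions imply when both are applied to one message.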
