We have got a Web Service that needs to be secured. The choice has been made to use WSIT-security, in particular the mechanism also known as:
"Username Authentication with Symmetric Keys".
What is/are the correct statement(s)?
Supplied correct answers:
- The WSIT client-side configuration file will contain the following policy:
  <wsp:Policy wsu:Id="WebServicePortBindingPolicy">
    <wsp:ExactlyOne>
      <sc:CallbackHandler default="wsitUser" name="usernameHandler"/>
      <sc:CallbackHandler default="changeit" name="passwordHandler"/>
      <sc:TrustStore wspp:visibility="private" peeralias="xws-security-server" storepass="changeit" type="JKS" location="C:\glassfish-4.0\glassfish\domains\domain1\config\cacerts.jks"/>
- This WSIT-mechanism protects the Web Service for 'integrity' and 'confidentiality'.
I was thinking that Username/Password is for 'authentication', and that the symmetric key is for encryption/'confidentiality', but how does 'integrity' come in?
Integrity & Non-repudiation - signing of SOAP messages
Confidentiality - encrypting of SOAP messages
From the WSIT tutorial:
Username Authentication with Symmetric Keys
The Username Authentication with Symmetric Keys mechanism protects your application for integrity and confidentiality. Symmetric key cryptography relies on a single, shared secret key that is used to both sign and encrypt a message. Symmetric keys are usually faster than public key cryptography.
For this mechanism, the client does not possess any certificate/key of his own, but instead sends its username/password for authentication. The client shares a secret key with the server. The shared, symmetric key is generated at runtime and encrypted using the service’s certificate. The client must specify the alias in the truststore by identifying the server’s certificate alias.
Regards,
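As an added illustration (not from this thread and not WSIT project code) of where integrity comes from when the client owns no key of its own: the client generates a symmetric key at runtime, wraps it for the service's certificate key, and protects the body under that key, so the server rejects any altered message. This Go example uses RSA-OAEP for the key transport and AES-GCM in place of WS-Security's separate XML Signature and XML Encryption; the generated RSA key pair stands in for the service's certificate, and the SOAP body in the test is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Protected stands in for a secured SOAP message: the runtime key wrapped
// under the service's certificate key, and the body sealed under that key.
type Protected struct {
	WrappedKey, Nonce, Sealed []byte
}

// NewServiceKeyPair stands in for the key pair behind the service's certificate.
func NewServiceKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM: one 256-bit shared key, one authenticated cipher, both properties.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block: cannot fail
	return aead
}

// Protect (client side): runtime key, wrapped for the server's public key
// (the certificate named by the truststore alias), body sealed under it.
func Protect(serverPub *rsa.PublicKey, body []byte) (*Protected, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)   // crypto/rand never returns an error on current Go
	rand.Read(nonce) // fresh per message; never reuse a nonce under one key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Protected{wrapped, nonce, newGCM(key).Seal(nil, nonce, body, nil)}, nil
}

// Unprotect (server side): unwrap the key, then open the body; any altered
// byte makes Open fail, and that failure is the integrity check.
func Unprotect(serverPriv *rsa.PrivateKey, p *Protected) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, p.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 || len(p.Nonce) != 12 {
		return nil, rsa.ErrDecryption // malformed key transport or nonce
	}
	return newGCM(key).Open(nil, p.Nonce, p.Sealed, nil)
}
```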