About Question enthuware.ocejws.v6.2.328 :


austinor
Posts: 41
Joined: Mon Oct 27, 2014 11:35 pm

About Question enthuware.ocejws.v6.2.328 :

Post by austinor »

The question is:
We have got a Web Service that needs to be secured. The choice has been made to use WSIT-security, in particular the mechanism also known as:
"Username Authentication with Symmetric Keys".

What is/are the correct statement(s)?

Supplied correct answers:

- The WSIT client-side configuration file will contain the following policy:

<wsp:Policy wsu:Id="WebServicePortBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sc:CallbackHandlerConfiguration wspp:visibility="private">
        <sc:CallbackHandler default="wsitUser" name="usernameHandler"/>
        <sc:CallbackHandler default="changeit" name="passwordHandler"/>
      </sc:CallbackHandlerConfiguration>
      <sc:TrustStore wspp:visibility="private" peeralias="xws-security-server" storepass="changeit" type="JKS" location="C:\glassfish-4.0\glassfish\domains\domain1\config\cacerts.jks"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

- This WSIT-mechanism protects the Web Service for 'integrity' and 'confidentiality'.
I was thinking that Username/Password is for 'authentication', and that the symmetric key is for encryption/'confidentiality', but how does 'integrity' come in?

austinor
Posts: 41
Joined: Mon Oct 27, 2014 11:35 pm

Re: About Question enthuware.ocejws.v6.2.328 :

Post by austinor »

My idea was that any of the signature techniques satisfies 'integrity'.

austinor
Posts: 41
Joined: Mon Oct 27, 2014 11:35 pm

Re: About Question enthuware.ocejws.v6.2.328 :

Post by austinor »

... but how does 'integrity' come in?

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.328 :

Post by fjwalraven »

Key points to remember:

Integrity & Non-repudiation - signing of SOAP messages
Confidentiality - encrypting of SOAP messages

From the WSIT-tutorial:
Username Authentication with Symmetric Keys
The Username Authentication with Symmetric Keys mechanism protects your
application for integrity and confidentiality. Symmetric key cryptography relies
on a single, shared secret key that is used to both sign and encrypt a message.
Symmetric keys are usually faster than public key cryptography.
For this mechanism, the client does not possess any certificate/key of his own,
but instead sends its username/password for authentication. The client shares a
secret key with the server. The shared, symmetric key is generated at runtime
and encrypted using the service’s certificate. The client must specify the alias in
the truststore by identifying the server’s certificate alias.
Regards,
Frits
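
The mechanism quoted above, reduced to its cryptographic steps, as an added example in Go; this is not WSIT's code and not part of this thread. It assumes nothing beyond the Go standard library: the functions clientProtect, serverUnprotect and RoundTrip, the ProtectedMessage struct, the choice of AES-256-CTR plus HMAC-SHA256 (in encrypt-then-MAC order) in place of the XML Encryption and XML Signature algorithms WSIT negotiates, the RSA key that stands in for the service's keystore entry, and the sample SOAP body are all the example's own. The username "wsitUser" and password "changeit" come from the policy posted in the question. The point it shows is the one in Frits's list: a CTR-mode ciphertext can be flipped without the decryptor noticing, so confidentiality alone does not give integrity; the signature computed with the same shared symmetric key is what rejects the tampered message.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ProtectedMessage is a constructed stand-in for the WS-Security header parts the
// mechanism produces; the field names are illustrative, not WSIT's XML elements.
type ProtectedMessage struct {
	Username   string // UsernameToken: client credentials sent for authentication
	Password   string
	WrappedKey []byte // EncryptedKey: runtime symmetric key, RSA-OAEP encrypted to the service certificate
	IV         []byte // AES-CTR initialisation vector
	Ciphertext []byte // EncryptedData: SOAP body encrypted with the symmetric key (confidentiality)
	Signature  []byte // Signature: HMAC-SHA256 over IV||Ciphertext with the same key (integrity)
}

// sign computes the HMAC "signature" over IV||ciphertext with the shared key.
func sign(key, iv, ct []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(nil)
}

// clientProtect is the client side: generate a fresh symmetric key at runtime,
// wrap it under the server certificate's public key, then encrypt and sign with it.
func clientProtect(serverPub *rsa.PublicKey, user, pass string, body []byte) (*ProtectedMessage, error) {
	key := make([]byte, 32) // AES-256 / HMAC key, new for every message
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(body))
	cipher.NewCTR(block, iv).XORKeyStream(ct, body) // CTR alone provides no integrity
	return &ProtectedMessage{Username: user, Password: pass, WrappedKey: wrapped,
		IV: iv, Ciphertext: ct, Signature: sign(key, iv, ct)}, nil
}

// serverUnprotect is the service side: unwrap the key with the private key, verify
// the signature before decrypting anything, then check the username token.
func serverUnprotect(priv *rsa.PrivateKey, msg *ProtectedMessage, wantUser, wantPass string) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap symmetric key")
	}
	if !hmac.Equal(sign(key, msg.IV, msg.Ciphertext), msg.Signature) {
		return nil, errors.New("integrity check failed: signature does not match")
	}
	userOK := subtle.ConstantTimeCompare([]byte(msg.Username), []byte(wantUser)) == 1
	passOK := subtle.ConstantTimeCompare([]byte(msg.Password), []byte(wantPass)) == 1
	if !userOK || !passOK {
		return nil, errors.New("authentication failed: bad username token")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	body := make([]byte, len(msg.Ciphertext))
	cipher.NewCTR(block, msg.IV).XORKeyStream(body, msg.Ciphertext)
	return body, nil
}

// RoundTrip runs one exchange and reports the recovered body and whether a copy
// with one flipped ciphertext bit is rejected by the signature check.
func RoundTrip() (string, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the service's keystore entry
	if err != nil {
		return "", false, err
	}
	body := []byte(`<soap:Body><getBalance account="42"/></soap:Body>`) // constructed sample body
	msg, err := clientProtect(&priv.PublicKey, "wsitUser", "changeit", body)
	if err != nil {
		return "", false, err
	}
	plain, err := serverUnprotect(priv, msg, "wsitUser", "changeit")
	if err != nil {
		return "", false, err
	}
	tampered := *msg
	tampered.Ciphertext = append([]byte(nil), msg.Ciphertext...)
	tampered.Ciphertext[len(tampered.Ciphertext)-3] ^= 0x01 // would silently change the decrypted body
	_, tamperErr := serverUnprotect(priv, &tampered, "wsitUser", "changeit")
	return string(plain), tamperErr != nil, nil
}

func main() {
	plain, rejected, err := RoundTrip()
	fmt.Println(plain, rejected, err)
}
```

Verifying the signature before decrypting is deliberate: it means a forged or modified message is dropped before any plaintext is produced, which is the practical reason the "integrity" property matters even when the body is already encrypted.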

javabean68
Posts: 31
Joined: Wed Mar 16, 2016 8:38 am

Re: About Question enthuware.ocejws.v6.2.328 :

Post by javabean68 »

Hello Frits,

Why is the last statement wrong? A symmetric key does mean that the key is used to both sign and encrypt a message.

Thank you in advance!
Regards
Fabio

fjwalraven
Posts: 429
Joined: Tue Jul 24, 2012 2:43 am

Re: About Question enthuware.ocejws.v6.2.328 :

Post by fjwalraven »

Hi Fabio,

You are right, the last answer is correct!

Thanks for your feedback,

Frits
