I was thinking that Username/Password is for 'authentication', and that the symmetric key is for encryption/'confidentiality', but how does 'integrity' come in?
We have got a Web Service that needs to be secured. The choice has been made to use WSIT-security, in particular the mechanism also known as:
"Username Authentication with Symmetric Keys".
What is/are the correct statement(s)?
Supplied correct answers:
- The WSIT client-side configuration file will contain the following policy:
<wsp:Policy wsu:Id="WebServicePortBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sc:CallbackHandlerConfiguration wspp:visibility="private">
        <sc:CallbackHandler default="wsitUser" name="usernameHandler"/>
        <sc:CallbackHandler default="changeit" name="passwordHandler"/>
      </sc:CallbackHandlerConfiguration>
      <sc:TrustStore wspp:visibility="private" peeralias="xws-security-server" storepass="changeit" type="JKS" location="C:\glassfish-4.0\glassfish\domains\domain1\config\cacerts.jks"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
- This WSIT-mechanism protects the Web Service for 'integrity' and 'confidentiality'.
About Question enthuware.ocejws.v6.2.328 :
Moderators: Site Manager, fjwalraven
-
- Posts: 41
- Joined: Mon Oct 27, 2014 11:35 pm
- Contact:
About Question enthuware.ocejws.v6.2.328 :
The question is:
-
- Posts: 41
- Joined: Mon Oct 27, 2014 11:35 pm
- Contact:
Re: About Question enthuware.ocejws.v6.2.328 :
My idea was that any of the signature techniques satisfies 'integrity'.
-
- Posts: 41
- Joined: Mon Oct 27, 2014 11:35 pm
- Contact:
Re: About Question enthuware.ocejws.v6.2.328 :
... but how does 'integrity' come in?
-
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
- Contact:
Re: About Question enthuware.ocejws.v6.2.328 :
Key points to remember:
Integrity & Non-repudiation - signing of SOAP messages
Confidentiality - encrypting of SOAP messages
From the WSIT-tutorial:
Username Authentication with Symmetric Keys
The Username Authentication with Symmetric Keys mechanism protects your
application for integrity and confidentiality. Symmetric key cryptography relies
on a single, shared secret key that is used to both sign and encrypt a message.
Symmetric keys are usually faster than public key cryptography.
For this mechanism, the client does not possess any certificate/key of his own,
but instead sends its username/password for authentication. The client shares a
secret key with the server. The shared, symmetric key is generated at runtime
and encrypted using the service’s certificate. The client must specify the alias in
the truststore by identifying the server’s certificate alias.
Regards,
Frits
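How the one runtime-generated key from the tutorial passage above yields both integrity and confidentiality, as an added sketch that is not part of the thread or of WSIT itself. Plain JCA calls stand in for WS-Security's XML Signature and XML Encryption; the class name, the in-process RSA key pair (used in place of the service certificate), the algorithm choices and the sample message are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SymmetricKeySketch {
    // Algorithms are assumptions for this sketch, not values read from a WSIT policy.
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", ENC = "AES/CBC/PKCS5Padding";

    // "Sign" with the shared key: a keyed MAC over the plaintext body.
    static byte[] hmac(SecretKey k, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(k.getEncoded(), "HmacSHA256"));
        return mac.doFinal(data);
    }
    // Service side: unwrap the key with the private key, decrypt, then verify the signature.
    static String open(PrivateKey priv, byte[] wrapped, byte[] iv, byte[] ct, byte[] sig)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.UNWRAP_MODE, priv);
        SecretKey k = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance(ENC);
        aes.init(Cipher.DECRYPT_MODE, k, new IvParameterSpec(iv));
        byte[] body = aes.doFinal(ct);
        if (!MessageDigest.isEqual(hmac(k, body), sig)) throw new SignatureException("integrity check failed");
        return new String(body, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair service = kpg.generateKeyPair();  // stand-in for the service certificate's key pair
        // Client side: no certificate of its own, only a key generated at runtime.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey shared = kg.generateKey();
        byte[] body = "<pay user=\"wsitUser\"><amount>10</amount></pay>".getBytes(StandardCharsets.UTF_8); // constructed sample
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.WRAP_MODE, service.getPublic());
        byte[] wrapped = rsa.wrap(shared);        // only the service can recover the key
        byte[] sig = hmac(shared, body);          // signing -> integrity
        Cipher aes = Cipher.getInstance(ENC);
        aes.init(Cipher.ENCRYPT_MODE, shared);    // provider picks a random IV
        byte[] ct = aes.doFinal(body);            // encrypting -> confidentiality
        byte[] iv = aes.getIV();
        System.out.println("intact:   " + open(service.getPrivate(), wrapped, iv, ct, sig));
        iv[0] ^= 0x01;                            // one bit altered in transit still decrypts cleanly
        try { open(service.getPrivate(), wrapped, iv, ct, sig); }
        catch (SignatureException e) { System.out.println("tampered: " + e.getMessage()); }
    }
}
```

The altered message decrypts without error, so encryption alone would not have revealed the change; it is the signature check with the same shared key that rejects it.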
-
- Posts: 31
- Joined: Wed Mar 16, 2016 8:38 am
- Contact:
Re: About Question enthuware.ocejws.v6.2.328 :
Hello Frits,
Why is the last statement wrong? Symmetric key does mean that the key is used to both sign and encrypt a message.
Thank you in advance!
Regards
Fabio
-
- Posts: 429
- Joined: Tue Jul 24, 2012 2:43 am
- Contact:
Re: About Question enthuware.ocejws.v6.2.328 :
Hi Fabio,
You are right, the last answer is correct!
Thanks for your feedback,
Frits