wss-comment message
Subject: Re: [wss-comment] Password Digest



Jerry Schwarz said:

"Put the password in clear into the UsernameToken and then encrypt the UsernameToken. And no, WS-Security doesn't tell you how to distribute the public key to all the clients."

Though it is not a standard, http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwebsrv/html/wssecdrill.asp contains a bunch of examples, including the following which demonstrates how to encrypt a plaintext UsernameToken:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="..." xmlns:wsu="..." xmlns:wsse="...">
  <soap:Header>
    ...
    <wsse:Security soap:mustUnderstand="1">
      <xenc:EncryptedKey xmlns:xenc="...">
        <xenc:EncryptionMethod
         Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="wsse:X509v3">
              PTBv8366Lp0xwHT5nQYl3dhxcMQ=
            </wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>
            QKuraT1kaXZAtExp...9G+CuAnngPr4ZUcI=
          </xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncryptedContent-a0bf2920" />
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <wsse:UsernameToken xmlns:wsu="..." wsu:Id="SecurityToken-d119b99b">
        <xenc:EncryptedData Id="EncryptedContent-a0bf2920"
         Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="...">
          <xenc:EncryptionMethod
           Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
          <xenc:CipherData>
            <xenc:CipherValue>
              oojjtSa1iRsVon...8SiDFQYTRCEXHreJau
            </xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <AddEntry xmlns="http://weblogs.contoso.com/wse/samples/2003/07">
      <entry>
        <title>Saw Terminator III last night</title>
        <author>Joe Blow</author>
        <issued>2003-07-16T18:05:32.8774608-05:00</issued>
        <content>The special effects were over the top.</content>
      </entry>
    </AddEntry>
  </soap:Body>
</soap:Envelope>

Frank


--

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
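The envelope in Frank's message pairs an xenc:EncryptedKey (session key wrapped with RSA-1.5 to the recipient's X.509 certificate, identified by a wsse:KeyIdentifier) with an xenc:EncryptedData inside the UsernameToken (3DES-CBC over the token's content, linked by a DataReference URI). The Python below is an added illustration, not code from the list message or from the MSDN sample it cites: it parses such an envelope with the standard library and performs the checks a receiver should make before attempting decryption: that every DataReference resolves to an EncryptedData, that the encrypted content really is the UsernameToken, that no EncryptedData is left unreferenced, and that the algorithms are ones current policy still accepts. It assumes the OASIS WSS 1.0 namespace URIs (the 2003 example above elides its namespaces as "..."); the sample envelope and its cipher values are constructed placeholders.

```python
"""Audit the EncryptedKey / EncryptedData pairing that protects a
plaintext UsernameToken in a WS-Security header (stdlib only)."""
import xml.etree.ElementTree as ET

# Namespaces assumed here: OASIS WSS 1.0, XML Encryption, XML Signature, SOAP 1.1.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
URI_TO_PREFIX = {uri: prefix for prefix, uri in NS.items()}

# Algorithms a receiver policy should refuse today (XML Encryption 1.1 lists
# rsa-1_5 and tripledes-cbc as legacy); both appear in the 2003 sample.
LEGACY_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSA PKCS#1 v1.5 key transport",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "3DES-CBC content encryption",
}

# Constructed sample modelled on the message above; cipher values are placeholders.
SAMPLE_ENVELOPE = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <xenc:EncryptedKey xmlns:xenc="{NS['xenc']}">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="{NS['ds']}">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="wsse:X509v3">PTBv8366Lp0xwHT5nQYl3dhxcMQ=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </KeyInfo>
        <xenc:CipherData><xenc:CipherValue>QUFBQUFB</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncryptedContent-a0bf2920"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <wsse:UsernameToken wsu:Id="SecurityToken-d119b99b">
        <xenc:EncryptedData Id="EncryptedContent-a0bf2920"
            Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="{NS['xenc']}">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <xenc:CipherData><xenc:CipherValue>QkJCQkJC</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><Ping xmlns="urn:example">hi</Ping></soap:Body>
</soap:Envelope>"""


def _qname(tag: str) -> str:
    """Turn ElementTree's '{uri}local' into 'prefix:local' for reporting."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return f"{URI_TO_PREFIX.get(uri, uri)}:{local}"
    return tag


def audit_encrypted_token(envelope_xml: str) -> dict:
    """Report key-transport algorithm, key identifier, per-reference results and
    policy warnings for the first EncryptedKey in the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header present")
    ek = security.find("xenc:EncryptedKey", NS)
    if ek is None:
        raise ValueError("Security header carries no xenc:EncryptedKey")

    parent_of = {child: parent for parent in root.iter() for child in parent}
    encrypted_by_id = {
        ed.get("Id"): ed for ed in security.iter(f"{{{NS['xenc']}}}EncryptedData")
    }

    key_alg = ek.find("xenc:EncryptionMethod", NS).get("Algorithm")
    key_ident = ek.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    warnings = []
    if key_alg in LEGACY_ALGORITHMS:
        warnings.append(f"legacy key transport: {LEGACY_ALGORITHMS[key_alg]}")

    references = []
    for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
        uri = ref.get("URI", "")
        target = encrypted_by_id.get(uri[1:]) if uri.startswith("#") else None
        entry = {"uri": uri, "resolved": target is not None}
        if target is None:
            warnings.append(f"DataReference {uri!r} points at no EncryptedData")
        else:
            data_alg = target.find("xenc:EncryptionMethod", NS).get("Algorithm")
            entry["data_algorithm"] = data_alg
            entry["type"] = target.get("Type")
            entry["covers"] = _qname(parent_of[target].tag)  # element whose content is encrypted
            if data_alg in LEGACY_ALGORITHMS:
                warnings.append(f"legacy content cipher: {LEGACY_ALGORITHMS[data_alg]}")
            if entry["covers"] != "wsse:UsernameToken":
                warnings.append(f"{uri} does not encrypt a UsernameToken")
        references.append(entry)

    # An EncryptedData that no EncryptedKey references cannot be decrypted: flag it.
    referenced = {r["uri"][1:] for r in references if r["resolved"]}
    for orphan in sorted(set(encrypted_by_id) - referenced):
        warnings.append(f"EncryptedData {orphan!r} is not referenced by the EncryptedKey")

    return {
        "key_transport": key_alg,
        "key_identifier": (key_ident.text or "").strip() if key_ident is not None else None,
        "key_identifier_type": key_ident.get("ValueType") if key_ident is not None else None,
        "references": references,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for line in audit_encrypted_token(SAMPLE_ENVELOPE)["warnings"]:
        print("WARN:", line)
```

Run against the sample, the audit resolves the single DataReference to the EncryptedData inside wsse:UsernameToken and reports two warnings, one for rsa-1_5 and one for tripledes-cbc; a sender using the same envelope shape with rsa-oaep-mgf1p and aes128-cbc (or better) produces none. Breaking the URI in the ReferenceList produces both an unresolved-reference warning and an orphaned-EncryptedData warning, which is the failure a receiver would otherwise only discover as a decryption error.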



