Subject: [wss] Add XML Encryption to wsse:Username token



Authentication using username/password is supported by almost all systems. To support these systems, the core specification includes the Username token for authentication. The token is supported in two variants based on text transmission (wsse:PasswordText) or digested transmission of the password (wsse:PasswordDigest).
To enhance the security of the digested password (especially against replay attacks), a nonce and a date are additionally digested (password digest = SHA1(nonce+created+password)).
It should be noted that such an approach may only be used for systems where the plain text password is known.
Many systems only store the hashed value of the password and thus cannot use digested passwords. To improve the security for password authentication, I'd like to propose the following:
WSS supports the use of XML Encryption. Using XML Encryption, the wss:UsernameToken may be encrypted by the sending party. Before processing the SOAP message, the encrypted parts must be decrypted. To prevent replay attacks, the wsu:created element should be added to the wsse:UsernameToken and systems should not accept passwords older than a certain time. Using this approach, passwords can be sent in a secure way without relying on a secure channel.

My proposal is to change the document in the following way:
(Line numbers taken from draft 5)

After Line 479: add the following:

If the digest method cannot be supported, the wsse:UsernameToken MAY be encrypted using XML Encryption as described in section 9. When using XML Encryption, the <wsu:Created> timestamp element MUST be added to prevent replay attacks, and it is RECOMMENDED that the receiver rejects wsse:UsernameToken with timestamps older than a given period.
(Maybe lines 463, 464 should reflect these changes and should be changed to:
"However, unless this digested password is sent on a secured channel, the digest offers no real additional security regarding replay attacks than sending a plain text password.")
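As an added illustration, not part of the original message or the WSS draft, the following Python shows the receiver side of the digest scheme described above: the digest is recomputed from the plaintext password (the limitation the message points out), the wsu:Created timestamp is checked against a freshness window, and a nonce seen inside that window is refused. The password, the 5-minute window and the timestamps are constructed values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

PASSWORD = "s3cret-example"      # constructed sample credential
MAX_AGE = timedelta(minutes=5)   # assumed freshness window; the draft names none
FMT = "%Y-%m-%dT%H:%M:%SZ"       # wsu:Created as a UTC xsd:dateTime

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """wsse:PasswordDigest as the message states it: Base64(SHA1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

def build_token(password: str, created: datetime, nonce: bytes) -> dict:
    """Sender side: the fields carried in the wsse:UsernameToken (nonce must be fresh random bytes)."""
    created_s = created.strftime(FMT)
    return {"Nonce": base64.b64encode(nonce).decode("ascii"), "Created": created_s,
            "PasswordDigest": password_digest(nonce, created_s, password)}

class Verifier:
    """Receiver side: needs the plaintext password (the limitation the message points out),
    enforces wsu:Created freshness and refuses a nonce reused inside the window."""
    def __init__(self, password: str, max_age: timedelta = MAX_AGE):
        self.password, self.max_age, self.seen = password, max_age, {}

    def verify(self, token: dict, now: datetime) -> bool:
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        if not (now - self.max_age <= created <= now + timedelta(seconds=30)):
            return False                      # stale or future-dated: reject
        nonce = base64.b64decode(token["Nonce"])
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_age}
        if nonce in self.seen:
            return False                      # replay of a nonce already accepted
        expected = password_digest(nonce, token["Created"], self.password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False                      # wrong password or tampered token
        self.seen[nonce] = created
        return True

def replay_scenario() -> tuple:
    """Fresh token accepted, its replay refused, new nonce accepted, stale token refused, bad digest refused."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    v = Verifier(PASSWORD)
    fresh = build_token(PASSWORD, now, b"0123456789abcdef")
    other = build_token(PASSWORD, now, b"fedcba9876543210")
    stale = build_token(PASSWORD, now - timedelta(minutes=10), b"xxxxxxxxxxxxxxxx")
    return (v.verify(fresh, now), v.verify(fresh, now + timedelta(seconds=10)),
            v.verify(other, now + timedelta(seconds=10)), v.verify(stale, now),
            Verifier(PASSWORD).verify(dict(other, PasswordDigest="AAAA"), now))
```

The nonce cache only needs to hold entries for the length of the freshness window, which is why the window and the cache have to be used together.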



