OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: HMAC Key Derivation in UsernameToken Profile


All,

An XML Digital Signature doesn't mix the shared secret with 'salt'
information before an hmac-sha1 authentication code is generated. That
is, the key is the same as the utf8 encoded password.

Nowhere in the core spec or in the username token profile is it
mentioned how the input to the HMAC-SHA1 alg. (aka RFC2104) is generated
from the password. 

My assumption then is that there is NO extra salt information combined
with the shared secret before it is used to generate the MAC. Can we
make this clear?

Some existing WS-Security implementations are taking liberties and
adding extra salt information (such as nonce, time stamp, etc).

Is there something that I missed here? It seems like leaving this
unspecified will produce wildly un-interoperable messages. Can someone
explain to me why this is the case? Did I completely miss something
here?

Thanks,

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
http://www.sarvega.com/





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]