What key and iv are created for msg encryption?


What key and iv are created for msg encryption? William Stacey [MVP]
1/16/2005 12:09:51 PM
dotnet web services enhancements:
When you encrypt the SoapEnvelope using a UsernameToken, what key is being
used for the encryption? How are the key and IV being calculated? I would
think it must be something derived from the username and password in the token,
or what, as no prior session key is negotiated? tia

EncryptedData enc = new EncryptedData(tok);
se.Context.Security.Elements.Add(enc);

--
William Stacey, MVP
http://mvp.support.microsoft.com

Re: What key and iv are created for msg encryption? Ben Schwehn
1/16/2005 11:06:04 PM


Playing around with Reflector, it seems to me that the key is generated
in UserNameToken.DerivedKeyGenerator, using the password as the key to a
System.Security.Cryptography.HMACSHA1.

The nonce and the Created time are used as the seed for the hash algorithm
in HMACSHA1.

Nonce and Created time (and the username) are sent in the soap request
in clear text as in

<wsse:UsernameToken
wsu:Id="SecurityToken-0fb69da4-ac7d-4c83-b0de-6826e702fde8">
<wsse:Username>bob</wsse:Username>
<wsse:Nonce>F25bMBERpnprp8btClB60g==</wsse:Nonce>
<wsu:Created>2004-11-07T23:22:47Z</wsu:Created>
</wsse:UsernameToken>

so that the receiving end can use it in combination with the password
for decryption.


Unlike System.Security.Cryptography.SymmetricAlgorithm,
Microsoft.Web.Services2.Security.Cryptography.SymmetricKeyAlgorithm
doesn't seem to use an initialization vector (IV).


hth
--
Ben
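The scheme Ben describes, worked through as an added example (this is not code from the thread, from WSE 2.0, or from Microsoft): the password keys an HMAC-SHA1, the cleartext nonce and Created timestamp are the HMAC input, and the receiver rebuilds the same key from its own copy of the password. The exact expansion (a TLS-style P_SHA1, 16-byte output), the sample token values, the password store, the signed body, the wordlist and the helper names (`derive_key`, `offline_guess`, `accept_token`) are all assumptions made for the illustration. It also shows the two things a practitioner should take from the thread: a passive observer who has the token and anything verifiable under the key can test password guesses offline, and a replayed nonce/Created pair yields the same key, so the receiver has to reject repeats.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample UsernameToken, using the cleartext fields quoted in the
# thread. All three travel unencrypted in the SOAP header.
SAMPLE_TOKEN = {
    "Username": "bob",
    "Nonce": "F25bMBERpnprp8btClB60g==",
    "Created": "2004-11-07T23:22:47Z",
}

# Constructed server-side credential store (assumption: the receiver holds the
# cleartext password, which any password-derived key scheme requires).
PASSWORD_STORE = {"bob": "s3cret"}


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion, assumed here as the derivation (TLS 1.0 PRF style):
    A(i) = HMAC-SHA1(secret, A(i-1)); output block i = HMAC-SHA1(secret, A(i) || seed).
    Blocks are concatenated until `length` bytes are available."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(password: str, nonce_b64: str, created: str, key_len: int = 16) -> bytes:
    """Password is the HMAC key; decoded nonce + Created is the HMAC input."""
    seed = base64.b64decode(nonce_b64) + created.encode("ascii")
    return p_sha1(password.encode("utf-8"), seed, key_len)


def sender_key(token: dict, password: str) -> bytes:
    return derive_key(password, token["Nonce"], token["Created"])


def receiver_key(token: dict) -> bytes:
    """The receiver recomputes the key from the cleartext token plus its own
    copy of the user's password; no key exchange has taken place."""
    password = PASSWORD_STORE[token["Username"]]
    return derive_key(password, token["Nonce"], token["Created"])


def sign_body(key: bytes, body: bytes) -> bytes:
    """Stand-in for any value an observer can check under the derived key
    (a signature over a known body, or a ciphertext with known plaintext)."""
    return hmac.new(key, body, hashlib.sha1).digest()


def offline_guess(token: dict, body: bytes, observed_sig: bytes, candidates) -> Optional[str]:
    """A passive observer holds nonce, Created and the signed body, so each
    password guess is checked locally; the server never sees the attempts."""
    for pw in candidates:
        k = derive_key(pw, token["Nonce"], token["Created"])
        if hmac.compare_digest(sign_body(k, body), observed_sig):
            return pw
    return None


def accept_token(token: dict, seen: set) -> bool:
    """Same nonce + Created gives the same key, so a replayed token must be
    refused. A real receiver also bounds Created to a short time window."""
    marker = (token["Username"], token["Nonce"], token["Created"])
    if marker in seen:
        return False
    seen.add(marker)
    return True


if __name__ == "__main__":
    body = b"<soap:Body>transfer 100</soap:Body>"  # constructed
    k_send = sender_key(SAMPLE_TOKEN, "s3cret")
    k_recv = receiver_key(SAMPLE_TOKEN)
    print("sender and receiver keys match:", k_send == k_recv)
    sig = sign_body(k_send, body)
    wordlist = ["password", "letmein", "bob2004", "s3cret"]  # constructed
    print("password recovered offline:", offline_guess(SAMPLE_TOKEN, body, sig, wordlist))
    seen = set()
    print("first use accepted:", accept_token(SAMPLE_TOKEN, seen),
          "| replay accepted:", accept_token(SAMPLE_TOKEN, seen))
```

The key is exactly as strong as the password, whatever the derivation details, and the nonce only prevents two messages from sharing a key; it does nothing against guessing. Run this over a captured header plus one signed body to see why a UsernameToken-derived key should only be used over a transport that already hides the token, or with a high-entropy password.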