About Question enthuware.ocejws.v6.2.328 :

Posted: Wed Nov 05, 2014 1:02 pm
by austinor
The question is:
We have got a Web Service that needs to be secured. The choice has been made to use WSIT security, in particular the mechanism also known as
"Username Authentication with Symmetric Keys".

What is/are the correct statement(s)?

Supplied correct answers:

- The WSIT client-side configuration file will contain the following policy:

<wsp:Policy wsu:Id="WebServicePortBindingPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sc:CallbackHandlerConfiguration wspp:visibility="private">
        <sc:CallbackHandler default="wsitUser" name="usernameHandler"/>
        <sc:CallbackHandler default="changeit" name="passwordHandler"/>
      </sc:CallbackHandlerConfiguration>
      <sc:TrustStore wspp:visibility="private" peeralias="xws-security-server" storepass="changeit" type="JKS" location="C:\glassfish-4.0\glassfish\domains\domain1\config\cacerts.jks"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

- This WSIT-mechanism protects the Web Service for 'integrity' and 'confidentiality'.
I was thinking that Username/Password is for 'authentication', and that the symmetric key is for encryption/'confidentiality', but how does 'integrity' come in?

Re: About Question enthuware.ocejws.v6.2.328 :

Posted: Wed Nov 05, 2014 1:04 pm
by austinor
My idea was that any of the signature techniques satisfies 'integrity'.

Re: About Question enthuware.ocejws.v6.2.328 :

Posted: Thu Nov 06, 2014 1:10 am
by austinor
... but how does 'integrity' come in?

Re: About Question enthuware.ocejws.v6.2.328 :

Posted: Thu Nov 06, 2014 3:39 pm
by fjwalraven
Key points to remember:

Integrity & Non-repudiation - signing of SOAP messages
Confidentiality - encrypting of SOAP messages

From the WSIT tutorial:

Username Authentication with Symmetric Keys

The Username Authentication with Symmetric Keys mechanism protects your application for integrity and confidentiality. Symmetric key cryptography relies on a single, shared secret key that is used to both sign and encrypt a message. Symmetric keys are usually faster than public key cryptography.

For this mechanism, the client does not possess any certificate/key of his own, but instead sends its username/password for authentication. The client shares a secret key with the server. The shared, symmetric key is generated at runtime and encrypted using the service’s certificate. The client must specify the alias in the truststore by identifying the server’s certificate alias.

Regards,
Frits
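
To picture the exchange the tutorial describes, here is an added Java (JCE) example; it is not code from the thread, the tutorial or WSIT itself. The client generates the symmetric key at runtime, encrypts it with the service's public key, and uses that one key both to sign (HMAC, integrity) and to encrypt (AES-GCM, confidentiality) the body; the service unwraps the key, decrypts and verifies. A freshly generated RSA key pair stands in for the certificate under the truststore alias, and the UsernameToken and SOAP security header are left out.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class UsernameSymmetricKeyDemo {
    public static void main(String[] args) throws Exception {
        // Stand-in for the service certificate under the truststore alias
        // (constructed RSA key pair instead of loading cacerts.jks).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair service = kpg.generateKeyPair();

        // Client: symmetric key generated at runtime, encrypted (wrapped)
        // with the service's public key so only the service can recover it.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey shared = kg.generateKey();
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        wrap.init(Cipher.WRAP_MODE, service.getPublic());
        byte[] wrappedKey = wrap.wrap(shared);

        // The same shared key signs (HMAC) and encrypts (AES-GCM) the body.
        // Real WS-Security stacks derive separate signing/encryption keys
        // from it; it is reused directly here to mirror the tutorial text.
        byte[] body = "<soap:Body><getQuote>ORCL</getQuote></soap:Body>".getBytes(StandardCharsets.UTF_8);
        Mac sign = Mac.getInstance("HmacSHA256");
        sign.init(new SecretKeySpec(shared.getEncoded(), "HmacSHA256"));
        byte[] signature = sign.doFinal(body);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, shared, new GCMParameterSpec(128, iv));
        byte[] ciphertext = enc.doFinal(body);

        // Service: unwrap with its private key, decrypt, then verify the MAC.
        Cipher unwrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        unwrap.init(Cipher.UNWRAP_MODE, service.getPrivate());
        SecretKey recovered = (SecretKey) unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        byte[] plaintext = dec.doFinal(ciphertext);
        Mac verify = Mac.getInstance("HmacSHA256");
        verify.init(new SecretKeySpec(recovered.getEncoded(), "HmacSHA256"));
        boolean intact = MessageDigest.isEqual(verify.doFinal(plaintext), signature);
        System.out.println("integrity=" + intact + " body=" + new String(plaintext, StandardCharsets.UTF_8));
    }
}
```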

Re: About Question enthuware.ocejws.v6.2.328 :

Posted: Sat Jun 09, 2018 10:10 am
by javabean68
Hello Frits,

Why is the last statement wrong? A symmetric key does mean that the key is used to both sign and encrypt a message.

Thank you in advance!
Regards
Fabio

Re: About Question enthuware.ocejws.v6.2.328 :

Posted: Sat Jun 09, 2018 12:26 pm
by fjwalraven
Hi Fabio,

You are right, the last answer is correct!

Thanks for your feedback,

Frits