Default algorithms in WSE 3.0

WSE 2.0 and 3.0 both provide AES128 + RSA 1.5 as the default algorithms for symmetric encryption and key-wrap.
However, AES256 + RSA-OAEP are the recommended combination for these purposes, and Indigo will ship with that combination as its default.

In WSE 2.0, these algorithms could be changed by adding some settings to the configuration file:

<microsoft.web.services2>
...
  <security>
  ....
    <binarySecurityTokenManager
      valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
      <sessionKeyAlgorithm name="TripleDES"/>   <!-- add this to switch to TripleDES from the default AES128 -->
      <keyAlgorithm name="RSAOAEP"/>            <!-- add this to switch to RSA-OAEP from the default RSA15 -->
    </binarySecurityTokenManager>
  </security>
...
</microsoft.web.services2>

These settings don't have the same effect in WSE 3.0, because it changed the code used to secure messages. The security assertions
shipped with WSE 3.0 use different tokens to secure messages: they no longer use an X509 security token directly, but derived tokens instead.

  • EncryptedToken: Usually, this token is used by the security assertions to sign and encrypt messages.
  • DerivedKeyToken: Only used when the flag "DeriveKeys" is on.
  • SecureContextToken: Only used in secure conversations. (When the flag "establishSecurityContext" is on)

The following configuration shows how to override the default algorithm used by these tokens:

<microsoft.web.services3>
  <security>
    <binarySecurityTokenManager>
      <add
        type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <keyAlgorithm name="RSAOAEP"/>
      </add>
    </binarySecurityTokenManager>
    <securityTokenManager>
      <add localName="EncryptedKey"
        type="Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        namespace="http://www.w3.org/2001/04/xmlenc#">
        <keyAlgorithm name="AES256"/>
      </add>
      <add localName="DerivedKeyToken"
        type="Microsoft.Web.Services3.Security.Tokens.DerivedKeyTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <keyAlgorithm name="AES256"/>
      </add>
      <add localName="SecurityContextToken"
        type="Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        namespace="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <keyAlgorithm name="AES256"/>
      </add>
    </securityTokenManager>
  </security>
</microsoft.web.services3>
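A configuration like the one above is easy to get half right: a token manager whose <keyAlgorithm> element is missing quietly keeps the AES128 or RSA15 default described at the top of this post. As an added example (not code from this post or from WSE itself), the following Python script parses a web.config containing a <microsoft.web.services3> section and reports, for each token manager <add>, which algorithm is actually in effect and whether it was set explicitly. The defaults it falls back to (RSA15 for key-wrap, AES128 for the symmetric key) and the recommended AES256 + RSA-OAEP pair are the values stated in this post; the embedded sample configuration is constructed for the example.

```python
"""Audit which key-wrap and symmetric-key algorithms a WSE 3.0 configuration
actually selects for each token manager.

Added example for this post; it is not code from the post or from WSE.
It reads a <microsoft.web.services3> section and reports, per token
manager, the <keyAlgorithm name="..."/> that is set, falling back to the
defaults the post describes (RSA15 for key-wrap, AES128 for the symmetric
key) whenever the element is absent, and compares each value against the
AES256 + RSA-OAEP combination the post recommends.
"""
import xml.etree.ElementTree as ET

# Defaults and recommendations as stated in the post (names are the ones
# WSE uses in <keyAlgorithm name="..."/>).
DEFAULT_KEY_WRAP = "RSA15"
DEFAULT_SYMMETRIC = "AES128"
RECOMMENDED_KEY_WRAP = "RSAOAEP"
RECOMMENDED_SYMMETRIC = "AES256"

# Constructed sample: the X509 manager was switched to RSA-OAEP and
# EncryptedKey to AES256, but DerivedKeyToken and SecurityContextToken were
# left without a <keyAlgorithm>, so those two silently keep the AES128 default.
SAMPLE_CONFIG = """\
<configuration>
  <microsoft.web.services3>
    <security>
      <binarySecurityTokenManager>
        <add type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3"
             valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
          <keyAlgorithm name="RSAOAEP"/>
        </add>
      </binarySecurityTokenManager>
      <securityTokenManager>
        <add localName="EncryptedKey"
             type="Microsoft.Web.Services3.Security.Tokens.EncryptedKeyTokenManager, Microsoft.Web.Services3"
             namespace="http://www.w3.org/2001/04/xmlenc#">
          <keyAlgorithm name="AES256"/>
        </add>
        <add localName="DerivedKeyToken"
             type="Microsoft.Web.Services3.Security.Tokens.DerivedKeyTokenManager, Microsoft.Web.Services3"
             namespace="http://schemas.xmlsoap.org/ws/2005/02/sc"/>
        <add localName="SecurityContextToken"
             type="Microsoft.Web.Services3.Security.Tokens.SecurityContextTokenManager, Microsoft.Web.Services3"
             namespace="http://schemas.xmlsoap.org/ws/2005/02/sc"/>
      </securityTokenManager>
    </security>
  </microsoft.web.services3>
</configuration>
"""


def _configured_algorithm(add_elem, default):
    """Return (algorithm, explicit): the <keyAlgorithm name> under <add>, else the default."""
    node = add_elem.find("keyAlgorithm")
    name = node.get("name") if node is not None else None
    if name:
        return name, True
    return default, False


def _manager_label(add_elem):
    """Label an <add> by its localName, or by the class name in its type attribute."""
    local = add_elem.get("localName")
    if local:
        return local
    type_attr = add_elem.get("type", "")
    return type_attr.split(",")[0].rsplit(".", 1)[-1] or "<unnamed>"


def audit_wse3_config(xml_text):
    """Return one finding per token manager <add>, in document order.

    Each finding holds the manager label, the algorithm in effect, whether it
    was set explicitly, the recommended algorithm, and an 'ok' flag.
    """
    root = ET.fromstring(xml_text)
    # The section may be the document root or nested inside <configuration>.
    wse = next(root.iter("microsoft.web.services3"), None)
    if wse is None:
        raise ValueError("no <microsoft.web.services3> section found")

    findings = []
    # Key-wrap (asymmetric) algorithm: binarySecurityTokenManager/add
    for add in wse.iterfind("security/binarySecurityTokenManager/add"):
        alg, explicit = _configured_algorithm(add, DEFAULT_KEY_WRAP)
        findings.append({"manager": _manager_label(add), "algorithm": alg, "explicit": explicit,
                         "recommended": RECOMMENDED_KEY_WRAP, "ok": alg == RECOMMENDED_KEY_WRAP})
    # Symmetric algorithm: EncryptedKey / DerivedKeyToken / SecurityContextToken
    for add in wse.iterfind("security/securityTokenManager/add"):
        alg, explicit = _configured_algorithm(add, DEFAULT_SYMMETRIC)
        findings.append({"manager": _manager_label(add), "algorithm": alg, "explicit": explicit,
                         "recommended": RECOMMENDED_SYMMETRIC, "ok": alg == RECOMMENDED_SYMMETRIC})
    return findings


def weak_managers(xml_text):
    """Labels of the token managers not yet on the recommended algorithm."""
    return [f["manager"] for f in audit_wse3_config(xml_text) if not f["ok"]]


if __name__ == "__main__":
    for f in audit_wse3_config(SAMPLE_CONFIG):
        source = "explicit" if f["explicit"] else "implicit default"
        status = "ok" if f["ok"] else "change to " + f["recommended"]
        print(f"{f['manager']:<26} {f['algorithm']:<8} ({source:<16}) {status}")
```

Run against the sample, the script flags DerivedKeyToken and SecurityContextToken as still on the implicit AES128 default; that "implicit default" column is the one to watch, because nothing in the file says AES128 anywhere.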


  • Comments

    # re: Default algorithms in WSE 3.0

    Wednesday, September 21, 2005 3:30 PM by Nathan Anderson

    Hi Pablo,

    It looks like the sct namespace posted is wrong. Instead of:

    http://schemas.xmlsoap.org/ws/2005/02/sc/sct

    it should be:

    http://schemas.xmlsoap.org/ws/2005/02/sc

    Thanks.

    # re: Default algorithms in WSE 3.0

    Wednesday, September 21, 2005 3:52 PM by Cibra

    ohhh, thank you. I will try with that one.

    # re: Default algorithms in WSE 3.0

    Wednesday, January 31, 2007 5:00 AM by Nicolas Mousson

    Hello Pablo.

    Is there a configuration solution on the server side to accept both RSA15 and RSAOAEP algorithms ?

    In fact, I would like the server to be able to accept SOAP messages encrypted with RSA15 OR RSAOAEP (it would automatically choose the correct one to decrypt the message).

    I tried this:

    <binarySecurityTokenManager>
      <add
        type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <keyAlgorithm name="RSA15"/>
      </add>
      <add
        type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <keyAlgorithm name="RSAOAEP"/>
      </add>
    </binarySecurityTokenManager>

    The problem here is that WSE 3.0 only uses the last algorithm added to the configuration file (RSAOAEP in this case), and doesn't care about the other.

    Also, in the document "Patterns and Practices: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0", I saw that some attributes like "priority" or "group" can be added:

      <add
        type="Microsoft.Web.Services3.Security.Tokens.X509SecurityTokenManager, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
        valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" priority="1" group="0">
        <keyAlgorithm name="RSA15"/>
      </add>

    But I did not find any more documentation for this...
