How do I change key wrap and encryption algorithms in WSE2.0?

Related to my previous blog on WS-Security interop with WebSphere.

The recommended combination of algorithms is AES-256 for symmetric (data) encryption and RSA-OAEP for key wrap; this is, for example, the default algorithm suite in Indigo (the codename for what became WCF). WSE 2.0 uses RSA 1.5 (PKCS#1 v1.5) key transport plus AES-128 by default, which will most likely change in WSE 3.0. RSA-OAEP is preferred over RSA 1.5 because PKCS#1 v1.5 key transport is exposed to padding-oracle (Bleichenbacher-style) attacks whenever the decrypting side leaks whether unwrapping the key failed.

However, there isn't a great deal of commonality yet in the defaults different WS-Security toolkits use, so interop often means overriding them on one side. Here is how to configure WSE to use other encryption and key-wrap algorithms.

For example, to make WSE use TripleDES for data encryption and/or RSA-OAEP for key transport, add the following to the configuration file (TripleDES is weaker than AES and has a 64-bit block, so choose it only when the peer cannot do AES):

<microsoft.web.services2>
...
  <security>
   ....
     <binarySecurityTokenManager
          valueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
        <sessionKeyAlgorithm name="TripleDES"/> <!-- data encryption: switch to TripleDES from the default AES128 -->
        <keyAlgorithm name="RSAOAEP"/>          <!-- key wrap: switch to RSA-OAEP from the default RSA15 -->
     </binarySecurityTokenManager>
  </security>
...
</microsoft.web.services2>

or in code:

using Microsoft.Web.Services2.Security;          // WSTrust (WSE 2.0 namespace)
using Microsoft.Web.Services2.Security.Tokens;   // SecurityTokenManager (WSE 2.0 namespace)

// Look up the token manager registered for X.509v3 tokens and override the
// algorithms it uses to encrypt the message body (session key algorithm) and
// to wrap that session key with the recipient's RSA public key (key algorithm).
ISecurityTokenManager stm = SecurityTokenManager.GetSecurityTokenManagerByTokenType(WSTrust.TokenTypes.X509v3);
stm.DefaultSessionKeyAlgorithm = "TripleDES";  // symmetric data encryption (default: AES128)
stm.DefaultKeyAlgorithm = "RSAOAEP";           // key wrap / key transport (default: RSA15)
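Whichever way the algorithms are set, the thing worth checking is what actually goes on the wire: the EncryptionMethod URIs inside the wsse:Security header. The script below is an added example, not WSE or Microsoft code. It parses a SOAP message, maps the XML Encryption algorithm URIs back to the WSE algorithm names used above, and flags a message that still uses RSA 1.5 or a non-AES session key. The two SOAP envelopes are constructed, minimal samples (real WSE output also carries KeyInfo, a token reference and real CipherValue content); the ACCEPTABLE policy table is an assumption reflecting the RSA-OAEP plus AES recommendation, not a WSE setting.

```python
"""Check which key-wrap and data-encryption algorithms a WS-Security
message really uses, so a WSE configuration change is verified on the
wire rather than trusted.  Added example; not WSE code."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# XML Encryption 1.0 algorithm URIs and the WSE 2.0 algorithm names they correspond to.
KEY_WRAP = {
    XENC + "rsa-1_5": "RSA15",
    XENC + "rsa-oaep-mgf1p": "RSAOAEP",
}
SESSION_KEY = {
    XENC + "tripledes-cbc": "TripleDES",
    XENC + "aes128-cbc": "AES128",
    XENC + "aes192-cbc": "AES192",
    XENC + "aes256-cbc": "AES256",
}
# Assumed policy for this check: OAEP key wrap and any AES variant for data.
ACCEPTABLE = {"key": {"RSAOAEP"}, "session": {"AES128", "AES192", "AES256"}}


def _algorithm_of(parent) -> str:
    """Algorithm URI of the xenc:EncryptionMethod child, or '' if absent."""
    method = parent.find(f"{{{XENC}}}EncryptionMethod")
    return method.get("Algorithm", "") if method is not None else ""


def extract_algorithms(soap_xml: str) -> dict:
    """Return {'key': name, 'session': name} taken from the EncryptedKey in the
    wsse:Security header and the EncryptedData it protects.  Unknown URIs are
    returned verbatim so they show up in findings instead of being hidden."""
    root = ET.fromstring(soap_xml)
    enc_key = root.find(f".//{{{WSSE}}}Security/{{{XENC}}}EncryptedKey")
    if enc_key is None:
        raise ValueError("no xenc:EncryptedKey inside wsse:Security header")
    enc_data = root.find(f".//{{{XENC}}}EncryptedData")
    if enc_data is None:
        raise ValueError("no xenc:EncryptedData in message")
    key_uri, data_uri = _algorithm_of(enc_key), _algorithm_of(enc_data)
    return {"key": KEY_WRAP.get(key_uri, key_uri),
            "session": SESSION_KEY.get(data_uri, data_uri)}


def check_policy(algs: dict) -> list:
    """Human-readable findings; an empty list means the message matches policy."""
    findings = []
    if algs["key"] not in ACCEPTABLE["key"]:
        findings.append(f"key wrap is {algs['key']!r}: expected RSA-OAEP, RSA 1.5 is not acceptable")
    if algs["session"] not in ACCEPTABLE["session"]:
        findings.append(f"session key algorithm is {algs['session']!r}: expected an AES variant")
    return findings


def sample_message(key_uri: str, data_uri: str) -> str:
    """Constructed minimal WS-Security message for the check; not real WSE output."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <xenc:EncryptedKey xmlns:xenc="{XENC}">
        <xenc:EncryptionMethod Algorithm="{key_uri}"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#EncBody"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData xmlns:xenc="{XENC}" Id="EncBody" Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{data_uri}"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


# What an untouched WSE 2.0 client sends versus the recommended suite.
WSE2_DEFAULTS = sample_message(XENC + "rsa-1_5", XENC + "aes128-cbc")
RECOMMENDED = sample_message(XENC + "rsa-oaep-mgf1p", XENC + "aes256-cbc")

if __name__ == "__main__":
    for label, msg in (("WSE 2.0 defaults", WSE2_DEFAULTS), ("recommended", RECOMMENDED)):
        algs = extract_algorithms(msg)
        print(label, algs, check_policy(algs) or "OK")
```

Run it against a message captured with a tool such as the WSE trace output (soapOutput) instead of the constructed samples to confirm that the configuration change took effect on the endpoint you think it did; the unknown-URI passthrough also catches a peer advertising an algorithm that is not in the table.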

Posted Apr 14 2005, 01:02 AM by kirill-gavrylyuk
Comments

Rui Fiske wrote re: How do I change key wrap and encryption algorithms in WSE2.0?
on 08-18-2005 6:57 AM
This is an interesting blog, for an area that needs as much exposure as it can get. Don't give up!

--<-->--<-->--<-->--<-->--<-->--<-->--<-->--

Is there any way with WSE (I'm using SP3), to map an old (or even incorrect) namespace onto a different Token Manager? This would allow SP3 servers to support older WSE clients, without having to upgrade all existing clients.

So, for example, I would like to use the existing Token manager in SP3 to handle tokens of the ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#X509v3". Is this possible at all?

I'm sure that an earlier version of WSE supported this namespace, but it is impossible (I think) to have multiple versions of WSE running on the same machine.

It comes back to versioning, once again, for schemas and interfaces. Is this one of the last great frontiers for XML and interoperability?
