Symmetric key based encryption in WSE 2.0 ( part 1 )

  • Article

In WSE 1.0, symmetric key encryption could be done through decryption key provider.  Moving to WSE 2.0, every security operation has been bound with a security token, including the symmetric key encryption.  There are generally two ways to do a symmetric key encryption, commonly known as share secret encryption in WSE 2.0

Option #1: Use custom security token

If you chose this approach, first you need to decide what your token going to look like over the wire.  It is totally up to you, the developer, to choose what format you are going to use to represent your token over the wire, whether it is a binary security token or an xml security token.  Since both the client and the server know the shared secret, the security token can contain some identifier so that the other end can identify it before recovering the secret.

User basically needs to write their own token, their own token manager and register them on both end.  In the its token manager, it can override LoadTokenFromXml() to reconstruct the key.  Future blog will give a more detailed example.

Option #2: Reuse the SecurityContextToken

In this case, on the client side, one can construct a SCT and set its keybytes by passing the keybytes in one of its constructor

SecurityContextToken sct = new SecurityContextToken(<secret>);

SecurityTokenManager.Cache(sct);  // cache the sct in memory for decrypting the response

On the receiving end, one needs to define his or her own token manager which derives from the built-in SecurityContextTokenManager to provide the secret, which used to be done through DecryptionKeyProvider in WSE 1.0.

public class MySecurityContextTokenManager : SecurityContextTokenManager

{

            public override SecurityToken LoadTokenFromXml(XmlElement element)

            {

                  SecurityToken st = base.LoadTokenFromXml(element);

                                    SecurityContextToken sct = st as SecurityContextToken;

                                    Sct.KeyBytes = <secret>;

                        }

}

Now you need to register this token manager in the configuration file, usually your web.config.  The configuration will look like this

  <microsoft.web.services2>

    <security>

      <securityTokenManager type="MYSCTNamespace.MySecurityContextTokenManager, MySCTDll" xmlns:wssc="https://schemas.xmlsoap.org/ws/2004/04/sc" qname="wssc:SecurityContextToken" />

    </security>

  </microsoft.web.services2>

Of course, don't forget to register the configruation loader for WSE by the following section

<configSections>

    <section name="microsoft.web.services2" type="Microsoft.Web.Services2.Configuration.WebServicesConfiguration, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

 </configSections>

That is all you need to do.  Now compile and run.

Please keep in mind, this approach can not be used together with WS-SecureConversation feature since it is basically overloading SCT with your symmetric key.  Choose Option #1 if you need to have WS-SecureConversation at the same time. 

Happy coding with WSE!