
Nonce on plain-text UsernameToken may still be important and perhaps should be used unencrypted in the security header?

Please note that these java.net forums are being decommissioned; please use the new and improved forums at https://community.oracle.com/community/java.
andre0815
Offline
Joined: 2008-03-25

Hello,
At http://metro.1045641.n5.nabble.com/How-to-configure-client-for-UsernameT...
there is a discussion about Nonce on plain-text UsernameToken. Glen Mazza wrote that Nonce on encrypted transport makes no sense, and this might be the reason why Metro does not implement it.
.. Metro uses Nonce only on the digest password profile, which can be used with unencrypted transport ..
Here I have a question about replay attacks using the whole SOAP message:
.. Bad guys can sniff the whole encrypted message (SSL or XML Encryption) and attack the service with this sniffed data ..
Is this so?
-> From my point of view, a Nonce should be placed unencrypted on every message, so that the service can reject it very fast, without encryption overhead, on replay attacks.
What is the WS-Security answer to this, and what is Metro's answer?
Regards, Andre, Berlin!
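The message-replay scenario Andre describes, as an added example that is not part of the original thread and not Metro's code: a receiver for the WS-Security UsernameToken PasswordDigest profile (the one profile in which Metro does carry a Nonce) that runs the cheap checks first, Created freshness and then a nonce cache, and only then computes the SHA-1 password digest. The WSS 1.0 namespaces and the digest formula are the real ones from the UsernameToken Profile; the credential store, the clock and the SOAP fragment are constructed for the demo.

```python
"""Replay detection for a WS-Security UsernameToken (PasswordDigest profile).

Added example, not from the java.net thread or from Metro. Namespaces and the
PasswordDigest formula follow the WSS UsernameToken Profile 1.0; the password
store, timestamps and token are constructed for illustration.
"""
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed credential store: username -> password (demo only).
PASSWORDS = {"andre": "correct horse battery staple"}


def make_token(username, password, nonce, created):
    """Build a wsse:UsernameToken with PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{base64.b64encode(digest).decode()}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class ReplayGuard:
    """Rejects a token whose nonce was already seen, or whose Created is stale.

    The nonce cache only has to cover the freshness window: an older message
    is already rejected by the timestamp check, so its nonce can be evicted.
    """

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.seen = {}  # nonce bytes -> Created datetime

    def check(self, token_xml, now):
        tok = ET.fromstring(token_xml)
        username = tok.findtext("wsse:Username", namespaces=NS)
        pw_el = tok.find("wsse:Password", namespaces=NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            return "reject: digest profile requires Password, Nonce and Created"

        # 1. Freshness: cheapest check first, no hashing yet.
        created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if abs(now - created_dt) > self.window:
            return "reject: Created outside freshness window"

        # 2. Replay: the same nonce inside the window means a resent message.
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen:
            return "reject: nonce already used (replay)"

        # 3. Only now pay for the digest computation.
        password = PASSWORDS.get(username)
        if password is None:
            return "reject: unknown user"
        expected = base64.b64encode(
            hashlib.sha1(nonce + created.encode() + password.encode()).digest()
        ).decode()
        if not secrets.compare_digest(expected, pw_el.text or ""):
            return "reject: bad password digest"

        self.seen[nonce] = created_dt
        # Drop nonces that can no longer pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return "accept"


def demo():
    """Run the guard over a fresh token, the same bytes replayed, a stale copy and a wrong password."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = secrets.token_bytes(16)
    token = make_token("andre", PASSWORDS["andre"], nonce, created)
    guard = ReplayGuard()
    return {
        "first": guard.check(token, now),
        "replayed": guard.check(token, now + timedelta(seconds=30)),  # captured and resent
        "stale": guard.check(token, now + timedelta(hours=1)),
        "wrong_password": ReplayGuard().check(make_token("andre", "wrong", nonce, created), now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

Note what the example does and does not give you: the nonce stops byte-for-byte resends of the UsernameToken within the window, and because the nonce is in cleartext the rejection costs one dictionary lookup, which is exactly the cheap-reject Andre is asking for. It says nothing about the integrity of the rest of the SOAP body; binding the token to the message (a signature over body and token, or the TLS session) is what prevents an attacker from pairing a fresh token with an old body.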

andre0815
Offline
Joined: 2008-03-25

I think this is secured via session keys and binary secret.
Secure is Secure, Thanks