Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure web services > Secure web services > Administer Web Services Security > Administer message-level security for JAX-WS web services > Secure requests to the trust service using system policy sets > Enable secure conversation
Derived key token
After establishing the security context and after the secret have been established (authenticated), derived keys can be used to sign and encrypt the SOAP message to provide message level protection. We can then use derived keys for each key used in the security context.
We can enable WS-SecureConversation by using symmetric keys that are derived from the security token for signing and encrypting the application messages.
Use WS-SecureConversation, the initiator can establish a security context token using the WS-Trust protocol with the recipient. A security context token implies or contains a shared secret. Using a common secret, different key derivations can be defined. Then, using the security context token, the <wsc:DerivedKeyToken> token can be used to derive keys from any security token that has a shared secret, key, or key material. This secret can be used for signing or encrypting messages, but IBM recommends that derived keys be used for signing and encrypting messages that are associated only with the security context.
Syntax for the <wsc:DerivedKeyToken> element
The <wsc:DerivedKeyToken> element is used to indicate that the key for a specific reference is generated from the function so that explicit security tokens, secrets, or key material need not be exchanged as often. The derived key token does not support references to it using key identifiers or key names. All references must use an ID to a wsu:Id attribute or use a URI reference, <wsse:Reference>, to the <wsc:Identifier> element in the security context token.
The syntax for <wsc:DerivedKeyToken> element is as follows:
<wsc:DerivedKeyToken wsu:Id="..."> <wsse:SecurityTokenReference>... </wsse:SecurityTokenReference> <wsc:Label>... </wsc:Label> <wsc:Nonce>... </wsc:Nonce> </wsc:DerivedKeyToken>Derived keys are expressed as security tokens and use different algorithms for deriving keys. The following URI is used to represent the derived key token type:
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dkThe nonce is processed as a binary octet sequence (the value prior to base64 encoding). The nonce seed is required, and must be generated by one or more of the communicating parties. Use separate nonces and have independently generated keys for signing and encrypting for request and response. New keys should be derived for each message, meaning that a previous nonce should not be reused.
Implied derived key generation
Implied derived keys define a shortcut mechanism for referencing certain types of derived keys. Specifically, an @wsc:Nonce attribute can be added to the security token reference (STR) that is defined in the WS-Security specification. When present, an implied derived key indicates that the key is not in the referenced token but, instead, is a key that is derived from the key or secret of the referenced token. It is recommended that you do not use implied derived Keys in the <wsc:DerivedKeyToken> element.
Example
The following example illustrates a message that is sent using two derived keys, one for signing and one for encrypting:
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:xenc="..." xmlns:wsc="..." xmlns:ds="..."> <S11:Header> <wsse:Security> <wsc:SecurityContextToken wsu:Id="ctx2"> <wsc:Identifier>uuid:...UUID2... </wsc:Identifier> </wsc:SecurityContextToken> <wsc:DerivedKeyToken wsu:Id="dk2"> <wsse:SecurityTokenReference> <wsse:Reference URI="#ctx2"/> </wsse:SecurityTokenReference> <wsc:Nonce>KJHFRE... </wsc:Nonce> </wsc:DerivedKeyToken> <xenc:ReferenceList> ... <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#dk2"/> </wsse:SecurityTokenReference> </ds:KeyInfo> ... </xenc:ReferenceList> <wsc:SecurityContextToken wsu:Id="ctx1"> <wsc:Identifier>uuid:...UUID1... </wsc:Identifier> </wsc:SecurityContextToken> <wsc:DerivedKeyToken wsu:Id="dk1"> <wsse:SecurityTokenReference> <wsse:Reference URI="#ctx1"/> </wsse:SecurityTokenReference> <wsc:Nonce>KJHFRE... </wsc:Nonce> </wsc:DerivedKeyToken> <xenc:ReferenceList> ... <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#dk1"/> </wsse:SecurityTokenReference> </ds:KeyInfo> ... </xenc:ReferenceList> </wsse:Security> ... </S11:Header> <S11:Body> ... </S11:Body> </S11:Envelope>
Web Services Secure Conversation
Security token
Username token
Binary security token
Derived key token
Security context token
Enable secure conversation