 |  |  |  |  |
| | | | |
 |  |
An algorithm suite is a coherent collection of cryptographic algorithms for performing operations such as signing, encryption, generating message digests, and so on.
For reference purposes, this section describes the algorithm suites defined by the WS-SecurityPolicy specification. Whether or not a particular algorithm suite is available, however, depends on the underlying security provider. FUSE Services Framework security is based on the pluggable Java Cryptography Extension (JCE) and Java Secure Socket Extension (JSSE) layers. By default, FUSE Services Framework is configured with Sun's JSSE provider, which supports the cipher suites described in Appendix A of Sun's JSSE Reference Guide.
The AlgorithmSuite element has the following syntax:
<sp:AlgorithmSuite xmlns:sp="..." ... >
<wsp:Policy xmlns:wsp="...">
(<sp:Basic256 ... /> |
<sp:Basic192 ... /> |
<sp:Basic128 ... /> |
<sp:TripleDes ... /> |
<sp:Basic256Rsa15 ... /> |
<sp:Basic192Rsa15 ... /> |
<sp:Basic128Rsa15 ... /> |
<sp:TripleDesRsa15 ... /> |
<sp:Basic256Sha256 ... /> |
<sp:Basic192Sha256 ... /> |
<sp:Basic128Sha256 ... /> |
<sp:TripleDesSha256 ... /> |
<sp:Basic256Sha256Rsa15 ... /> |
<sp:Basic192Sha256Rsa15 ... /> |
<sp:Basic128Sha256Rsa15 ... /> |
<sp:TripleDesSha256Rsa15 ... /> |
...)
<sp:InclusiveC14N ... /> ?
<sp:SOAPNormalization10 ... /> ?
<sp:STRTransform10 ... /> ?
(<sp:XPath10 ... /> |
<sp:XPathFilter20 ... /> |
<sp:AbsXPath ... /> |
...)?
...
</wsp:Policy>
...
</sp:AlgorithmSuite>The algorithm suite assertion supports a large number of alternative algorithms (for
example, Basic256). For a detailed description of the algorithm suite
alternatives, see Table 6.4.
Table 6.4 provides a summary of the algorithm suites supported by WS-SecurityPolicy. The column headings refer to different types of cryptographic algorithm, as follows: [Dig] is the digest algorithm; [Enc] is the encryption algorithm; [Sym KW] is the symmetric key-wrap algorithm; [Asym KW] is the asymmetric key-wrap algorithm; [Enc KD] is the encryption key derivation algorithm; [Sig KD] is the signature key derivation algorithm.
Table 6.4. Algorithm Suites
| Algorithm Suite | [Dig] | [Enc] | [Sym KW] | [Asym KW] | [Enc KD] | [Sig KD] |
|---|---|---|---|---|---|---|
Basic256 | Sha1 | Aes256 | KwAes256 | KwRsaOaep | PSha1L256 | PSha1L192 |
Basic192 | Sha1 | Aes192 | KwAes192 | KwRsaOaep | PSha1L192 | PSha1L192 |
Basic128 | Sha1 | Aes128 | KwAes128 | KwRsaOaep | PSha1L128 | PSha1L128 |
TripleDes | Sha1 | TripleDes | KwTripleDes | KwRsaOaep | PSha1L192 | PSha1L192 |
Basic256Rsa15 | Sha1 | Aes256 | KwAes256 | KwRsa15 | PSha1L256 | PSha1L192 |
Basic192Rsa15 | Sha1 | Aes192 | KwAes192 | KwRsa15 | PSha1L192 | PSha1L192 |
Basic128Rsa15 | Sha1 | Aes128 | KwAes128 | KwRsa15 | PSha1L128 | PSha1L128 |
TripleDesRsa15 | Sha1 | TripleDes | KwTripleDes | KwRsa15 | PSha1L192 | PSha1L192 |
Basic256Sha256 | Sha256 | Aes256 | KwAes256 | KwRsaOaep | PSha1L256 | PSha1L192 |
Basic192Sha256 | Sha256 | Aes192 | KwAes192 | KwRsaOaep | PSha1L192 | PSha1L192 |
Basic128Sha256 | Sha256 | Aes128 | KwAes128 | KwRsaOaep | PSha1L128 | PSha1L128 |
TripleDesSha256 | Sha256 | TripleDes | KwTripleDes | KwRsaOaep | PSha1L192 | PSha1L192 |
Basic256Sha256Rsa15 | Sha256 | Aes256 | KwAes256 | KwRsa15 | PSha1L256 | PSha1L192 |
Basic192Sha256Rsa15 | Sha256 | Aes192 | KwAes192 | KwRsa15 | PSha1L192 | PSha1L192 |
Basic128Sha256Rsa15 | Sha256 | Aes128 | KwAes128 | KwRsa15 | PSha1L128 | PSha1L128 |
TripleDesSha256Rsa15 | Sha256 | TripleDes | KwTripleDes | KwRsa15 | PSha1L192 | PSha1L192 |
The following types of cryptographic algorithm are supported by WS-SecurityPolicy:
The symmetric key signature property, [Sym Sig], specifies the algorithm for
generating a signature using a symmetric key. WS-SecurityPolicy specifies that the
HmacSha1 algorithm is always used.
The HmacSha1 algorithm is identified by the following URI:
http://www.w3.org/2000/09/xmldsig#hmac-sha1
The asymmetric key signature property, [Asym Sig], specifies the algorithm for
generating a signature using an asymmetric key. WS-SecurityPolicy specifies that the
RsaSha1 algorithm is always used.
The RsaSha1 algorithm is identified by the following URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
The digest property, [Dig], specifies the algorithm used for generating a message
digest value. WS-SecurityPolicy supports two alternative digest algorithms:
Sha1 and Sha256.
The Sha1 algorithm is identified by the following URI:
http://www.w3.org/2000/09/xmldsig#sha1
The Sha256 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#sha256
The encryption property, [Enc], specifies the algorithm used for encrypting data.
WS-SecurityPolicy supports the following encryption algorithms: Aes256,
Aes192, Aes128, TripleDes.
The Aes256 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#aes256-cbc
The Aes192 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#aes192-cbc
The Aes128 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#aes128-cbc
The TripleDes algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#tripledes-cbc
The symmetric key wrap property, [Sym KW], specifies the algorithm used for signing
and encrypting symmetric keys. WS-SecurityPolicy supports the following symmetric key wrap
algorithms: KwAes256, KwAes192, KwAes128,
KwTripleDes.
The KwAes256 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#kw-aes256
The KwAes192 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#kw-aes192
The KwAes128 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#kw-aes128
The KwTripleDes algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#tripledes-cbc
The asymmetric key wrap property, [Asym KW], specifies the algorithm used for signing
and encrypting asymmetric keys. WS-SecurityPolicy supports the following asymmetric key
wrap algorithms: KwRsaOaep, KwRsa15.
The KwRsaOaep algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
The KwRsa15 algorithm is identified by the following URI:
http://www.w3.org/2001/04/xmlenc#rsa-1_5
The computed key property, [Comp Key], specifies the algorithm used to compute a
derived key. When secure parties communicate with the aid of a shared secret key (for
example, when using WS-SecureConversation), it is recommended that a derived key is used
instead of the original shared key, in order to avoid exposing too much data for analysis
by hostile third parties. WS-SecurityPolicy specifies that the PSha1
algorithm is always used.
The PSha1 algorithm is identified by the following URI:
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1
The encryption key derivation property, [Enc KD], specifies the algorithm used to
compute a derived encryption key. WS-SecurityPolicy supports the following encryption key
derivation algorithms: PSha1L256, PSha1L192,
PSha1L128.
The PSha1 algorithm is identified by the following URI (the same
algorithm is used for PSha1L256, PSha1L192, and
PSha1L128; just the key lengths differ):
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1
The signature key derivation property, [Sig KD], specifies the algorithm used to
compute a derived signature key. WS-SecurityPolicy supports the following signature key
derivation algorithms: PSha1L192, PSha1L128.
Table 6.5 shows the minimum and maximum key lengths supported in WS-SecurityPolicy.
Table 6.5. Key Length Properties
| Property | Key Length |
|---|---|
| Minimum symmetric key length [Min SKL] | 128, 192, 256 |
| Maximum symmetric key length [Max SKL] | 256 |
| Minimum asymmetric key length [Min AKL] | 1024 |
| Maximum asymmetric key length [Max AKL] | 4096 |
The value of the minimum symmetric key length, [Min SKL], depends on which algorithm suite is selected.
| |  | |
 |
