<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Nonce</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="wssecnonce"></a>Nonce</h6>
<p>A <strong>nonce</strong> is a randomly generated cryptographic token that is used to thwart the hijacking of username tokens carried in SOAP messages. Nonces are used in conjunction with the BasicAuth authentication method for WebSphere Application Server - Express Web services.</p>
<p>Without nonces, when a username token is passed from one machine to another over a non-secure transport, such as HTTP, the token can be intercepted and used in a replay attack. The same key may be reused each time the username token is transmitted between the client and the server, which leaves it vulnerable to attack. The username token can be hijacked even if you use XML digital signature and XML encryption.</p>
<p>To help eliminate these replay attacks, the &lt;wsse:Nonce&gt; and &lt;wsu:Created&gt; elements are generated within the &lt;wsse:UsernameToken&gt; element and are used to validate the message. The request receiver or response receiver checks the freshness of the message to verify that the difference between when the message was created and the current time falls within a specified time period. WebSphere Application Server - Express also verifies that the receiver has not already processed the same token within that time period. Together, these two checks lessen the chance that a username token can be used in a replay attack.</p>
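<p>The receiver-side freshness and uniqueness checks described above, as an added Python example that is not part of the WebSphere documentation or product code. It assumes a hypothetical <code>ReplayChecker</code> with a five-minute window and a one-minute clock-skew allowance, and it parses a constructed sample token rather than a real capture.</p>

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs of the WS-Security UsernameToken profile (wsse / wsu prefixes).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample token (not captured from any real system); the nonce value is made up.
SAMPLE_TOKEN = f"""<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsse:Username>alice</wsse:Username>
  <wsse:Nonce>MTIzNDU2Nzg5MGFiY2RlZg==</wsse:Nonce>
  <wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
</wsse:UsernameToken>
"""

def parse_utc(text):
    """Parse an xsd:dateTime such as 2024-05-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(text.rstrip("Z")).replace(tzinfo=timezone.utc)

class ReplayChecker:
    """Hypothetical receiver-side check: Created must be fresh and Nonce unseen in the window."""

    def __init__(self, max_age=timedelta(minutes=5), clock_skew=timedelta(minutes=1)):
        self.max_age = max_age        # the "specified time period" from the text
        self.clock_skew = clock_skew  # tolerance for a sender clock running slightly ahead
        self.seen = {}                # nonce -> Created time, retained for one window

    def check(self, token_xml, now):
        root = ET.fromstring(token_xml)
        nonce = root.findtext(f"{{{WSSE}}}Nonce")
        created_txt = root.findtext(f"{{{WSU}}}Created")
        if not nonce or not created_txt:
            return "reject: missing Nonce or Created"
        created = parse_utc(created_txt)
        # Freshness: Created may be at most max_age in the past and at most clock_skew ahead.
        if not (now - self.max_age <= created <= now + self.clock_skew):
            return "reject: Created outside freshness window"
        # Uniqueness: drop cache entries that have aged out, then refuse a nonce seen before.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_age}
        if nonce in self.seen:
            return "reject: nonce already seen (replay)"
        self.seen[nonce] = created
        return "accept"

def run_scenario():
    # First use is accepted, an identical resend is a replay, a ten-minute-old token is stale.
    checker = ReplayChecker()
    first = checker.check(SAMPLE_TOKEN, parse_utc("2024-05-01T12:00:30Z"))
    resend = checker.check(SAMPLE_TOKEN, parse_utc("2024-05-01T12:00:40Z"))
    stale = ReplayChecker().check(SAMPLE_TOKEN, parse_utc("2024-05-01T12:10:00Z"))
    return first, resend, stale
```

The nonce cache only needs to remember values for as long as the freshness window, since anything older is already rejected by the Created check.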
</body>
</html>