Symmetric proof-of-possession key


Problem description

I have a Client. It calls STS using its X509 cert to authenticate, and also NegotiateServiceCredential = true. I noticed that "RequestedProofToken" is returned from STS to client in RequestSecurityTokenResponse during TLS negotiation.

Is this Proof Token the same Proof Token of the SamlSubjectConfirmation issued by STS?

Is a new different Proof Token generated for each request?

When the Client calls the RP, soap header and body are signed and encrypted using derived keys. Which key are those derived keys derived from? What algorithm is used to derive keys?

thanks,
Sue

Solution

The proof token during TLS negotiation is different from the one in the token issued from the STS.
A different proof token is generated for each request (typically by combining client and server entropies).
The derived keys algo is PSHA1.
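The two mechanisms the answer names, as an added example that is not part of the question or the answer: P_SHA1 (the RFC 2246 PRF) combining client and server entropy into the WS-Trust computed proof key, and the WS-SecureConversation DerivedKeyToken derivation that turns that one proof key into separate per-message signing and encryption keys. Function names, the 256-bit key size and the default label/offset/length are assumptions; the entropies and nonces are constructed.

```python
import hashlib
import hmac
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from RFC 2246 section 5, the PRF that WS-Trust (ComputedKey)
    and WS-SecureConversation (DerivedKeyToken) reuse for key derivation."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def computed_key(client_entropy: bytes, server_entropy: bytes, key_size_bits: int = 256) -> bytes:
    """WS-Trust ComputedKey/PSHA1: both parties compute the proof key locally when the
    RSTR carries server entropy. Client entropy is the HMAC secret, server entropy the
    seed, so swapping the roles yields a different key."""
    return p_sha1(client_entropy, server_entropy, key_size_bits // 8)


# WS-SecureConversation default label = client label + service label (assumed defaults).
DEFAULT_LABEL = b"WS-SecureConversation" + b"WS-SecureConversation"


def derived_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 32,
                label: bytes = DEFAULT_LABEL) -> bytes:
    """WS-SecureConversation DerivedKeyToken: bytes [offset, offset+length) of
    P_SHA1(secret, label + nonce). Each token carries its own nonce/offset, so the
    signing and encryption keys differ while both derive from the same proof key."""
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def per_message_keys(proof_key: bytes, sig_nonce: bytes, enc_nonce: bytes) -> dict:
    """Keys one message uses: one derived key signs the header/body, another encrypts
    them. The RP recomputes both from the shared proof key and the transmitted nonces."""
    return {"signing": derived_key(proof_key, sig_nonce),
            "encryption": derived_key(proof_key, enc_nonce)}


if __name__ == "__main__":
    # Constructed stand-ins for the entropies exchanged in the RST/RSTR.
    proof = computed_key(os.urandom(32), os.urandom(32))
    keys = per_message_keys(proof, os.urandom(16), os.urandom(16))
    print({name: k.hex() for name, k in keys.items()})
```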

