
List:       wss4j-dev
Subject:    AW: key size and algorithm choices...
From:       "Dittmann, Werner" <werner.dittmann () siemens ! com>
Date:       2005-10-18 6:19:54
Message-ID: A5B453A80186CF47BDA33BBA924EFAE90ACCFE () MCHP7I5A ! ww002 ! siemens ! net

Ron,

because you are talking about a key pair I assume you would
like to use public key encryption?

In that case the minimum key size IMHO is 512 bit strength
RSA. However, using only 512bit RSA puts constraints on the
size of data you can encrypt (max. 64 Byte). This may not be
enough to e.g. wrap a session key using RSAOAEP mode, thus I 
recommend to use 1024bit RSA. In any case, using public key
algorithms adds time, as security does in general.

Regards,
Werner

> -----Original Message-----
> From: Ron Reynolds [mailto:Ron@RonReynolds.com]
> Sent: Tuesday, October 18, 2005 02:12
> To: wss4j-dev@ws.apache.org
> Subject: key size and algorithm choices...
> 
> 
> (repost from axis-users@ per dims' suggestion)
> 
> i'm working on adding signatures to my ws requests and want 
> to issue a unique key pair to each
> approved client application.  since i want the overhead of 
> security to be insignificant compared
> to the overhead of the requested method (i.e., i don't want 
> the addition of security to be a
> serious performance hit compared to the system without 
> security) is there an accepted
> algorithm/key-size pair that works well?  this is (currently) 
> an in-house app to a resource
> management system so i'm not too worried about the fictitious 
> "black-hat" with a Cray and
> 75 years to try to crack the message - in fact i could 
> probably get by with an MD5 xor with the
> client's id to do the trick, but i would like to leverage 
> what basic security xml-sig gives
> to give some assurance to my bosses that not just anybody can 
> send messages to the service.
> 
> options/experiences folks have had with finding the 
> equilibrium point between security and
> performance with ws-security would be greatly appreciated. :)
> 
> oh, while on the topic of ws security - in this case the 
> client application is acting on the
> part of a user and my thought was to pass all 3 pieces of 
> info (user's staff-id, client's
> app-id, and client's message-sig value) as headers (i.e., not 
> have to declare them as part
> of the WS interface).  has anyone done this with wss4j?  if 
> so could you send a sample of your
> server- and client-config.wsdd files?  i'm not sure if i need 
> 2 WSDoAllSenders or 3 - ditto
> with the WSDoAllReceivers.  and i'm sure i'll have questions 
> when i get to working out the
> crypto.properties files but that's for a later email. :)  
> also are there any good sites out
> there other than the deployment tutorial and deployment 
> examples on using wss4j?
> 
> thanks. :)
> .............ron.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: wss4j-dev-help@ws.apache.org
> 
> 

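The size limit raised in the reply, as an added example that is not part of the original thread: RSA-OAEP accepts at most k - 2*hLen - 2 bytes (k = modulus size in bytes, hLen = hash output size), and the code below tries to wrap session keys under 512-bit and 1024-bit RSA keys with the standard JCE API. The class name, the AES session-key sizes and the SHA-1 OAEP parameters are assumptions made for the illustration.

```java
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.spec.SecretKeySpec;

public class OaepWrapLimit {
    static final String OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    static final int H_LEN = 20; // SHA-1 output size in bytes

    // RSAES-OAEP accepts at most k - 2*hLen - 2 bytes, k = modulus size in bytes.
    static int maxOaepPayload(int modulusBits) {
        return (modulusBits + 7) / 8 - 2 * H_LEN - 2;
    }

    // Returns true if the provider wraps a session key of this size under rsa.
    static boolean canWrap(KeyPair rsa, int sessionKeyBytes) throws Exception {
        // Constructed all-zero key material: only its length matters here.
        SecretKeySpec session = new SecretKeySpec(new byte[sessionKeyBytes], "AES");
        Cipher cipher = Cipher.getInstance(OAEP);
        cipher.init(Cipher.WRAP_MODE, rsa.getPublic());
        try {
            cipher.wrap(session);
            return true;
        } catch (InvalidKeyException | IllegalBlockSizeException tooLong) {
            return false; // key does not fit into one OAEP block
        }
    }

    public static void main(String[] args) throws Exception {
        int[] rsaBits = {512, 1024};          // sizes discussed in the thread
        int[] sessionKeyBytes = {16, 24, 32}; // assumed AES-128/192/256 keys
        for (int bits : rsaBits) {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(bits);
            KeyPair rsa = gen.generateKeyPair();
            System.out.printf("RSA-%d: raw block %d bytes, OAEP payload limit %d bytes%n",
                    bits, bits / 8, maxOaepPayload(bits));
            for (int len : sessionKeyBytes) {
                System.out.printf("  wrap %d-byte session key: %s%n",
                        len, canWrap(rsa, len) ? "ok" : "too long");
            }
        }
    }
}
```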