An algorithm suite is a coherent collection of cryptographic algorithms for performing operations such as signing, encryption, generating message digests, and so on.

For reference purposes, this section describes the algorithm suites defined by the
WS-SecurityPolicy specification. Whether or not a particular algorithm suite is available,
however, depends on the underlying security provider. Fuse Services Framework security is based on the
pluggable Java Cryptography Extension (JCE) and Java Secure Socket Extension (JSSE)
layers. By default, Fuse Services Framework is configured with Sun's JSSE provider, which supports the
cipher suites described in Appendix A of Sun's *JSSE Reference Guide*.

The `AlgorithmSuite` element has the following syntax:

```
<sp:AlgorithmSuite xmlns:sp="..." ... >
  <wsp:Policy xmlns:wsp="...">
    (<sp:Basic256 ... /> |
     <sp:Basic192 ... /> |
     <sp:Basic128 ... /> |
     <sp:TripleDes ... /> |
     <sp:Basic256Rsa15 ... /> |
     <sp:Basic192Rsa15 ... /> |
     <sp:Basic128Rsa15 ... /> |
     <sp:TripleDesRsa15 ... /> |
     <sp:Basic256Sha256 ... /> |
     <sp:Basic192Sha256 ... /> |
     <sp:Basic128Sha256 ... /> |
     <sp:TripleDesSha256 ... /> |
     <sp:Basic256Sha256Rsa15 ... /> |
     <sp:Basic192Sha256Rsa15 ... /> |
     <sp:Basic128Sha256Rsa15 ... /> |
     <sp:TripleDesSha256Rsa15 ... /> |
     ...)
    <sp:InclusiveC14N ... /> ?
    <sp:SOAPNormalization10 ... /> ?
    <sp:STRTransform10 ... /> ?
    (<sp:XPath10 ... /> |
     <sp:XPathFilter20 ... /> |
     <sp:AbsXPath ... /> |
     ...)?
    ...
  </wsp:Policy>
  ...
</sp:AlgorithmSuite>
```

The algorithm suite assertion supports a large number of alternative algorithms (for example, `Basic256`). For a detailed description of the algorithm suite alternatives, see Table 6.

Table 6 provides a summary of the algorithm suites supported by WS-SecurityPolicy. The column headings refer to different types of cryptographic algorithm, as follows: [Dig] is the digest algorithm; [Enc] is the encryption algorithm; [Sym KW] is the symmetric key-wrap algorithm; [Asym KW] is the asymmetric key-wrap algorithm; [Enc KD] is the encryption key derivation algorithm; [Sig KD] is the signature key derivation algorithm.

**Table 6. Algorithm Suites**

Algorithm Suite | [Dig] | [Enc] | [Sym KW] | [Asym KW] | [Enc KD] | [Sig KD] |
---|---|---|---|---|---|---|
`Basic256` | `Sha1` | `Aes256` | `KwAes256` | `KwRsaOaep` | `PSha1L256` | `PSha1L192` |
`Basic192` | `Sha1` | `Aes192` | `KwAes192` | `KwRsaOaep` | `PSha1L192` | `PSha1L192` |
`Basic128` | `Sha1` | `Aes128` | `KwAes128` | `KwRsaOaep` | `PSha1L128` | `PSha1L128` |
`TripleDes` | `Sha1` | `TripleDes` | `KwTripleDes` | `KwRsaOaep` | `PSha1L192` | `PSha1L192` |
`Basic256Rsa15` | `Sha1` | `Aes256` | `KwAes256` | `KwRsa15` | `PSha1L256` | `PSha1L192` |
`Basic192Rsa15` | `Sha1` | `Aes192` | `KwAes192` | `KwRsa15` | `PSha1L192` | `PSha1L192` |
`Basic128Rsa15` | `Sha1` | `Aes128` | `KwAes128` | `KwRsa15` | `PSha1L128` | `PSha1L128` |
`TripleDesRsa15` | `Sha1` | `TripleDes` | `KwTripleDes` | `KwRsa15` | `PSha1L192` | `PSha1L192` |
`Basic256Sha256` | `Sha256` | `Aes256` | `KwAes256` | `KwRsaOaep` | `PSha1L256` | `PSha1L192` |
`Basic192Sha256` | `Sha256` | `Aes192` | `KwAes192` | `KwRsaOaep` | `PSha1L192` | `PSha1L192` |
`Basic128Sha256` | `Sha256` | `Aes128` | `KwAes128` | `KwRsaOaep` | `PSha1L128` | `PSha1L128` |
`TripleDesSha256` | `Sha256` | `TripleDes` | `KwTripleDes` | `KwRsaOaep` | `PSha1L192` | `PSha1L192` |
`Basic256Sha256Rsa15` | `Sha256` | `Aes256` | `KwAes256` | `KwRsa15` | `PSha1L256` | `PSha1L192` |
`Basic192Sha256Rsa15` | `Sha256` | `Aes192` | `KwAes192` | `KwRsa15` | `PSha1L192` | `PSha1L192` |
`Basic128Sha256Rsa15` | `Sha256` | `Aes128` | `KwAes128` | `KwRsa15` | `PSha1L128` | `PSha1L128` |
`TripleDesSha256Rsa15` | `Sha256` | `TripleDes` | `KwTripleDes` | `KwRsa15` | `PSha1L192` | `PSha1L192` |
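
The following added example (not part of the original guide or of Fuse Services Framework) resolves the suite named in a policy's `AlgorithmSuite` assertion to its Table 6 components and reports those that appear in a deny-list. It goes slightly beyond the table by encoding the naming rule the 16 rows follow (base, optional `Sha256`, optional `Rsa15`); the function names, the deny-list and the placeholder namespace URIs are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Per-base columns of Table 6: ([Enc], [Sym KW], [Enc KD], [Sig KD]).
BASES = {
    "Basic256": ("Aes256", "KwAes256", "PSha1L256", "PSha1L192"),
    "Basic192": ("Aes192", "KwAes192", "PSha1L192", "PSha1L192"),
    "Basic128": ("Aes128", "KwAes128", "PSha1L128", "PSha1L128"),
    "TripleDes": ("TripleDes", "KwTripleDes", "PSha1L192", "PSha1L192"),
}
SUITE_RE = re.compile(r"(Basic256|Basic192|Basic128|TripleDes)(Sha256)?(Rsa15)?")

def expand_suite(name):
    """Return the Table 6 row for a suite name, or None if it is not a suite."""
    m = SUITE_RE.fullmatch(name)
    if m is None:
        return None
    enc, sym_kw, enc_kd, sig_kd = BASES[m.group(1)]
    return {
        "Dig": "Sha256" if m.group(2) else "Sha1",
        "Enc": enc, "Sym KW": sym_kw,
        "Asym KW": "KwRsa15" if m.group(3) else "KwRsaOaep",
        "Enc KD": enc_kd, "Sig KD": sig_kd,
        "Sym Sig": "HmacSha1", "Asym Sig": "RsaSha1",  # fixed for every suite
    }

def local(tag):  # strip the '{namespace}' prefix ElementTree adds to tags
    return tag.rsplit("}", 1)[-1]

def audit_policy(xml_text, denied):
    """List (suite, denied components) for each suite under AlgorithmSuite."""
    findings = []
    for suite_el in ET.fromstring(xml_text).iter():
        if local(suite_el.tag) != "AlgorithmSuite":
            continue
        for policy in (p for p in suite_el if local(p.tag) == "Policy"):
            for child in policy:
                row = expand_suite(local(child.tag))
                if row is not None:  # skips InclusiveC14N, XPath10, ...
                    hits = sorted(f"{k}={v}" for k, v in row.items() if v in denied)
                    findings.append((local(child.tag), hits))
    return findings

# Constructed sample; namespace URIs are placeholders (the page elides them).
SAMPLE = """<wsp:Policy xmlns:wsp="urn:example:wsp" xmlns:sp="urn:example:sp">
<sp:AlgorithmSuite><wsp:Policy><sp:Basic128Rsa15/><sp:InclusiveC14N/></wsp:Policy>
</sp:AlgorithmSuite></wsp:Policy>"""
DENIED = {"Sha1", "KwRsa15", "TripleDes", "KwTripleDes"}  # example local policy
print(audit_policy(SAMPLE, DENIED))
```

Because elements are matched on their local names, the same check applies whichever WS-SecurityPolicy namespace version a policy file declares.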

The following types of cryptographic algorithm are supported by WS-SecurityPolicy:

The symmetric key signature property, [Sym Sig], specifies the algorithm for generating a signature using a symmetric key. WS-SecurityPolicy specifies that the `HmacSha1` algorithm is always used.

The `HmacSha1` algorithm is identified by the following URI:

http://www.w3.org/2000/09/xmldsig#hmac-sha1

The asymmetric key signature property, [Asym Sig], specifies the algorithm for generating a signature using an asymmetric key. WS-SecurityPolicy specifies that the `RsaSha1` algorithm is always used.

The `RsaSha1` algorithm is identified by the following URI:

http://www.w3.org/2000/09/xmldsig#rsa-sha1

The digest property, [Dig], specifies the algorithm used for generating a message digest value. WS-SecurityPolicy supports two alternative digest algorithms: `Sha1` and `Sha256`.

The `Sha1` algorithm is identified by the following URI:

http://www.w3.org/2000/09/xmldsig#sha1

The `Sha256` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#sha256

The encryption property, [Enc], specifies the algorithm used for encrypting data. WS-SecurityPolicy supports the following encryption algorithms: `Aes256`, `Aes192`, `Aes128`, `TripleDes`.

The `Aes256` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#aes256-cbc

The `Aes192` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#aes192-cbc

The `Aes128` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#aes128-cbc

The `TripleDes` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#tripledes-cbc

The symmetric key wrap property, [Sym KW], specifies the algorithm used for signing and encrypting symmetric keys. WS-SecurityPolicy supports the following symmetric key wrap algorithms: `KwAes256`, `KwAes192`, `KwAes128`, `KwTripleDes`.

The `KwAes256` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#kw-aes256

The `KwAes192` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#kw-aes192

The `KwAes128` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#kw-aes128

The `KwTripleDes` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#tripledes-cbc

The asymmetric key wrap property, [Asym KW], specifies the algorithm used for signing and encrypting asymmetric keys. WS-SecurityPolicy supports the following asymmetric key wrap algorithms: `KwRsaOaep`, `KwRsa15`.

The `KwRsaOaep` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p

The `KwRsa15` algorithm is identified by the following URI:

http://www.w3.org/2001/04/xmlenc#rsa-1_5

The computed key property, [Comp Key], specifies the algorithm used to compute a derived key. When secure parties communicate with the aid of a shared secret key (for example, when using WS-SecureConversation), it is recommended that a derived key is used instead of the original shared key, in order to avoid exposing too much data for analysis by hostile third parties. WS-SecurityPolicy specifies that the `PSha1` algorithm is always used.

The `PSha1` algorithm is identified by the following URI:

http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1

The encryption key derivation property, [Enc KD], specifies the algorithm used to compute a derived encryption key. WS-SecurityPolicy supports the following encryption key derivation algorithms: `PSha1L256`, `PSha1L192`, `PSha1L128`.

The `PSha1` algorithm is identified by the following URI (the same algorithm is used for `PSha1L256`, `PSha1L192`, and `PSha1L128`; just the key lengths differ):

http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1

The signature key derivation property, [Sig KD], specifies the algorithm used to compute a derived signature key. WS-SecurityPolicy supports the following signature key derivation algorithms: `PSha1L192`, `PSha1L128`.
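
To make the "same algorithm, different key length" point concrete, here is an added sketch (not code from the original guide or from the product) of the P_SHA-1 expansion, which is the HMAC-SHA1 `P_hash` construction from TLS 1.0 (RFC 2246) reused by WS-SecureConversation with a seed of label plus nonce. The function names, the sample secret and nonce, and the use of the WS-SecureConversation default label are assumptions made for illustration.

```python
import hashlib
import hmac

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash with HMAC-SHA1: A(0)=seed, A(i)=HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

# Key lengths in bytes implied by the [Enc KD] / [Sig KD] property names.
KD_LENGTHS = {"PSha1L128": 16, "PSha1L192": 24, "PSha1L256": 32}

# Default label from the WS-SecureConversation specification (not from this page).
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

def derive_key(kd_name, secret, nonce, label=DEFAULT_LABEL, offset=0):
    """Derive the key for one PSha1L* property from a shared secret."""
    length = KD_LENGTHS[kd_name]
    return p_sha1(secret, label + nonce, offset + length)[offset:]

if __name__ == "__main__":
    secret = bytes(range(32))        # constructed sample shared secret
    nonce = b"constructed-nonce-01"  # constructed sample nonce
    for name in ("PSha1L128", "PSha1L192", "PSha1L256"):
        print(name, derive_key(name, secret, nonce).hex())
```

With identical secret, label, nonce and offset, the shorter keys are prefixes of the longer one, so a suite such as `Basic256` (`PSha1L256` for encryption, `PSha1L192` for signing) only yields independent keys when the two derivations use different nonces or offsets.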

Table 7 shows the minimum and maximum key lengths supported in WS-SecurityPolicy.

**Table 7. Key Length Properties**

Property | Key Length |
---|---|
Minimum symmetric key length [Min SKL] | 128, 192, 256 |
Maximum symmetric key length [Max SKL] | 256 |
Minimum asymmetric key length [Min AKL] | 1024 |
Maximum asymmetric key length [Max AKL] | 4096 |

The value of the minimum symmetric key length, [Min SKL], depends on which algorithm suite is selected.