Hi
 Read the description again; this is what it says:

    signed using the symmetric key, then encrypted using the service's public
key, so at the server end the only way to verify is now to decrypt the message
using the service's private key and validate the signature with the symmetric
key.

  Now validating integrity: the symmetric key is shared only between the two
agreed parties, so they store the symmetric keys in their respective key
stores, and there is almost no chance that an intruder can stand in between
and generate a new symmetric key, because the symmetric key is an agreement
between client and service; even if someone generates a new symmetric key,
they should inform the service beforehand (and normally services won't store
symmetric keys randomly unless verified and authenticated).

Cheers,
Dushan

On Wed, Sep 24, 2014 at 1:21 PM, Lahiru Chandima <[email protected]> wrote:

> Hi All,
>
> Following is the diagram given by ESB about how it provides integrity for
> a service. (Securing a service using basic scenario No. 3)
>
> [image: Inline image 1]
>
>
> According to the diagram, the client uses a generated symmetric key to sign
> the message, encrypts the used key using the server's public key and sends
> it along with the message.
>
> But I cannot understand how this provides integrity. As I see it, someone
> can intercept the message sent by the client, alter the message, generate a
> new symmetric key, sign the altered message using this key, encrypt the key
> using the server's public key and send it along with the message without a
> problem. Since the original message is now altered, there's no integrity.
>
> Can somebody please explain what I have gotten wrong?
>
> Thanks
>
> --
> Lahiru Chandima
> *Senior Software Engineer*
> Mobile : +94 (0) 772 253283
> [email protected]
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Dushan Abeyruwan | Associate Tech Lead
Integration Technologies Team
PMC Member, Apache Synapse
WSO2 Inc. http://wso2.com/
Blog: http://dushansview.blogspot.com/
Mobile: (0094)713942042
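Both messages above describe the same exchange. The Python below is added here as an illustration; it is not code from the thread or from WSO2 ESB. It runs the scenario end to end: the client signs the message with a fresh symmetric key and encrypts that key to the server's public key, the server decrypts the key with its private key and checks the signature. It then runs both the interception Lahiru describes (attacker drops the packet, makes a new key, signs an altered message) and the key-store check Dushan describes (server only accepts keys already agreed with the client). Everything in it is an assumption made for the illustration: HMAC-SHA256 as the signature, a 16-byte key, and textbook RSA with small unpadded toy primes standing in for the ESB's actual XML encryption, so none of it is usable as real crypto.

```python
"""Model of the 'sign with a fresh symmetric key, encrypt that key to the
server's public key' exchange.  Constructed example: HMAC-SHA256 stands in
for the XML signature, unpadded small-prime RSA for the XML encryption."""
import hashlib
import hmac
import math
import os
import random

KEY_LEN = 16  # assumed symmetric key size in bytes


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=80):
    """Toy RSA pair (n, e), (n, d); n > 2**128 so a 16-byte key fits."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def client_send(server_pub, msg, key=None):
    """Client: generate (or reuse) a symmetric key, HMAC the message with it,
    encrypt the key to the server's public key, send all three."""
    key = key or os.urandom(KEY_LEN)
    n, e = server_pub
    return {
        "msg": msg,
        "tag": hmac.new(key, msg, hashlib.sha256).digest(),
        "enc_key": pow(int.from_bytes(key, "big"), e, n),
    }


def attacker_tamper(server_pub, packet, new_msg):
    """Man in the middle as described in the question: discard the client's
    packet, sign an altered message with a fresh key, encrypt that key."""
    return client_send(server_pub, new_msg)  # original packet is dropped


def server_verify(server_priv, packet, trusted_keys=None):
    """Server: recover the key with the private key, then check the HMAC.
    trusted_keys models a key store of pre-agreed keys: when given, a key
    that is not already in it is rejected before the signature is checked."""
    n, d = server_priv
    key_int = pow(packet["enc_key"], d, n)
    if key_int >= 1 << (8 * KEY_LEN):
        return False  # did not decrypt to a key-sized value
    key = key_int.to_bytes(KEY_LEN, "big")
    if trusted_keys is not None and key not in trusted_keys:
        return False
    expected = hmac.new(key, packet["msg"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, packet["tag"])


def demo():
    pub, priv = rsa_keygen()
    client_key = os.urandom(KEY_LEN)
    genuine = client_send(pub, b"transfer 10 to alice", client_key)
    forged = attacker_tamper(pub, genuine, b"transfer 1000 to mallory")
    return {
        "genuine, any key accepted": server_verify(priv, genuine),
        "forged, any key accepted": server_verify(priv, forged),
        "genuine, key store check": server_verify(priv, genuine, {client_key}),
        "forged, key store check": server_verify(priv, forged, {client_key}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Running it prints which packets each server policy accepts: with no key store the forged packet verifies, because its key decrypts fine and its HMAC matches the altered message; with the key store the same packet is rejected because the decrypted key is not one the server already holds.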