The symmetric key is shared between the trusted parties using the asymmetric key. The encryption is done with the recipient’s public key, so it is not possible for someone in the middle to decrypt the symmetric key information without the server's private key. The server's private key should be secure of course, that is a key agreement.
Only when the symmetric key is agreed upon, the payload starts to be transferred. This sequence can be observed with WireShark (or Charles Proxy if you want to decrypt the PKI encrypted data) during a SSL handshake. Regards, Chamila de Alwis Software Engineer | WSO2 | +94772207163 Blog: code.chamiladealwis.com On Tue, Sep 30, 2014 at 8:28 AM, Lahiru Chandima <[email protected]> wrote: > Hi Dushan, > > I thought the symmetric key used by client is not a pre shared key because > description says "using a symmetric key *derived by client*", which > implies that the key is generated at the time the client needs to send the > message to the server. If the symmetric key is pre shared as you describe, > there's no problem. > > Thanks > > On Sat, Sep 27, 2014 at 8:23 AM, Dushan Abeyruwan <[email protected]> wrote: > >> Hi >> Read description of again, >> what it says >> >> signed using symmetric key then encrypt using service public key, so >> server end only way to verify now decrypt message using service private >> key, and validate signature with symmetric key. >> >> Now validating integrity : symmetric key is shared only between to >> agreed parties, so they store symmetric keys in their respective key >> stores, and there is almost no chance that intruder can stand in between >> and generate new symmetric key because, symmetric key is a agreement >> between client and service, even if some one generate new symmetric key >> should inform service beforehand (and normally services wont store >> symmetric keys randomly unless verified and authenticated). >> >> Cheers, >> Dushan >> >> On Wed, Sep 24, 2014 at 1:21 PM, Lahiru Chandima <[email protected]> >> wrote: >> >>> Hi All, >>> >>> Following is the diagram given by ESB about how it provides integrity >>> for a service. (Securing a service using basic scenario No. 3) >>> >>> [image: Inline image 1] >>> >>> >>> According to the diagram, client uses a generated symmetric key to sign >>> the message, encrypts the used key using server's public key and sends >>> along with the message. >>> >>> But, I cannot understand how this provides integrity. As I see, someone >>> can intercept the message sent by the client, alter the message, generate a >>> new symmetric key, sign the altered message using this key, encrypt the key >>> using server's public key and send along with the message without a >>> problem. Since the original message is now altered, there's no integrity. >>> >>> Can somebody please explain what I have gotten wrong? >>> >>> Thanks >>> >>> -- >>> Lahiru Chandima >>> *Senior Software Engineer* >>> Mobile : +94 (0) 772 253283 >>> [email protected] >>> >>> _______________________________________________ >>> Dev mailing list >>> [email protected] >>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>> >>> >> >> >> -- >> Dushan Abeyruwan | Associate Tech Lead >> Integration Technologies Team >> PMC Member Apache Synpase >> WSO2 Inc. http://wso2.com/ >> Blog:http://dushansview.blogspot.com/ >> Mobile:(0094)713942042 >> >> > > > -- > Lahiru Chandima > *Senior Software Engineer* > Mobile : +94 (0) 772 253283 > [email protected] > > _______________________________________________ > Dev mailing list > [email protected] > http://wso2.org/cgi-bin/mailman/listinfo/dev > >
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
