Good explanation Chamila. Thanks. I guess its better if this was mentioned in the above diagram so anyone can understand how this actually provides security. At least it can be mentioned that there is a handshaking mechanism between client and the server to share a secret symmetric key, prior to sending any payload message. (or is this a step that is *implied *and I am so ignorant that I didn't know that?)
On Tue, Sep 30, 2014 at 9:04 AM, Chamila De Alwis <[email protected]> wrote: > The symmetric key is shared between the trusted parties using the > asymmetric key. The encryption is done with the recipient’s public key, so > it is not possible for someone in the middle to decrypt the symmetric key > information without the server's private key. The server's private key > should be secure of course, that is a key agreement. > > Only when the symmetric key is agreed upon, the payload starts to be > transferred. This sequence can be observed with WireShark (or Charles Proxy > if you want to decrypt the PKI encrypted data) during a SSL handshake. > > > Regards, > Chamila de Alwis > Software Engineer | WSO2 | +94772207163 > Blog: code.chamiladealwis.com > > > > On Tue, Sep 30, 2014 at 8:28 AM, Lahiru Chandima <[email protected]> wrote: > >> Hi Dushan, >> >> I thought the symmetric key used by client is not a pre shared key >> because description says "using a symmetric key *derived by client*", >> which implies that the key is generated at the time the client needs to >> send the message to the server. If the symmetric key is pre shared as you >> describe, there's no problem. >> >> Thanks >> >> On Sat, Sep 27, 2014 at 8:23 AM, Dushan Abeyruwan <[email protected]> >> wrote: >> >>> Hi >>> Read description of again, >>> what it says >>> >>> signed using symmetric key then encrypt using service public key, >>> so server end only way to verify now decrypt message using service private >>> key, and validate signature with symmetric key. >>> >>> Now validating integrity : symmetric key is shared only between to >>> agreed parties, so they store symmetric keys in their respective key >>> stores, and there is almost no chance that intruder can stand in between >>> and generate new symmetric key because, symmetric key is a agreement >>> between client and service, even if some one generate new symmetric key >>> should inform service beforehand (and normally services wont store >>> symmetric keys randomly unless verified and authenticated). >>> >>> Cheers, >>> Dushan >>> >>> On Wed, Sep 24, 2014 at 1:21 PM, Lahiru Chandima <[email protected]> >>> wrote: >>> >>>> Hi All, >>>> >>>> Following is the diagram given by ESB about how it provides integrity >>>> for a service. (Securing a service using basic scenario No. 3) >>>> >>>> [image: Inline image 1] >>>> >>>> >>>> According to the diagram, client uses a generated symmetric key to sign >>>> the message, encrypts the used key using server's public key and sends >>>> along with the message. >>>> >>>> But, I cannot understand how this provides integrity. As I see, someone >>>> can intercept the message sent by the client, alter the message, generate a >>>> new symmetric key, sign the altered message using this key, encrypt the key >>>> using server's public key and send along with the message without a >>>> problem. Since the original message is now altered, there's no integrity. >>>> >>>> Can somebody please explain what I have gotten wrong? >>>> >>>> Thanks >>>> >>>> -- >>>> Lahiru Chandima >>>> *Senior Software Engineer* >>>> Mobile : +94 (0) 772 253283 >>>> [email protected] >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> [email protected] >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> >>> >>> -- >>> Dushan Abeyruwan | Associate Tech Lead >>> Integration Technologies Team >>> PMC Member Apache Synpase >>> WSO2 Inc. http://wso2.com/ >>> Blog:http://dushansview.blogspot.com/ >>> Mobile:(0094)713942042 >>> >>> >> >> >> -- >> Lahiru Chandima >> *Senior Software Engineer* >> Mobile : +94 (0) 772 253283 >> [email protected] >> >> _______________________________________________ >> Dev mailing list >> [email protected] >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > -- Lahiru Chandima *Senior Software Engineer* Mobile : +94 (0) 772 253283 [email protected]
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
