Hi Lahiru,

When it comes to public key and private key cryptography, it is asymmetric key cryptography. After the client encrypts a symmetric key, if it was intercepted by a third party there is no way to decrypt it without the server's public key and hence the content cannot be accessed and altered in any way. I believed this is where the security is provided so that the integrity of the message is protected. The symmetric key is not shared by a handshake, as I understand from the diagram; it is shared with the message, protected by asymmetric key cryptography.

On Tue, Sep 30, 2014 at 9:22 AM, Lahiru Chandima <[email protected]> wrote:

> Good explanation Chamila. Thanks.
>
> I guess it's better if this was mentioned in the above diagram so anyone
> can understand how this actually provides security. At least it can be
> mentioned that there is a handshaking mechanism between client and the
> server to share a secret symmetric key, prior to sending any payload
> message. (or is this a step that is *implied* and I am so ignorant that I
> didn't know that?)
>
> On Tue, Sep 30, 2014 at 9:04 AM, Chamila De Alwis <[email protected]>
> wrote:
>
>> The symmetric key is shared between the trusted parties using the
>> asymmetric key. The encryption is done with the recipient's public key, so
>> it is not possible for someone in the middle to decrypt the symmetric key
>> information without the server's private key. The server's private key
>> should be secure of course, that is a key agreement.
>>
>> Only when the symmetric key is agreed upon, the payload starts to be
>> transferred. This sequence can be observed with Wireshark (or Charles Proxy
>> if you want to decrypt the PKI encrypted data) during an SSL handshake.
>>
>> Regards,
>> Chamila de Alwis
>> Software Engineer | WSO2 | +94772207163
>> Blog: code.chamiladealwis.com
>>
>> On Tue, Sep 30, 2014 at 8:28 AM, Lahiru Chandima <[email protected]>
>> wrote:
>>
>>> Hi Dushan,
>>>
>>> I thought the symmetric key used by client is not a pre shared key
>>> because description says "using a symmetric key *derived by client*",
>>> which implies that the key is generated at the time the client needs to
>>> send the message to the server. If the symmetric key is pre shared as you
>>> describe, there's no problem.
>>>
>>> Thanks
>>>
>>> On Sat, Sep 27, 2014 at 8:23 AM, Dushan Abeyruwan <[email protected]>
>>> wrote:
>>>
>>>> Hi
>>>> Read description of again,
>>>> what it says
>>>>
>>>> signed using symmetric key then encrypt using service public key,
>>>> so server end only way to verify now decrypt message using service private
>>>> key, and validate signature with symmetric key.
>>>>
>>>> Now validating integrity: symmetric key is shared only between two
>>>> agreed parties, so they store symmetric keys in their respective key
>>>> stores, and there is almost no chance that intruder can stand in between
>>>> and generate new symmetric key because, symmetric key is an agreement
>>>> between client and service, even if someone generate new symmetric key
>>>> should inform service beforehand (and normally services won't store
>>>> symmetric keys randomly unless verified and authenticated).
>>>>
>>>> Cheers,
>>>> Dushan
>>>>
>>>> On Wed, Sep 24, 2014 at 1:21 PM, Lahiru Chandima <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Following is the diagram given by ESB about how it provides integrity
>>>>> for a service. (Securing a service using basic scenario No. 3)
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> According to the diagram, client uses a generated symmetric key to
>>>>> sign the message, encrypts the used key using server's public key and
>>>>> sends along with the message.
>>>>>
>>>>> But, I cannot understand how this provides integrity. As I see,
>>>>> someone can intercept the message sent by the client, alter the message,
>>>>> generate a new symmetric key, sign the altered message using this key,
>>>>> encrypt the key using server's public key and send along with the message
>>>>> without a problem. Since the original message is now altered, there's no
>>>>> integrity.
>>>>>
>>>>> Can somebody please explain what I have gotten wrong?
>>>>>
>>>>> Thanks
>>>>>
>>>>> --
>>>>> Lahiru Chandima
>>>>> *Senior Software Engineer*
>>>>> Mobile : +94 (0) 772 253283
>>>>> [email protected]
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>> --
>>>> Dushan Abeyruwan | Associate Tech Lead
>>>> Integration Technologies Team
>>>> PMC Member Apache Synapse
>>>> WSO2 Inc. http://wso2.com/
>>>> Blog: http://dushansview.blogspot.com/
>>>> Mobile: (0094)713942042

--
*Darshana Akalanka Pagoda Arachchi,*
*Software Engineer*
*078-4721791*
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
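
The two variants discussed in this thread, as an added example that is not part of any poster's message and is not WSO2 ESB code: it models what the server's check accepts when the signing key travels wrapped under the server's public key, and what it accepts when the key is pre-shared in the server's key store. Toy unpadded RSA over constructed primes stands in for the server's key pair, and every function name and message body is hypothetical.

```python
import hashlib, hmac, secrets

# Toy textbook RSA (no padding) standing in for the server's key pair.
# Constructed for illustration only; never use unpadded RSA or these primes.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # server's private exponent

def wrap_key(key: bytes) -> int:
    """Encrypt a 32-byte symmetric key under the server's PUBLIC key (N, E)."""
    return pow(int.from_bytes(key, "big"), E, N)

def unwrap_key(wrapped: int) -> bytes:
    """Server side: recover the symmetric key with the PRIVATE exponent."""
    return pow(wrapped, D, N).to_bytes(32, "big")

def sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def send_with_generated_key(body: bytes) -> dict:
    """Diagram scenario: the sender generates the key and ships it wrapped."""
    key = secrets.token_bytes(32)
    return {"body": body, "sig": sign(key, body), "wrapped": wrap_key(key)}

def verify_generated(msg: dict) -> bool:
    """Server check when it trusts whatever key arrives in the envelope."""
    key = unwrap_key(msg["wrapped"])
    return hmac.compare_digest(sign(key, msg["body"]), msg["sig"])

def verify_preshared(msg: dict, stored_key: bytes) -> bool:
    """Server check when it trusts only the key held in its key store."""
    return hmac.compare_digest(sign(stored_key, msg["body"]), msg["sig"])

def demo() -> dict:
    body, other = b"amount=10", b"amount=9999"    # constructed sample bodies
    original = send_with_generated_key(body)
    tampered = dict(original, body=other)         # body changed, not re-signed
    replaced = send_with_generated_key(other)     # whole envelope rebuilt
    shared = secrets.token_bytes(32)              # agreed out of band
    legit = {"body": body, "sig": sign(shared, body)}
    return {
        "original_ok": verify_generated(original),
        "tampered_ok": verify_generated(tampered),
        "replaced_ok": verify_generated(replaced),
        "preshared_legit_ok": verify_preshared(legit, shared),
        "preshared_replaced_ok": verify_preshared(replaced, shared),
    }
```

With a wrapped, sender-generated key the check detects a changed body but says nothing about who built the envelope; with a key the server already holds, an envelope signed under any other key is rejected.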
