you have two choices:
1- <param name="action" Value="Signature Encrypt"/>
2- <param name="action" Value="Encrypt Signature"/>
See below for the explanations:
<param name="action" Value="Signature Encrypt"/>
<Header>
  <Security>
    <EncryptedKey> ... </EncryptedKey>
    <Signature> digest of the element body </Signature>
  </Security>
</Header>
<body>
  ...encrypted data...
</body>
Problem! People may guess what the original body element is, calculate its digest and compare it to this one (in the <Signature> element).
On the other hand:
<param name="action" Value="Encrypt Signature"/>
<Header>
  <Security>
    <Signature> digest of the encrypted element body </Signature>
    <EncryptedKey> ... </EncryptedKey>
  </Security>
</Header>
<body>
  ...encrypted data...
</body>
People may try to guess the original body element, encrypt it and then calculate its digest.
However, during encryption a random element is introduced, so the result of two encryptions will be different,
so this won't work.
Therefore for higher security first encrypt and then sign: -> <param name="action" Value="Encrypt Signature"/>
Hope this helps someone.
José Ferreiro
--
José Ferreiro
EPFL Communication Systems engineer
ing.sys.com.dipl.EPFL
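As an added illustration of the point made in the post above (not part of the original message and not WSS4J code), the following Python models the two action orders with a toy randomised cipher standing in for XML Encryption and SHA-256 standing in for the signature digest. The function names, the 16-byte IV and the counter-mode construction are assumptions made for this example only.

```python
import hashlib
import os

# Toy stand-ins, constructed for this example: SHA-256 as the signature
# digest, and a SHA-256 counter-mode keystream with a fresh random IV per
# message as the randomised cipher (real XML Encryption uses AES with a random IV).

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return iv || ciphertext. The random IV makes two encryptions differ."""
    iv = os.urandom(16)
    stream = bytearray()
    block = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
        block += 1
    return iv + bytes(p ^ k for p, k in zip(plaintext, stream))

def signature_encrypt(key: bytes, body: bytes) -> dict:
    """Action 'Signature Encrypt': the digest covers the plaintext body."""
    return {"digest": digest(body), "body": encrypt(key, body)}

def encrypt_signature(key: bytes, body: bytes) -> dict:
    """Action 'Encrypt Signature': the digest covers the encrypted body."""
    ciphertext = encrypt(key, body)
    return {"digest": digest(ciphertext), "body": ciphertext}

def plaintext_guess_confirmed(envelope: dict, guess: bytes) -> bool:
    """The weakness of 'Signature Encrypt': hashing a guessed body and
    comparing against the signed digest confirms the guess without any key."""
    return digest(guess) == envelope["digest"]

def reencrypted_guess_confirmed(envelope: dict, key: bytes, guess: bytes) -> bool:
    """The same attempt against 'Encrypt Signature': even with the key, a
    re-encryption of the right guess carries a different IV, so the digest
    does not match (except with negligible probability)."""
    return digest(encrypt(key, guess)) == envelope["digest"]

def recipient_verifies(envelope: dict) -> bool:
    """Legitimate verification under 'Encrypt Signature' only needs the
    ciphertext as received, so it still succeeds."""
    return digest(envelope["body"]) == envelope["digest"]
```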
