Hi Dushan,

I thought the symmetric key used by the client is not a pre-shared key because
the description says "using a symmetric key *derived by client*", which implies
that the key is generated at the time the client needs to send the message
to the server. If the symmetric key is pre-shared as you describe, there's
no problem.

Thanks

On Sat, Sep 27, 2014 at 8:23 AM, Dushan Abeyruwan <[email protected]> wrote:

> Hi
>  Read the description again,
>  what it says:
>
>     signed using the symmetric key, then encrypted using the service public key, so
> at the server end the only way to verify is now to decrypt the message using the service private
> key and validate the signature with the symmetric key.
>
>   Now validating integrity: the symmetric key is shared only between two
> agreed parties, so they store symmetric keys in their respective key
> stores, and there is almost no chance that an intruder can stand in between
> and generate a new symmetric key because the symmetric key is an agreement
> between client and service; even if someone generates a new symmetric key they
> should inform the service beforehand (and normally services won't store
> symmetric keys randomly unless verified and authenticated).
>
> Cheers,
> Dushan
>
> On Wed, Sep 24, 2014 at 1:21 PM, Lahiru Chandima <[email protected]> wrote:
>
>> Hi All,
>>
>> Following is the diagram given by ESB about how it provides integrity for
>> a service. (Securing a service using basic scenario No. 3)
>>
>> [image: Inline image 1]
>>
>>
>> According to the diagram, the client uses a generated symmetric key to sign
>> the message, encrypts the used key using the server's public key and sends it
>> along with the message.
>>
>> But, I cannot understand how this provides integrity. As I see it, someone
>> can intercept the message sent by the client, alter the message, generate a
>> new symmetric key, sign the altered message using this key, encrypt the key
>> using the server's public key and send it along with the message without a
>> problem. Since the original message is now altered, there's no integrity.
>>
>> Can somebody please explain what I have gotten wrong?
>>
>> Thanks
>>
>> --
>> Lahiru Chandima
>> *Senior Software Engineer*
>> Mobile : +94 (0) 772 253283
>> [email protected]
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Dushan Abeyruwan | Associate Tech Lead
> Integration Technologies Team
> PMC Member Apache Synapse
> WSO2 Inc. http://wso2.com/
> Blog: http://dushansview.blogspot.com/
> Mobile: (0094)713942042
>
>


-- 
Lahiru Chandima
*Senior Software Engineer*
Mobile : +94 (0) 772 253283
[email protected]
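The two readings in this thread (a per-message key shipped with the message versus a key pre-shared between client and service) can be made concrete with a small model. The code below is an added illustration, not code from the thread or from WSO2 ESB. The MAC is HMAC-SHA256; `seal_for_server` / `unseal_at_server` are stand-ins for encrypting the key under the service's public key (RSA-OAEP in a real deployment), and the messages and keys are constructed sample values.

```python
import hmac
import hashlib
import os

def sign(message: bytes, key: bytes) -> bytes:
    """'Sign' the message with a symmetric key, i.e. compute an HMAC-SHA256 tag."""
    return hmac.new(key, message, hashlib.sha256).digest()

def seal_for_server(key: bytes) -> bytes:
    # Stand-in (assumption) for encrypting the key under the service's public key.
    # A real deployment would use RSA-OAEP here; the transform is identity only so
    # that the example runs without a public-key library.
    return key

def unseal_at_server(sealed_key: bytes) -> bytes:
    # Stand-in for decrypting with the service's private key (see seal_for_server).
    return sealed_key

def build_envelope(message: bytes, key: bytes) -> dict:
    """What the client sends: the message, its MAC, and the key sealed for the server."""
    return {
        "message": message,
        "mac": sign(message, key),
        "sealed_key": seal_for_server(key),
    }

def verify_with_shipped_key(envelope: dict) -> bool:
    """Reading 1: the server unseals whatever key arrived and checks the MAC with it.
    Anyone who can seal a key for the server can produce an envelope this accepts."""
    key = unseal_at_server(envelope["sealed_key"])
    return hmac.compare_digest(sign(envelope["message"], key), envelope["mac"])

def verify_with_preshared_key(envelope: dict, preshared_key: bytes) -> bool:
    """Reading 2 (Dushan's): the server ignores any shipped key and checks the MAC
    with the key it already holds in its own key store for this client."""
    return hmac.compare_digest(sign(envelope["message"], preshared_key), envelope["mac"])

def demo() -> dict:
    # Constructed sample values.
    preshared = os.urandom(32)
    original = b"transfer 10 to account A"

    # Legitimate envelope from the real client: both verifiers accept it.
    genuine = build_envelope(original, preshared)
    assert verify_with_shipped_key(genuine)
    assert verify_with_preshared_key(genuine, preshared)

    # The case Lahiru describes: an intermediary swaps the message and ships a
    # MAC under a key of its own choosing, sealed for the server in the same way.
    replaced = build_envelope(b"transfer 10000 to account B", os.urandom(32))

    return {
        "shipped_key_accepts_replaced": verify_with_shipped_key(replaced),
        "preshared_key_accepts_replaced": verify_with_preshared_key(replaced, preshared),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the distinction the thread turns on: `verify_with_shipped_key` accepts the replaced message (nothing binds the shipped key to the genuine client), while `verify_with_preshared_key` rejects it, because the MAC only proves integrity to a verifier that already knows the key through some other channel, such as the key stores Dushan mentions.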