9613Re: [soapbuilders] Re: Super-Encryption AND Digital Signatures
- Dec 1, 2003
> If it is modified in transit, would it not fail to decrypt from theBut if it's typical XML-Encryption, then anyone can create new fake
> receiver's pov.
content. Data is encrypted with a bulk key (3DES or AES), and that
session key is encrypted with the reciever's public key, so only the
receiver can get the key and do the bulk decrypt. But since it's a
public key, anyone can generate content.
> With the caveat that WS-Security is used toBut the Sender's keys do not normally enter into encryption at all.
> identity the sender and thus obtain the sender's public key. (Replay
> attacks excluded via wsu:Nonce).
How are you planning on super-encrypting? Super-encryption typically
means its encrypted twice. The goal is to make it harder for the adversary
to get to the plaintext -- they have twice as many keys to crack, and
getting that first one doesn't give them plaintext, it only gives them
hihg-entropy encrypted text, that they THEN need to crack to get the
Super-encryption doesn't make it hard to generate bogus content, and it
does nothing to verify the source of the content. Unless you're doing
something I'm missing, which is quite possible. So, how are you
doing to do this?
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
- << Previous post in topic Next post in topic >>