[xmlsec] Re: Newbie question on HMAC signature
aleksey at aleksey.com
Wed Oct 13 10:07:02 PDT 2004
If you just want to verify integrity then you don't need
signature. A simple hash will do just fine.
Key name can not compromise security because it is not a key
but a reference to a key. Only the one who has the key can
get it using key name. I think you might want to read some
books about security and cryptography:
I would recommend Bruce Schneier's "Applied Cryptography".
Monica Lau wrote:
> Hi Aleksey,
> >Signing documents with HMAC does not make much sense because
> >both sender and verifier have to have the key in order to be
> >able to sign/verify it. But if you have HMAC key then you can
> >not only verify but also sign. The whole purpose of the signature
> >is to proove that the key owner and only key owner have signed
> >document. And as you can see HMAC algorithm does not work well
> >for this.
> Yes, I agree. So, with HMAC, all we can do is verify the integrity of
> the xml document. We won't be able to verify that it really came from
> the key owner. We should really change to using private/public key as
> this is the purpose of signatures.
> >Now to your question. The key can be specified by key's name
> >in child of element. Then you
> >will need to create key in xmlsec, set the name and add key
> >to keys manager.
> Hmm..., if I specify the key in the <keyname>, wouldn't this compromise
> security? Someone sniffing the network can get a hold of the xml
> document and get a hold of the key. Maybe I'm not understanding HMAC
> correctly: There is a shared secret. The key is derived by hashing a
> shared secret. Does this key change per hash? So, putting this key in
> the xml document is ok because attackers cannot derive our shared secret
> from it. Is this correct? Hence, the receiver does not need to know
> the shared secret, just the key as specified in the <keyname>.
> I've been trying to read some docs on HMAC, but the articles use the
> terms shared secret and shared key interchangely, and I don't believe
> they are the same.
> Do you Yahoo!?
> vote.yahoo.com <http://vote.yahoo.com> - Register online to vote today!
More information about the xmlsec