[xmlsec] Re: Newbie question on HMAC signature

Aleksey Sanin aleksey at aleksey.com
Wed Oct 13 10:07:02 PDT 2004

If you just want to verify integrity then you don't need
signature. A simple hash will do just fine.

Key name can not compromise security because it is not a key
but a reference to a key. Only the one who has the key can
get it using key name.  I think you might want to read some
books about security and cryptography:
I would recommend Bruce Schneier's "Applied Cryptography".


Monica Lau wrote:
> Hi Aleksey,
>  >Signing documents with HMAC does not make much sense because
>  >both sender and verifier have to have the key in order to be
>  >able to sign/verify it. But if you have HMAC key then you can
>  >not only verify but also sign. The whole purpose of the signature
>  >is to proove that the key owner and only key owner have signed
>  >document. And as you can see HMAC algorithm does not work well
>  >for this.
> Yes, I agree.  So, with HMAC, all we can do is verify the integrity of 
> the xml document.  We won't be able to verify that it really came from 
> the key owner.  We should really change to using private/public key as 
> this is the purpose of signatures.
>  >Now to your question. The key can be specified by key's name
>  >in child of element. Then you
>  >will need to create key in xmlsec, set the name and add key
>  >to keys manager.
> Hmm..., if I specify the key in the <keyname>, wouldn't this compromise 
> security?  Someone sniffing the network can get a hold of the xml 
> document and get a hold of the key.  Maybe I'm not understanding HMAC 
> correctly:  There is a shared secret.  The key is derived by hashing a 
> shared secret.  Does this key change per hash?  So, putting this key in 
> the xml document is ok because attackers cannot derive our shared secret 
> from it.  Is this correct?  Hence, the receiver does not need to know 
> the shared secret, just the key as specified in the <keyname>.
> I've been trying to read some docs on HMAC, but the articles use the 
> terms shared secret and shared key interchangely, and I don't believe 
> they are the same.
> Thanks,
> Monica
> ------------------------------------------------------------------------
> Do you Yahoo!?
> vote.yahoo.com <http://vote.yahoo.com> - Register online to vote today!

More information about the xmlsec mailing list