Claim-based identity (part#2)

Before diving into the ws-* protocols I mentioned in part#1, it is important to review two important concerns about exchanging messages over the net:

  1. How can I be sure that the message I get has not been read or modified along the way?
  2. How can I be sure about who sent a message?

Point (1) can be solved by signing the message and point (2) by encrypting it. In the following paragraphs I will explain these topics in a simplified way.

Note: the following concepts can be applied in several different ways to resolve the mentioned situations.

Message Signing

Let’s suppose that Endpoint A needs to send a message to Endpoint B.

Endpoint A starts by taking the message and applying a hash function to it (typically MD5) (step 1); the result is then encrypted using A’s private key (step 2), which yields the signature for the message. After that the message is ready to be sent along with its signature (step 3). When endpoint B gets the complete message, it starts by separating the message itself from the signature and applies the hash function to the message (step 4), obtaining a hashed message. At the same time B decrypts the signature using A’s public key (step 5), and as a result of the decryption it should get the same hashed message. If the results do not match, there are two possibilities: the message has been modified, or it was sent by someone other than A.

[image: message signing diagram]

This way, endpoint B can be sure that the message was sent by A and that the message has not been altered.

Message encryption

Now suppose that A needs to send a confidential message to B.

To ensure that the message can be read only by B, A encrypts the message using B’s public key (step 1) and then puts it on the wire (step 2). When B gets the message it can decrypt it using its own private key (step 3).

[image: message encryption diagram]

By combining these two techniques we can ensure the integrity and confidentiality of the message; in other words: only the intended endpoint knows the content of the message (because it is encrypted), and the receiver of the message can be sure about the sender and content of the message (because it is signed).
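Both flows above (sign with the sender’s private key and verify with its public key; encrypt with the recipient’s public key and decrypt with its private key) are shown end to end in the following Go program. It is an added example written for this post, not code from the original, and it uses only Go’s standard library (crypto/rsa, crypto/sha256). It departs from the text in one deliberate point: the digest is SHA-256 rather than MD5, because MD5 is collision-broken and must not be used for signatures today. The endpoint names, the `Send`/`Receive` helpers and the sample message are constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Endpoint is one party in the exchange (A or B). Only the endpoint itself
// ever holds priv; the other side works exclusively with Public().
type Endpoint struct {
	Name string
	priv *rsa.PrivateKey
}

// NewEndpoint generates a fresh 2048-bit RSA key pair for the party.
func NewEndpoint(name string) (*Endpoint, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Endpoint{Name: name, priv: priv}, nil
}

// Public returns the key the other endpoint is allowed to know.
func (e *Endpoint) Public() *rsa.PublicKey { return &e.priv.PublicKey }

// Sign is the sender's side of message signing: hash the message (step 1)
// and transform the digest with the private key (step 2). SHA-256 replaces
// the MD5 mentioned in the post.
func (e *Endpoint) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, e.priv, crypto.SHA256, digest[:])
}

// Verify is the receiver's side: re-hash the received message (step 4) and
// check the signature with the claimed sender's public key (step 5).
// A nil error means the content is unchanged AND the signature was made
// with the private key matching sender.
func Verify(sender *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig)
}

// EncryptFor encrypts msg so that only the holder of recipient's private key
// can read it (encryption step 1). OAEP padding is used: raw "textbook" RSA
// without padding is not safe.
func EncryptFor(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt recovers the plaintext with the endpoint's own private key (step 3).
func (e *Endpoint) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, ct, nil)
}

// SealedMessage is what travels over the wire: the ciphertext for B plus
// A's signature over the plaintext.
type SealedMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// Send combines both techniques: A signs the plaintext and encrypts it for B.
func (e *Endpoint) Send(msg []byte, to *rsa.PublicKey) (*SealedMessage, error) {
	sig, err := e.Sign(msg)
	if err != nil {
		return nil, err
	}
	ct, err := EncryptFor(to, msg)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{Ciphertext: ct, Signature: sig}, nil
}

// Receive decrypts with the receiver's private key, then verifies the
// sender's signature; the message is rejected if either step fails.
func (e *Endpoint) Receive(sm *SealedMessage, from *rsa.PublicKey) ([]byte, error) {
	msg, err := e.Decrypt(sm.Ciphertext)
	if err != nil {
		return nil, errors.New("ciphertext was not encrypted for this endpoint or was altered")
	}
	if err := Verify(from, msg, sm.Signature); err != nil {
		return nil, errors.New("signature check failed: modified, or not from the claimed sender")
	}
	return msg, nil
}

func main() {
	a, _ := NewEndpoint("A")
	b, _ := NewEndpoint("B")
	sm, _ := a.Send([]byte("constructed sample message"), b.Public()) // constructed input
	got, err := b.Receive(sm, a.Public())
	fmt.Printf("B received %q (err=%v)\n", got, err)
	sm.Ciphertext[0] ^= 1 // simulate alteration in transit: B now rejects it
	_, err = b.Receive(sm, a.Public())
	fmt.Println("after alteration:", err)
}
```

Two design points worth noting. `Receive` decrypts before verifying, so the signature is checked against exactly the bytes B will act on. The signature is computed over the plaintext and sent in the clear because OAEP with a 2048-bit key can carry at most 190 bytes, too little for message plus signature; a production system encrypts a symmetric key with RSA in this way and uses that key for the payload (hybrid encryption), which is beyond the scope of this post.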

To be continued…
