[openstack-dev] [nova][keystone] Message Queue Security

Eric Windisch eric at cloudscaling.com
Fri Apr 26 20:23:00 UTC 2013

> HMAC(metadata, Ea(SEK, Eb(SEK)))

The problem is that Eb(SEK) isn't signed. You sign Ea(), but you can't send that to B, because B can't decrypt it. Thus, you're only sending Eb(SEK).

When B receives Eb(SEK), it cannot validate it. You would need to receive from the keyserver:

Sa(metadata, Ea(SEK, Sb(Eb(SEK))))

Then, you can send to B: Sb(Eb(SEK))

Eric Windisch
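
The exchange described in the message above, as an added example that is not part of the original post or of any OpenStack code. Assumptions: the keyserver shares a symmetric key with each party (`KEY_A`, `KEY_B`), S() is modelled as an HMAC-SHA256 tag, E() is a toy keystream used only as a stand-in for a real cipher, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: the keyserver shares one long-term symmetric key with each party.
KEY_A, KEY_B = os.urandom(32), os.urandom(32)

def _stream_xor(key, nonce, data):
    # Toy keystream (HMAC in counter mode); stands in for E(), not a vetted cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ p for d, p in zip(data[i:i + 32], pad))
    return bytes(out)

def E(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _stream_xor(key, nonce, plaintext)

def D(key, blob):
    return _stream_xor(key, blob[:16], blob[16:])

def S(key, *parts):
    # Keyed tag over length-prefixed parts; plays the role of S() / HMAC().
    h = hmac.new(key, b"mac", hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def keyserver_issue(metadata, sek):
    eb = E(KEY_B, sek)
    ticket_b = eb + S(KEY_B, eb)                 # Sb(Eb(SEK))
    ea = E(KEY_A, sek + ticket_b)                # Ea(SEK, Sb(Eb(SEK)))
    return metadata, ea, S(KEY_A, metadata, ea)  # Sa(metadata, ...)

def a_unpack(metadata, ea, tag):
    if not hmac.compare_digest(tag, S(KEY_A, metadata, ea)):
        raise ValueError("keyserver reply failed verification")
    plain = D(KEY_A, ea)
    return plain[:32], plain[32:]                # SEK (32 bytes), ticket for B

def b_accept(ticket):
    eb, tag = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(tag, S(KEY_B, eb)):
        return None                              # B rejects a modified ticket
    return D(KEY_B, eb)

def b_accept_unsigned(eb):
    # Quoted scheme: B gets a bare Eb(SEK) and has nothing to check it against.
    return D(KEY_B, eb)
```

With a single bit changed in transit, `b_accept` returns `None`, while `b_accept_unsigned` returns a different 32-byte key without any error.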
