[openstack-dev] [nova][keystone] Message Queue Security

Eric Windisch eric at cloudscaling.com
Fri Apr 26 20:23:00 UTC 2013


> 
> HMAC(metadata, Ea(SEK, Eb(SEK)))
> 

The problem is that Eb(SEK) isn't signed. You sign Ea(), but you can't send that to B, because B can't decrypt it. Thus, you're only sending Eb(SEK).

When B receives Eb(SEK), it cannot validate it.  You would need to receive from the keyserver:

Sa(metadata, Ea(SEK, Sb(Eb(SEK))))

Then, you can send to B: Sb(Eb(SEK))

Regards,
Eric Windisch
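
The exchange proposed above, Sa(metadata, Ea(SEK, Sb(Eb(SEK)))), as an added Python sketch that is not part of the original message or of any OpenStack code. Assumptions: S() is an HMAC-SHA256 tag under the key each party shares with the keyserver, E() is a toy keystream cipher standing in for a real one, and every function name here is hypothetical.

```python
import hashlib
import hmac
import os

def _mac(key, label, msg):
    return hmac.new(key, label + msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy keystream cipher standing in for E() (assumption; not for production use).
    stream = b"".join(_mac(key, b"enc", nonce + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def E(key, pt):
    """E(): confidentiality only, no integrity check, like the bare Eb(SEK)."""
    nonce = os.urandom(16)
    return nonce + _xor(key, nonce, pt)

def D(key, ct):
    return _xor(key, ct[:16], ct[16:])

def S(key, msg):
    """S(): msg plus HMAC-SHA256 tag (assumption: 'signing' is a MAC under the shared key)."""
    return msg + _mac(key, b"mac", msg)

def V(key, signed):
    """Return the message if its tag verifies, else None."""
    msg, tag = signed[:-32], signed[-32:]
    return msg if hmac.compare_digest(tag, _mac(key, b"mac", msg)) else None

def keyserver_issue(ka, kb, metadata, sek):
    """Build Sa(metadata, Ea(SEK, Sb(Eb(SEK)))) for requester A."""
    ticket = S(kb, E(kb, sek))  # Sb(Eb(SEK)): opaque to A, verifiable by B
    body = len(metadata).to_bytes(2, "big") + metadata + E(ka, sek + ticket)
    return S(ka, body)

def a_open(ka, blob, sek_len=32):
    """A verifies the reply, then recovers metadata, SEK and the ticket for B."""
    body = V(ka, blob)
    if body is None:
        raise ValueError("keyserver reply failed verification")
    mlen = int.from_bytes(body[:2], "big")
    inner = D(ka, body[2 + mlen:])
    return body[2:2 + mlen], inner[:sek_len], inner[sek_len:]

def b_accept(kb, ticket):
    """B checks Sb(...) before decrypting; a modified ticket returns None."""
    ct = V(kb, ticket)
    return None if ct is None else D(kb, ct)
```

With a bare E(kb, sek), a single flipped ciphertext bit makes D() hand B a different key with no error; with the signed ticket, b_accept() returns None instead.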





