If application A and application B share a shared key for encryption then one of the applications could hand a "token" (perhaps a Guid) to the other both encrypted with the shared key and also outright unencrypted at the same time. The receiving party could then encrypt the unencrypted token with the shared key and validate its legitimacy based upon if it matches the encrypted token. In these circumstances there is of course the risk that the key becomes compromised (leaked) and it also would be wise if only two parties shared the same key regardless which is to say that if application A dreamt up the key to begin with and handed it to application B that application A should not give the name key to application C as well.
No comments:
Post a Comment