|
Information Security
< Previous Next >
Clarification on Data Integrity
Ranjit M / Elind Computers Pvt. Ltd.
24 Sep 2002 6:06AM ET Hi,
The Application Note on the Security Protocol says this regarding data integrity :
"If the Null encryption option is selected, then all data is transmitted unencrypted. There is no data integrity protection. If present, Signature Data should be ignored. This option should be selected only during application debugging, or when the FIX session data is being transmitted only on a physically secure network."
Why can't a signature be used without the encryption option being selected, assuming that it is used on a physically secure network?
Regarding signature computation, this is what the document has to say:
"To compute a signature, the DES session key is fed into the MD5 engine as the first 8 bytes. The high order byte (most significant) is fed in first. Next, the unencrypted portion of the FIX header is processed. Then, the DES encrypted portion of the FIX message is fed in. Lastly, the 8 byte DES session key is fed in again (to protect against a message padding attack). Except for the StandardTrailer, the whole message contributes to the message signature."
Does this mean the the header without the SecureDataLen and SecureData fields need to be added and then both SecureDataLen and SecureData fields be added? Is this in the <tag>=<value><SOH> format or ....?
Is computation of signature as detailed in this document the only way to go about or is it upto the discretion of the counterparties?
How relevant is this document today? What other documentation should I refer to regarding data integrity and encryption (DES-ECB)?
Thanks in advance,
Ranjit
Clarification on Data Integrity
Ranjit M / Elind Computers Pvt. Ltd. 24 Sep 2002 6:06AM ET
|
