Information Security
openssl hmac hashicorp-vault
Updated Sun, 22 May 2022 04:47:27 GMT

Is there value to signing microservice calls with an HMAC derived from the same private key?


I had a friend say:

We're securing our microservice with an HMAC derived from the private key in the jks file. [Where client and server shared the same private key]

I can understand the situation where you have an HMAC from a secret that is short lived - such as one derived from Hashicorp Vault.

But if the HMAC has the same lifetime as the private keys - why not just secure the microservice using SSL based on the private keys you've already installed?

My question is: Is there value to signing microservice calls with an HMAC derived from the same private key?

Solution

If client and server share the same private key, the private key basically turns into a symmetric secret, thus nullifying any use-case relevant for SSL, or, FWIW, any signing scheme.

It's basically integrity without authenticity.
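The answer's point, that a secret both parties hold proves the message was not altered but not who sent it, as an added Python example that is not from the question or the answer (key bytes, principal names and the request fields are constructed): the same request-signing helper run once with one shared secret and once with a key per principal, the latter being what a short-lived per-service secret such as the Vault-issued one in the question gives you.

```python
import hashlib
import hmac

# Constructed sample keys. In the shared case both principals hold the same bytes,
# which is the "private key used as a symmetric secret" situation from the answer.
SHARED_SECRET = b"constructed-shared-secret"
SHARED = {"client": SHARED_SECRET, "server": SHARED_SECRET}
PER_PRINCIPAL = {"client": b"constructed-client-key", "server": b"constructed-server-key"}

def canonical(method, path, body, ts, key_id):
    """Canonical request string; hashing the body binds the tag to the payload."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{ts}\n{key_id}\n{body_hash}".encode()

def sign(key, key_id, method, path, body, ts):
    return hmac.new(key, canonical(method, path, body, ts, key_id), hashlib.sha256).hexdigest()

def verify(keyring, key_id, method, path, body, ts, tag, now, max_skew=300):
    """Return the principal the tag authenticates as, or None if it does not check out."""
    key = keyring.get(key_id)
    if key is None or abs(now - ts) > max_skew:
        return None
    expected = sign(key, key_id, method, path, body, ts)
    # constant-time comparison so verification does not leak a byte-by-byte oracle
    return key_id if hmac.compare_digest(expected, tag) else None

def who_sent(keyring, signer_key, ts=1_653_000_000):
    """Sign a request with signer_key but label it as coming from 'client';
    return what a verifier holding keyring concludes about the sender."""
    req = ("POST", "/transfer", b'{"amount": 100}')
    tag = sign(signer_key, "client", *req, ts)
    return verify(keyring, "client", *req, ts, tag, now=ts + 5)

def shared_key_accepts_forged_origin():
    # With one shared secret the "client" label is unverifiable: the server's copy
    # of the key yields a tag the verifier accepts as the client's (integrity only).
    return who_sent(SHARED, SHARED["server"]) == "client"

def per_principal_key_rejects_forged_origin():
    # With a key per principal the server's key cannot produce a tag that
    # verifies under "client", so the tag now says who sent the request.
    return who_sent(PER_PRINCIPAL, PER_PRINCIPAL["server"]) is None

if __name__ == "__main__":
    print(shared_key_accepts_forged_origin(), per_principal_key_rejects_forged_origin())
```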