there are several components of my application, needs their communication secure in the sense Origin Verified. these components cannot share a common secret. So I have to opt for asymmetric key encryption. assuming I've two components A and B A sends some data F to B and B has to verify that it really came from A
A generates digest H of F with its private Key
A attaches A_pub, H to its request Parameters, sends F and declares origin/sender as A
B verifies the digest H with the A_pub provided against F
apparently it looks Okay But if some other component V does the same with V_pub and claims itself as A, B still thinks the request came from A as this H is made with V_prv openssl verifies Okay.
I want to give protection against this attack of V
I am using ecparam secp112r1 to minimize key length. and keys are repeatedly changed.
-- EDIT --
A, B and V are application components identified by unique URI. Its currently intended to constraint secure page flow. e.g. you can assume A, B, V be urls What I want is Only A can procced to B and only B can proceed to C .... and I don't want to maintain a global/application wide session for that. so If B can just verify the origin of this link based on the special parameters A have passed to it in a state/session-less manner. and the more generic it can be the more reusable it will be to implement in other scenarios too.
Once I thought to maintain a checksums of A_pub in a trusted global storage. however I am afraid wouldn't that be an over engineering ?
another way comes in my mind is to query back the origin url regarding the public key. However I want to avoid that.
