by kevincox 386 days ago
In theory nothing. If you have complete confidentiality, you only need enough entropy to ensure that the attacker cannot guess it.

But in practice things get logged, people mess up their DNS and send the request to a different party (potentially after their CDN decrypts it) or some other blunder. With HMAC as long as the recipient is validating properly (which is a whole different can of worms) the worst the attacker can do is replay requests that they have observed.
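The replay-only property the comment describes, as an added example that is not part of the original thread: a request signed with HMAC over its method, path, timestamp and body hash, then checked by the recipient. The key name, the canonical string layout and the sample request are all constructed for this illustration; a real scheme would also reject timestamps outside a short window to bound the replay risk.

```python
import hmac
import hashlib

# Constructed shared secret for the example; never reuse a literal key in real code.
SECRET_KEY = b"example-shared-secret-do-not-reuse"


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Bind the signature to the exact request: method, path, timestamp, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(key: bytes, method: str, path: str, timestamp: str, body: bytes) -> str:
    """Client side: the signature is sent with the request; the key never leaves the client."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(key: bytes, method: str, path: str, timestamp: str,
                   body: bytes, signature: str) -> bool:
    """Server side: recompute and compare in constant time (this is the 'validating properly' part)."""
    expected = sign_request(key, method, path, timestamp, body)
    return hmac.compare_digest(expected, signature)


# Constructed sample request, as it might land in a proxy or CDN access log.
LOGGED = {
    "method": "POST",
    "path": "/v1/transfer",
    "timestamp": "2024-05-01T12:00:00Z",
    "body": b'{"to":"acct-42","amount":10}',
}
LOGGED["signature"] = sign_request(
    SECRET_KEY, LOGGED["method"], LOGGED["path"], LOGGED["timestamp"], LOGGED["body"])


def replay_verifies() -> bool:
    """Someone who read the log can resubmit the exact request: it verifies (the replay case)."""
    return verify_request(SECRET_KEY, LOGGED["method"], LOGGED["path"],
                          LOGGED["timestamp"], LOGGED["body"], LOGGED["signature"])


def tampered_verifies() -> bool:
    """Changing any signed field without the key breaks the signature: this must fail."""
    new_body = b'{"to":"acct-99","amount":10000}'
    return verify_request(SECRET_KEY, LOGGED["method"], LOGGED["path"],
                          LOGGED["timestamp"], new_body, LOGGED["signature"])
```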