W3C home > Mailing lists > Public > xml-encryption@w3.org > February 2001

Re: Signing and Encryption

From: <hal@finney.org>
Date: Thu, 1 Feb 2001 10:01:00 -0800
Message-Id: <200102011801.KAA06631@finney.org>
To: IMAMU@jp.ibm.com, reagle@w3.org
Cc: hal@finney.org, kotok@w3.org, xml-encryption@w3.org
Joseph asks,
> Actually, since Hal brough this up, I've been presuming it's the digest 
> information that "leaks" information about the (now) encrypted content. 
> However, if the hash chosen is a strong one-way hash, what information would 
> this reveal? Or is the "leak" from other data found in the Signature?

The leak is from the digest, and it exists in two forms, one theoretical
and one practical.

The theoretical one is that we have opened up another channel by which
an attacker could get at the encrypted data.  Normally if you have
encrypted data you rely only on the security of the cryptosystem to
protect its privacy.  However, if a hash of the data is also available in
the clear, this offers another, independent, direction for an attacker.
He can either break the encryption, or break the one-way-ness of the hash.
Of course, in practice we believe that the hashes are strong, but still
this causes us to rely on this belief for both authentication *AND* privacy,
while we would prefer to only have authentication depend on the hash.

The second leak, more practical, is that someone could verify a guess at
the contents of the encrypted-and-signed material.  Particularly if the
data is relatively small, or it is of some standard form (a boilerplate
contract with only a few fields having variation), this may be practical
in some circumstances.  In this case the strength of the encryption is
completely defeated by having the hash available.

Hal
Received on Thursday, 1 February 2001 13:02:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:59 UTC