Re: Signing and Encryption

From: <hal@finney.org>
Date: Thu, 1 Feb 2001 10:52:53 -0800
Message-Id: <200102011852.KAA06834@finney.org>
To: hal@finney.org, reagle@w3.org
Cc: IMAMU@jp.ibm.com, kotok@w3.org, xml-encryption@w3.org

Joseph writes:
> At 10:01 2/1/2001 -0800, hal@finney.org wrote:
> >The second leak, more practical, is that someone could verify a guess at
> >the contents of the encrypted-and-signed material.  Particularly if the
> >data is relatively small, or it is of some standard form (a boilerplate
> >contract with only a few fields having variation), this may be practical
> >in some circumstances.  In this case the strength of the encryption is
> >completely defeated by having the hash available.
>
> Is this because the search over messages yielding the hash of the plaintext 
> is faster than the search over the messages yielding the ciphertext?

You can't search over the messages yielding the ciphertext!  This is very
important and often forgotten.  Knowing the plaintext will NOT tell you
the ciphertext unless you also know the KEY!

It is the key which provides the security in a symmetric cipher.  With AES
and other modern ciphers with keys of 128 bits and up it is essentially
impossible to search and find the key.  Without knowing the key, even
a successful guess at the plaintext CANNOT be verified.

However this is not true of the signature hash; guesses at the input to
the hash can be checked, as there is nothing corresponding to a key.

Hal
Received on Thursday, 1 February 2001 13:54:10 UTC
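
The contrast drawn in this message, as an added example that is not part of the original post: a document of standard form with few varying fields can be confirmed from an unkeyed digest, while the same guess cannot be confirmed against a value that depends on an unknown key. The contract template, field values and function names are constructed for illustration; SHA-256 is an assumed hash, and HMAC stands in for any keyed transform because the Python standard library has no AES.

```python
import hashlib
import hmac
import itertools
import os

# Constructed boilerplate contract: only two fields vary.
TEMPLATE = "<Contract><Buyer>{buyer}</Buyer><Price>{price}</Price></Contract>"
BUYERS = ["Alice Corp", "Bob Ltd", "Carol GmbH"]  # constructed values
PRICES = range(1000, 20001, 500)                  # constructed values

def digest(doc: str) -> bytes:
    """Unkeyed hash, like a plaintext digest left readable beside the ciphertext."""
    return hashlib.sha256(doc.encode()).digest()

def keyed_tag(key: bytes, doc: str) -> bytes:
    """Keyed stand-in (HMAC-SHA256): the output depends on a secret key."""
    return hmac.new(key, doc.encode(), hashlib.sha256).digest()

def candidates():
    """Every document the template can produce from the small field space."""
    for buyer, price in itertools.product(BUYERS, PRICES):
        yield TEMPLATE.format(buyer=buyer, price=price)

def confirm_guess(observed: bytes, check):
    """Return the candidate whose check value equals `observed`, else None."""
    for doc in candidates():
        if hmac.compare_digest(check(doc), observed):
            return doc
    return None

def demo():
    secret_doc = TEMPLATE.format(buyer="Bob Ltd", price=12500)
    key = os.urandom(16)  # 128-bit key held only by sender and recipient

    # Case 1: the observer sees an unkeyed digest of the plaintext.
    # Nothing secret goes into the hash, so each guess can be checked.
    found_unkeyed = confirm_guess(digest(secret_doc), digest)

    # Case 2: the observer sees a value computed under the secret key.
    # Lacking that key, the observer can only compute with some other key,
    # so even the correct guess produces no match.
    observer_key = os.urandom(16)
    found_keyed = confirm_guess(keyed_tag(key, secret_doc),
                                lambda d: keyed_tag(observer_key, d))
    return secret_doc, found_unkeyed, found_keyed

if __name__ == "__main__":
    print(demo())
```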
