W3C home > Mailing lists > Public > xml-encryption@w3.org > March 2001

Re: Signing encrypted data

From: <hal@finney.org>
Date: Tue, 20 Mar 2001 10:12:03 -0800
Message-Id: <200103201812.KAA12408@finney.org>
To: AMIR@newgenpay.com, xml-encryption@w3.org
Amir Herzberg writes:
> The `standard` solution for signing secret data is to include a random
> `salt` field in the signed data. This puts only the hash of the content
> together with the random `salt` in public domain, and therefore prevents
> guessing attacks. This is cleaner and more efficient than encrypting the
> signature block

Salt only stops dictionary attacks, where someone wants to test a single
plaintext against millions of hashed messages.  It does not stop guessing
attacks, where someone wants to verify whether a particular plaintext
is what is hashed/signed.  Given that the salt is public, anyone can hash
the salt with the guessed plaintext and see if the signature verifies.

> Furthermore and more important, it allows using a signature
> containing encrypted objects to be validated by agents which do not have
> access to the decryption key, which is required by some (many?) applications
> (e.g. secure payments...). 

I suspect that we are miscommunicating, because I don't see how you could
expect any agents to verify a signature if they lack the decryption key.
The signature is on the plaintext.  Without the decryption key, these
agents can't recover the plaintext, and therefore they can't verify
the signature.

Of course you can sign AFTER encrypting; that has never been a security
issue.  The only question in that case is to design data structures
that allow you to indicate whether the signature is on the ciphertext
or the plaintext.  But if that is all you want to do, there is no need
for salt and no need to encrypt the signature.

The issue arises when you sign BEFORE encrypting, but want to leave the
signature in the clear.  This is a security issue and allows guessing
of plaintext.  That is the problem I was raising, and salt is of no
value then.

Hal Finney
Received on Tuesday, 20 March 2001 13:15:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:18 GMT