hash (digest) of the plaintext in the clear from Amir Herzberg on 2001-09-05 (xml-encryption@w3.org from September 2001)

From: Amir Herzberg <AMIR@newgenpay.com>
Date: Wed, 5 Sep 2001 12:02:09 +0300
To: "Xml Encrypt (E-mail)" <xml-encryption@w3.org>
Message-ID: <078EE8822DCFD411AAA1000629D56ADC0B7EC5@IMP01>

Joseph said, 

...
> Once Don sends text for reverting back to not using 
> DigestMethod/DigestValue 
> in the clear (I hope you saw Schaad's arguments [1]), 
...
> [1] http://www.w3.org/Encryption/2001/Minutes/0720-Redwood/minutes.html

No, I didn't notice the proposal below (I'll blame my vacation...). Sorry!!

I thought the importance of keeping the hash (digest) of the plaintext in
the clear is understood: it allows authentication (signatures or MAC) of
messages including the encrypted data. In fact, signatures (not MAC) should
preferably be computed ONLY on the hashed plaintext and not on the
ciphertext, to allow changing the encryption without invalidating the
signature. I'll gladly explain it in more details if needed. 

When the plaintext contains sufficient randomness (e.g. via nonce),
providing the cryptographic hash of it in the clear should not be a security
problem. 

Has there been a detailed counter proposal or argument? 

Best, Amir Herzberg

> Proposal: DigestMethod/DigestValue Removal, Jim Schaad
> 
> Schaad: believes Herzberg wanted integrity, and something 
> about the plaintext 
> as it was before encryption. For the same reasons that Finney 
> raised earlier 
> about signature over plaintext, Schaad doesn't like plaintext 
> being in the 
> clear, should be encrypted as part of the CipherData; 
> otherwise it allows for 
> guessing of the original text if insufficient randomness exists.
> 
> Group: discussion of earlier approach of having integrity be 
> part of the 
> algorithm URI, people felt this led to too many algorithms 
> identifiers. 
> Present approach not liked for reasons stated.
> 
> Reagle: a poll was taken for Jim?s proposal: 5 supported 
> Jim?s proposal and 2 
> supported the current status. Eastlake suggested the proposal 
> to be further 
> discussion in the list.
> 
> Schaad: Proposed this as an optional element: If one wants 
> integrity checks, 
> then provide a new URI. Action Schaad: send proposal for 
> integrity to list 
> within the week with the necessary changes. Otherwise, need a 
> use case 
> (Herzberg engage Schaad in discussion) of the initial problem 
> was, so we can 
> understand the application where it applies (understanding 
> now that it was 
> wanted to have the digest value outside)
>

Received on Wednesday, 5 September 2001 05:02:35 UTC