- From: <hal@finney.org>
- Date: Thu, 1 Feb 2001 10:01:00 -0800
- To: IMAMU@jp.ibm.com, reagle@w3.org
- Cc: hal@finney.org, kotok@w3.org, xml-encryption@w3.org
Joseph asks,

> Actually, since Hal brought this up, I've been presuming it's the digest
> information that "leaks" information about the (now) encrypted content.
> However, if the hash chosen is a strong one-way hash, what information would
> this reveal? Or is the "leak" from other data found in the Signature?

The leak is from the digest, and it exists in two forms, one theoretical and one practical.

The theoretical one is that we have opened up another channel by which an attacker could get at the encrypted data. Normally if you have encrypted data you rely only on the security of the cryptosystem to protect its privacy. However, if a hash of the data is also available in the clear, this offers another, independent, direction for an attacker. He can either break the encryption, or break the one-way-ness of the hash. Of course, in practice we believe that the hashes are strong, but still this causes us to rely on this belief for both authentication *AND* privacy, while we would prefer to only have authentication depend on the hash.

The second leak, more practical, is that someone could verify a guess at the contents of the encrypted-and-signed material. Particularly if the data is relatively small, or it is of some standard form (a boilerplate contract with only a few fields having variation), this may be practical in some circumstances. In this case the strength of the encryption is completely defeated by having the hash available.

Hal
Received on Thursday, 1 February 2001 13:02:25 UTC
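
The second, practical leak described in the message above, as an added example that is not part of the original post: a cleartext digest of the plaintext confirms a guess at a low-variation document even when the cipher itself is unbreakable. The contract template, the use of SHA-256, and the one-time pad standing in for the encryption are assumptions made for the illustration; the second case (digest taken over the ciphertext) is included only for contrast and goes beyond what the message discusses.

```python
import hashlib
import secrets

# Constructed boilerplate: only the amount field varies (sample data, not from the thread).
TEMPLATE = "<Contract><Buyer>ACME</Buyer><Amount currency='USD'>{amount}</Amount></Contract>"


def otp_encrypt(plaintext: bytes):
    """One-time pad: secure on its own, so any leak below comes from the digest."""
    key = secrets.token_bytes(len(plaintext))
    return key, bytes(p ^ k for p, k in zip(plaintext, key))


def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the argument holds for any deterministic, unkeyed hash.
    return hashlib.sha256(data).hexdigest()


def confirm_guess(published_digest: str, candidates):
    """Return the candidate amount whose filled-in template matches the digest, else None."""
    for amount in candidates:
        if digest(TEMPLATE.format(amount=amount).encode()) == published_digest:
            return amount
    return None


def demo():
    secret_doc = TEMPLATE.format(amount=48250).encode()
    _key, ciphertext = otp_encrypt(secret_doc)
    candidates = range(0, 100_000, 50)  # 2,000 plausible amounts

    # Case 1: digest of the plaintext sits in the clear beside the ciphertext.
    leaked = confirm_guess(digest(secret_doc), candidates)

    # Case 2 (contrast): digest taken over the ciphertext says nothing about the guess.
    safe = confirm_guess(digest(ciphertext), candidates)
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```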