- From: <hal@finney.org>
- Date: Thu, 1 Feb 2001 10:52:53 -0800
- To: hal@finney.org, reagle@w3.org
- Cc: IMAMU@jp.ibm.com, kotok@w3.org, xml-encryption@w3.org

Joseph writes:

> At 10:01 2/1/2001 -0800, hal@finney.org wrote:
> >The second leak, more practical, is that someone could verify a guess at
> >the contents of the encrypted-and-signed material. Particularly if the
> >data is relatively small, or it is of some standard form (a boilerplate
> >contract with only a few fields having variation), this may be practical
> >in some circumstances. In this case the strength of the encryption is
> >completely defeated by having the hash available.
>
> Is this because the search over messages yielding the hash of the plaintext
> is faster than the search over the messages yielding the ciphertext?

You can't search over the messages yielding the ciphertext! This is very
important and often forgotten. Knowing the plaintext will NOT tell you
the ciphertext unless you also know the KEY!

It is the key which provides the security in a symmetric cipher. With AES
and other modern ciphers with keys of 128 bits and up it is essentially
impossible to search and find the key. Without knowing the key, even a
successful guess at the plaintext CANNOT be verified.

However this is not true of the signature hash; guesses at the input to
the hash can be checked, as there is nothing corresponding to a key.

Hal

Received on Thursday, 1 February 2001 13:54:10 UTC
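
Added example, not part of the original message: a Python sketch of the point above, that a guess at the plaintext can be checked against an unkeyed digest but not against the output of a keyed function. The contract template, field values and function names are constructed for illustration, SHA-256 is an assumed hash, and HMAC stands in for the keyed cipher because the Python standard library has no AES.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed boilerplate contract: only two fields vary.
TEMPLATE = "Buyer {buyer} agrees to pay {amount} USD on delivery."
BUYERS = ["Alice", "Bob", "Carol"]
AMOUNTS = range(1000, 20001, 1000)


def candidates():
    """Every contract the template can produce (60 here)."""
    for buyer, amount in itertools.product(BUYERS, AMOUNTS):
        yield TEMPLATE.format(buyer=buyer, amount=amount)


def plain_digest(text):
    """Unkeyed hash, as exposed by a signature over the plaintext."""
    return hashlib.sha256(text.encode()).hexdigest()


def keyed_tag(key, text):
    """Keyed function (HMAC-SHA256): the output depends on a secret."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def confirm_from_digest(observed):
    """Anyone can recompute the unkeyed hash of each guess."""
    for guess in candidates():
        if hmac.compare_digest(plain_digest(guess), observed):
            return guess
    return None


def confirm_from_tag(observed, guessed_key):
    """Without the real key, even the correct guess does not match."""
    for guess in candidates():
        if hmac.compare_digest(keyed_tag(guessed_key, guess), observed):
            return guess
    return None


secret_key = secrets.token_bytes(16)  # 128-bit key, never published
contract = TEMPLATE.format(buyer="Bob", amount=7000)
leaked = confirm_from_digest(plain_digest(contract))
hidden = confirm_from_tag(keyed_tag(secret_key, contract), secrets.token_bytes(16))
```

Here `leaked` equals the contract after at most 60 hash computations, while `hidden` is `None` because the observer's key guess is wrong; the search space for the keyed case is the 128-bit key, not the 60 messages.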