- From: Alan Kotok <kotok@w3.org>
- Date: Thu, 01 Feb 2001 17:06:11 -0500
- To: hal@finney.org
- Cc: IMAMU@jp.ibm.com, reagle@w3.org, hal@finney.org, xml-encryption@w3.org
Hal,

Thank you for the explanation. I confess that I am much more impressed with the second argument than the first. If people can crack the hash function used for digital signatures, then I don't think the public would understand that some other pieces of the "cryptography pie" may still be secure. And trust that this stuff ALL works is the name of the game.

Alan

At 01:01 PM 2/1/2001, hal@finney.org wrote:
>Joseph asks,
>
> > Actually, since Hal brought this up, I've been presuming it's the digest
> > information that "leaks" information about the (now) encrypted content.
> > However, if the hash chosen is a strong one-way hash, what information would
> > this reveal? Or is the "leak" from other data found in the Signature?
>
>The leak is from the digest, and it exists in two forms, one theoretical
>and one practical.
>
>The theoretical one is that we have opened up another channel by which
>an attacker could get at the encrypted data. Normally if you have
>encrypted data you rely only on the security of the cryptosystem to
>protect its privacy. However, if a hash of the data is also available in
>the clear, this offers another, independent, direction for an attacker.
>He can either break the encryption, or break the one-way-ness of the hash.
>Of course, in practice we believe that the hashes are strong, but still
>this causes us to rely on this belief for both authentication *AND* privacy,
>while we would prefer to only have authentication depend on the hash.
>
>The second leak, more practical, is that someone could verify a guess at
>the contents of the encrypted-and-signed material. Particularly if the
>data is relatively small, or it is of some standard form (a boilerplate
>contract with only a few fields having variation), this may be practical
>in some circumstances. In this case the strength of the encryption is
>completely defeated by having the hash available.
>
>Hal

-- 
Alan Kotok, Associate Chairman mailto:kotok@w3.org
World Wide Web Consortium http://www.w3.org
MIT Laboratory for Computer Science, 200 Technology Square, Room NE43-364
Cambridge, MA 02139, USA
Voice: +1-617-258-5728 Fax: +1-617-258-5999
Received on Thursday, 1 February 2001 17:08:00 UTC