- From: Amir Herzberg <AMIR@newgenpay.com>
- Date: Tue, 15 May 2001 10:01:19 +0300
- To: "'Frederick J. Hirsch'" <hirsch@zolera.com>, xml-encryption@w3.org
Fredrick asked, > 1. What advantage is there from the "integrity versions" of > the alorithms, where the SHA1 digest of the > encryption result (and possibly IV) is appended to the > encryption value? I think you misread Donald's text, which said: `Optionally, a message digest of the IV and plain text can be included at the end of and as part of the cipher text on encryption and checked on decryption as indicated by a different algorithm idenitifer. Such an integrity check may not be needed if integrity is assured by a digital signature.` Therefore, the digest is computed over the _plain_text, i.e. the input to the encryption, not its result. Of course, this implies that the plaintext should be properly randomized, just like for the `hash of randomized` that I asked for. In fact, if the HashOfRandomized tag I've asked for is added, than it would obviously provide the necessary integrity as well. The only difference is that by putting it on a separate tag I make it possible (or easier) to define a transform to sign only the hash, not the ciphertext. Best regards, Amir Herzberg CTO, NewGenPay Inc. See demo and lectures/overviews/tutorials on crypto-security for mobile, e-commerce, etc. in http://www.newgenpay.com/mpay/course/course.html
Received on Tuesday, 15 May 2001 02:57:48 UTC