Re: Can someone please poke some holes in this idea?


Giff (giff@eng.us.uu.net)
Wed, 7 Oct 1998 16:06:16 -0400 (EDT)


On Wed, 7 Oct 1998, bram wrote:

> On Wed, 7 Oct 1998, Frank (Giff) Gifford wrote:
>
> > Your question seems to be more about detecting whether or not a decryption
> > will be correct. One possibility which comes to mind is to append two
> > blocks to the beginning of the file. Let's assume 64 bit blocks. The
> > first is composed of randomly generated data [as random as you like]. The
> > second block is a pattern of WXYZWXYZ, where WXYZ is a random four byte
> > value. Encrypt everything in CBC mode.
>
> That might make it possible for a malicious attacker to garble the rest of
> the file without it being immediately detected. It is slightly better to
> put the verification at the end of the file or make the verification be
> the hash of the file.

There are two things:
1) If one is going to have a test like this going on at all, it would be
better to not have to decrypt the entire 10Meg file just to find out that
the user supplied the wrong key.

2) On reading your suggestion about putting the code at the end, the file
can still be modified and you wouldn't know about it until full decryption
and checking a MAC. Using the pattern I mentioned is more as a 'quick and
dirty check' as to whether the user can decrypt the message. I would
agree that a MAC would also be appropriate. And in looking at it a bit
more, there really isn't a good reason why the WXYZWXYZ _couldn't_ be the
first block...

-Giff
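
The scheme discussed in this message, as an added example that is not part of the original post: a random first block and a WXYZWXYZ second block encrypted in CBC mode give a wrong-key check that decrypts only 16 bytes, while a MAC over the whole ciphertext catches tampering that the quick check misses. Assumptions: the block cipher is a toy Feistel construction standing in for a real 64-bit cipher, the IV is all zeros (the random first block takes its place), the MAC is HMAC-SHA256 under a separate key, and all function names are made up for this sketch.

```python
import hashlib, hmac, os

BLOCK = 8  # 64-bit blocks, as the post assumes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the toy cipher (assumption)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def enc_block(key, blk):  # toy 4-round Feistel, NOT a real cipher
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_decrypt(key, ct, prev=bytes(BLOCK)):
    out = []
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(dec_block(key, c), prev))
        prev = c
    return b"".join(out)

def seal(enc_key, mac_key, data):  # len(data) must be a multiple of BLOCK
    wxyz = os.urandom(4)
    pt = os.urandom(BLOCK) + wxyz + wxyz + data  # random block, then WXYZWXYZ
    ct, prev = b"", bytes(BLOCK)
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(enc_key, _xor(pt[i:i + BLOCK], prev))
        ct += prev
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def quick_check(enc_key, blob):  # decrypts two blocks only
    p = cbc_decrypt(enc_key, blob[:2 * BLOCK])
    return p[8:12] == p[12:16]  # a wrong key passes with probability 2**-32

def open_sealed(enc_key, mac_key, blob):  # full check: MAC, then decrypt
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("MAC mismatch: ciphertext was modified")
    return cbc_decrypt(enc_key, ct)[2 * BLOCK:]
```

Flipping a byte in any ciphertext block after the second leaves quick_check returning True, and only open_sealed rejects the file.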



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:20