
Re: Hash of plaintext as key?



At 09:56 AM 2/22/96 -0800, John Pettitt <[email protected]> wrote:
>I have this application which encrypts software prior to distribution.  I'd
>like to pre-encrypt most of the data (individual files) and then just
>encrypt all the individual file keys with a customer specific key at run
>time.  (This is mostly a CPU cycle saving thing).

Depending on the security environment you're running in, this can be
fine or can be dangerous; think about your threat models carefully.
For some applications, it makes a lot of sense.  It does give you
a traffic analysis problem - eavesdroppers can tell that you sent the same
document to Alice, Bob, and Eve, but not Fred, in case this matters to you.
You could strengthen it a bit by superencrypting the copy you send to
the user with a very fast Snake-Oil algorithm, but Eve has the real document
(and the version encrypted with the good algorithm), so she's got known
plaintext for cracking messages sent to Alice and Bob if she wants.
In a DES world, you might do almost-triple-DES by encrypting with two common
keys up front and use DES with separate third keys for the final stage.
With RC4 or RC5, that doesn't gain you much, since the difference between
RC4/40 and RC4/256 is all in the key-scheduling phase, not the bulk part.

>I thought I'd use the MD5 (or SHA) hash of the plaintext as the key. Plenty
>of entropy in the entire plaintext, a different key for each file and if you
>know the plaintext to calculate the key you don't need the key anyway!

It doesn't really gain you anything; generating pseudo-random key bits
isn't much work compared to encrypting the files or public-key encrypting
the file keys to send to users, and there's no benefit other than getting some
extra entropy bits (which you may want to do anyway to stir into your
entropy pool in addition to using a random number source.)

What it does risk, in case this threat matters, is that somebody who can guess
the documents you might be encrypting can calculate their MD5s and trial
decrypt.
This lets them verify whether a given document is in the encrypted database,
for instance.

One of the NSA Rainbow Books discusses secure databases - maybe Purple or Gray?

#--
#				Thanks;  Bill
# Bill Stewart, [email protected] / [email protected] +1-415-442-2215
# http://www.idiom.com/~wcs     Pager +1-408-787-1281
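The hash-of-plaintext scheme from the quoted proposal and the confirmation risk Bill describes, as an added Python example that is not part of the original thread. The stream cipher is a constructed SHA-256 keystream stand-in (not a real cipher), and the keyed variant with a per-database secret is an added mitigation the post does not mention.

```python
import hashlib
import hmac


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher built from SHA-256 (constructed stand-in
    for a real cipher, stdlib only). XOR is its own inverse, so the same
    call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def convergent_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """The proposal in the thread: key = H(plaintext). Deterministic, so the
    same file always yields the same ciphertext (the traffic-analysis point)."""
    key = hashlib.sha256(plaintext).digest()
    return key, stream_xor(key, plaintext)


def confirm_document(ciphertext: bytes, candidate: bytes) -> bool:
    """The risk Bill raises: anyone who can guess a document recomputes its
    key and trial-decrypts, confirming whether it is in the encrypted store."""
    key = hashlib.sha256(candidate).digest()
    return stream_xor(key, ciphertext) == candidate


def keyed_convergent_encrypt(plaintext: bytes, db_secret: bytes) -> tuple[bytes, bytes]:
    """Added mitigation (not from the post): derive key = HMAC(db_secret, plaintext).
    Still one deterministic key per file, but a guesser without db_secret
    cannot recompute it, so confirm_document() no longer works."""
    key = hmac.new(db_secret, plaintext, hashlib.sha256).digest()
    return key, stream_xor(key, plaintext)
```

Run confirm_document() against a ciphertext from convergent_encrypt() with the right guess and it returns True; against one from keyed_convergent_encrypt() it returns False even with the exact plaintext.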