In article <87r6x57jau.fsf@[EMAIL PROTECTED]>, Hagen Ladwig wrote:
> soneill@[EMAIL PROTECTED] writes:
>
> Do I understand you right? You assume that there could exist a second
> key that would decrypt a message encrypted with another key into
> meaningful content? Ok, nothing is impossible, but this comes pretty
> close. If you had a single character encrypted, you couldn't tell which
> decryption was right. But the longer the encrypted message gets, the
> less likely you find a second key that could result in a possible
> message.
If I understood the original poster correctly, he was asking how you can
know you have a correct decrypt when the "plaintext" can be any kind of
binary sequence, not just text characters. The matter of getting meaningful
decryption from a different key doesn't enter into it. My contention is
that, in the general case, without some auxiliary information, there isn't
any way to know if the decrypt is correct.
>
> In that respect hash functions wouldn't help, because they always have
> collisions. But to exploit that, you would first need to find a collision
> and then you would have to find a meaningful message that gave you the
> collision.
AFAIK, finding any collisions is not especially easy with currently used
hashing algorithms; the probability of creating a sensible message that
gives the required collision in a particular case strikes me as vanishingly
small. OTOH, I'm no expert on the state of collision detection theory, so it
might be easier than I think.
>
> In short, if you use digital signatures for example, they don't confirm
> 100% that you signed the document, but with an error possibility of
> 10^-30 (I don't know to what parameters and system this would correspond,
> it is just a very, very small number).
With a limited number of bits in the output hash, there will always be an
infinite number of messages that can give the same hash. Using a hash to
authenticate a message relies on the likelihood that the value generated by
a specific message could only be duplicated by a string that is of much
greater length than a "real" message, for some value of "length", so that
the hash received with what purports to be an authentic message is the
correct validator for that message. I believe that an algorithm like MD5,
for example, which produces a 128-bit hash, is guaranteed not to produce any
collisions for strings up to 2^64 bits in length. If the messages produced
by your system are shorter than that, then the MD5 hash value accompanying a
message can almost certainly be accepted as the correct validator for that
message.
SJO
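The two points in the post above (that an arbitrary-binary plaintext gives
the decryptor nothing to recognise the right key by, while a text plaintext
of any real length does; and that a value accompanying the message can serve
as the validator) can be shown concretely with an exhaustive key search over
a deliberately tiny key space. The following is an added example written for
this page, not code from either poster. The 16-bit XOR stream cipher keyed
through SHA-256, the sample key 0xBEEF, the sample messages and the choice of
a truncated HMAC-SHA256 tag as the auxiliary information are all assumptions
of the example (the post speaks of an accompanying hash; a keyed tag is used
here so that verifying it also verifies the key, which an unkeyed hash of the
ciphertext alone would not do).

```python
"""Exhaustive search over a toy 16-bit key space to show when a decrypt can
be recognised as correct.  The cipher is a deliberately weak XOR stream
cipher keyed through SHA-256 (an assumption of this example, not a real
scheme); it exists only so that the whole key space can be walked quickly."""
import hashlib
import hmac
import string

KEY_BITS = 16
KEY_SPACE = range(1 << KEY_BITS)
TAG_LEN = 8            # bytes of truncated HMAC-SHA256 appended to the ciphertext
TRUE_KEY = 0xBEEF      # constructed sample key for the demonstration


def keystream(key: int, length: int) -> bytes:
    """Keystream block i = SHA-256(key || i).  Toy construction only."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(2, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: int, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR for a stream cipher."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def looks_like_text(data: bytes) -> bool:
    """Plausibility filter for text plaintext: every byte is printable ASCII."""
    return all(chr(b) in string.printable for b in data)


def candidate_keys(ciphertext: bytes, plausible) -> list:
    """Keys whose decrypt passes the plausibility filter.  For plaintext with no
    known structure the only honest filter is 'accept anything', and then every
    key survives: nothing distinguishes the right decrypt from a wrong one."""
    return [k for k in KEY_SPACE if plausible(xor_crypt(k, ciphertext))]


def mac_key(key: int) -> bytes:
    """Derive a separate MAC key from the cipher key (assumption of the example)."""
    return hashlib.sha256(b"mac|" + key.to_bytes(2, "big")).digest()


def encrypt_and_tag(key: int, plaintext: bytes) -> bytes:
    """Ciphertext followed by a truncated HMAC-SHA256 tag over the ciphertext."""
    ct = xor_crypt(key, plaintext)
    tag = hmac.new(mac_key(key), ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def keys_passing_tag(message: bytes) -> list:
    """The auxiliary information at work: a keyed tag lets the receiver confirm
    the key without assuming anything about the plaintext's structure."""
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return [k for k in KEY_SPACE
            if hmac.compare_digest(
                hmac.new(mac_key(k), ct, hashlib.sha256).digest()[:TAG_LEN], tag)]


def demo() -> dict:
    """Run the four searches on constructed sample inputs and return the counts."""
    one_char = candidate_keys(xor_crypt(TRUE_KEY, b"A"), looks_like_text)
    sentence = candidate_keys(xor_crypt(TRUE_KEY, b"attack at dawn, not noon"),
                              looks_like_text)
    blob = hashlib.sha256(b"constructed random-looking binary").digest()[:24]
    binary = candidate_keys(xor_crypt(TRUE_KEY, blob), lambda _d: True)
    tagged = keys_passing_tag(encrypt_and_tag(TRUE_KEY, blob))
    return {"one_char": len(one_char), "sentence": len(sentence),
            "binary": len(binary), "tagged": tagged}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a one-character text plaintext roughly 100/256 of the 65536 keys yield a
printable byte, so the search cannot pick the key; with a 24-character
sentence the expected number of false candidates is 65536 * (100/256)^24,
far below one, so only the true key remains. For the binary blob every key
survives because there is no filter to apply, and only the keyed tag
singles out 0xBEEF. The tag works because a wrong key matches a 64-bit tag
with probability 2^-64, independent of what the plaintext looks like.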

