On Mon, 5 Feb 2007, Aviram Jenik wrote:
On Monday 05 February 2007 13:15, Peter wrote:
certain MUAs
implicitly sign the message by calculating a hash sum over the message and
certain key parameters in it and making it unique to the sending machine
and to the time and network it was sent at/on. By your definition then, ALL
How is hash a digital signature?
A hash is a checksum that has the property of being hard to duplicate
with a different data set (as in, message). F.ex. SHA-1 etc are 'secure'
(past tense) hashes. If the message length is given then it is
extraordinarily hard to come up with a different message of the same
length that has the same hash sum. Therefore knowing the hash sum of a
message (like the md5 sum of a program) essentially certifies that the
program is indeed the same one if its newly computed sum equals the hash
sum. For a message, if a hash sum is computed and stored somewhere
(perhaps in the message itself, but not necessarily - a signature would
be, of course), then the content of the message cannot be tampered with
without changing the sum. Therefore the hash guarantees the message's
integrity. This is a form of anonymous signature. The hash can however
also sign other things, such as a secret known only to the sender. Then
the recipient cannot check the hash without asking the sender for the
secret (which would likely be transferred in some nonobvious form, like
public key encryption etc), but more simply would send just the hash
back and ask whether it is valid. Of course if the request comes from a
third party the sender can decide that the request is spam ... there are
infinite variations on this. Besides the ability to send secret messages
in what appears to be just another signature.
Note that I am not a security expert.
Peter
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
