On 26/04/12 13:27 PM, Marsh Ray wrote:
> On 04/25/2012 10:11 PM, Zooko Wilcox-O'Hearn wrote:
>> It goes like this: suppose you
>> want to ensure the integrity of a chunk of data. There are at least
>> two ways to do this (excluding public key digital signatures):
>> 1. the secret-oriented way: you make a MAC tag of the chunk (or
>> equivalently you use Authenticated Encryption on it) using a secret
>> key known to the good guy(s) and unknown to the attacker(s).
>> 2. the verifier-oriented way: you make a secure hash of the chunk, and
>> make the resulting hash value known to the good guy(s) in an
>> authenticated way.
>
> Is option 2 sort of just pushing the problem around?
> What's going on under the hood in the term "in an authenticated way"?
No, it's more like ... is there a hood? Are we authenticating it in a
way that we expect? Is there some other way of thinking? What about if
we walk to work instead of taking the car? Er, was I going to work?
Consider the classical PKI v. alternatives argument. In PKI they say we
must trust the TTP to authenticate the promise - so we are at mercy of
that assumption. In contrast, the alternatives just send the info out
and hope the users spot any extremely unlikely attacks in the first
instance. If the first time works out, the system locks in to it.
The difference is that PKI solves a weakness by substituting in another
weakness that later on grows to consume the system. Whereas the
alternate (call it skype or ssh?) just says - take the risk up front,
get on with life. If anything goes wrong, a few muggles get splattered,
but it worked fine for the rest of us.
Both are a leap of faith... One just works better in real life, because
it is the leap of faith that people do every day.
And even that is to assume almost the same application set.
> How do you do authentication in an automated system without someone
> somewhere keeping something secret?
Easy. Take the hash, then publish it. The data can be secret, the hash
need not be.
(Just one solution - now name the problem...)
> Is authenticating the hash value fundamentally different from "ensuring
> the integrity of a chunk of data"?
Definitions :)
iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
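Zooko's two options, and Marsh's question about where the second option's "authenticated way" gets its authentication, as an added worked example in Python. This is not code from the thread or from any of its participants: an HMAC-SHA256 tag stands in for option 1, an unkeyed SHA-256 whose value is distributed out of band stands in for option 2. The `AuthenticatedChannel` class is a hypothetical stand-in for whatever the verifier trusts to carry the hash (a pinned first-contact value, a signed manifest, a trusted web page), and the `CHUNK`/`TAMPERED` payloads are constructed sample data; the example also goes one step past the thread by showing the guess-confirmation side effect of publishing a hash of secret data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example (not from the thread).
CHUNK = b"firmware v1.2.3: constructed sample payload"
TAMPERED = b"firmware v1.2.3: constructed sample payload, plus a backdoor"


# --- 1. Secret-oriented: a MAC tag under a key the attacker does not know ---

def mac_tag(key: bytes, chunk: bytes) -> bytes:
    """HMAC-SHA256 tag over the chunk under a shared secret key."""
    return hmac.new(key, chunk, hashlib.sha256).digest()


def mac_verify(key: bytes, chunk: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac_tag(key, chunk), tag)


# --- 2. Verifier-oriented: a public hash, distributed in an authenticated way ---

def chunk_digest(chunk: bytes) -> str:
    """Unkeyed SHA-256 of the chunk; anyone can compute and check it."""
    return hashlib.sha256(chunk).hexdigest()


class AuthenticatedChannel:
    """Hypothetical stand-in for 'made known in an authenticated way'.

    Models whatever the verifier trusts for the hash value. Whoever can
    write here decides what the verifier will accept.
    """

    def __init__(self) -> None:
        self._pins = {}

    def publish(self, name: str, digest_hex: str) -> None:
        self._pins[name] = digest_hex

    def lookup(self, name: str) -> str:
        return self._pins[name]


def hash_verify(channel: AuthenticatedChannel, name: str, chunk: bytes) -> bool:
    """No secret involved: recompute the hash, compare with the published one."""
    return hmac.compare_digest(chunk_digest(chunk), channel.lookup(name))


def confirm_guess(channel: AuthenticatedChannel, name: str, candidates: list) -> list:
    """Flip side of a public hash: anyone can test guesses against it.

    Harmless when the data has enough entropy; for low-entropy secrets it
    lets an attacker confirm a guess, so a keyed or salted commitment is
    the usual answer there.
    """
    published = channel.lookup(name)
    return [c for c in candidates if chunk_digest(c) == published]


# --- Scenarios: what each approach catches, and what each one leans on ---

def scenario_mac() -> dict:
    key = secrets.token_bytes(32)           # shared by the good guys only
    attacker_key = secrets.token_bytes(32)  # attacker never learns `key`
    tag = mac_tag(key, CHUNK)
    return {
        "genuine_accepted": mac_verify(key, CHUNK, tag),
        "tampered_rejected": not mac_verify(key, TAMPERED, tag),
        # Without the key, no tag the attacker computes will verify.
        "forgery_rejected": not mac_verify(key, TAMPERED, mac_tag(attacker_key, TAMPERED)),
        # But every key holder can forge: integrity rests on keeping `key` secret.
        "insider_forgery_accepted": mac_verify(key, TAMPERED, mac_tag(key, TAMPERED)),
    }


def scenario_hash() -> dict:
    channel = AuthenticatedChannel()
    channel.publish("fw", chunk_digest(CHUNK))   # published in the clear
    results = {
        "genuine_accepted": hash_verify(channel, "fw", CHUNK),
        "tampered_rejected": not hash_verify(channel, "fw", TAMPERED),
    }
    # Let the attacker into the channel: the problem has moved from
    # 'keep the key secret' to 'keep the published hash authentic'.
    channel.publish("fw", chunk_digest(TAMPERED))
    results["tampered_accepted_once_channel_subverted"] = hash_verify(channel, "fw", TAMPERED)
    return results


def scenario_guess() -> list:
    channel = AuthenticatedChannel()
    channel.publish("fw", chunk_digest(CHUNK))
    return confirm_guess(channel, "fw", [TAMPERED, CHUNK])
```

The two scenario functions return their outcomes as dicts rather than printing them, so they can be asserted on. The rows worth comparing are `insider_forgery_accepted` in the MAC case and `tampered_accepted_once_channel_subverted` in the hash case: each approach fails exactly where its trust assumption fails, which is the distinction the thread is circling.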