Re: diagram explaining encryption using openssl

2003-09-20 Thread Christian Barmala
Hi Sarah,

On Saturday, September 20, 2003 4:06 PM Sarah Haff wrote:
> Attached is a high-level diagram that depicts how openssl will be utilized in the application for encrypting data from the sender to the receiver.

You mention that the data is "encrypted using the sender's private key .

Re: diagram explaining encryption using openssl

2003-09-20 Thread Michael Sierchio
Christian Barmala wrote:
> You mention that the data is "encrypted using the sender's private key ...
> to ensure that data is sent by the intended sender". Even though you sometimes
> find this expression in literature, I consider it clearer when you say "data is
> signed by the sender's private

Re: diagram explaining encryption using openssl

2003-09-20 Thread Sarah Haff
" <[EMAIL PROTECTED]> Subject: Re: diagram explaining encryption using openssl Date: Sat, 20 Sep 2003 11:22:47 -0400 (EDT) Use standard mechanisms; invent your own and you will almost definitely get it wrong. RSA is basically only used to encrypt a session (ephemeral) key; that key is a sym

Re: diagram explaining encryption using openssl

2003-09-20 Thread Christian Barmala
Hi Michael,

- Original Message -
From: "Michael Sierchio" <[EMAIL PROTECTED]>
Sent: Saturday, September 20, 2003 5:22 PM

> > You mention that the data is "encrypted using the sender's private key ...
> > to ensure that data is sent by the intended sender". Even though you sometimes
>

Re: diagram explaining encryption using openssl

2003-09-20 Thread Rich Salz
If your messages are longer than the size of an AES or 3DES key, you're less efficient. If they're ever going to be longer, you're stuck. :)

> That is what I'm showing the diagram? Or is my diagram wrong? The only
> difference is I am using MD5.

MD5 should be avoided except where it has to be u

Re: diagram explaining encryption using openssl

2003-09-20 Thread Rich Salz
> > Public keys are NOT signed by a CA. A CA signs a cert
> The same "difference" as between signing a message or being more precise
> and saying that you sign a message's digest instead of the whole message.

You missed the point of what Michael said. First, when someone says "xxx is signed" th

Re: diagram explaining encryption using openssl

2003-09-20 Thread Michael Sierchio
Rich Salz wrote: That is what I'm showing the diagram? Or is my diagram wrong? The only difference is I am using MD5. MD5 should be avoided except where it has to be used for legacy apps. Rich will help me with this, but I thought I'd explain why: collision-resistance is especially impor

Re: diagram explaining encryption using openssl

2003-09-20 Thread Rich Salz
> This is probably more than the OP needed to read...

I think in the crypto world, "proof by intimidation" seems to have its place. :)
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapo

Re: diagram explaining encryption using openssl

2003-09-20 Thread Sarah Haff
If your messages are longer than the size of an AES or 3DES key, you're less efficient. If they're ever going to be longer, you're stuck. :) Hmm the messages are 9 digit license numbers. So I think it is going to be simple to just use asymmetric crypt for this. Any suggestions? MD5 should be avoide

Re: diagram explaining encryption using openssl

2003-09-20 Thread Sarah Haff
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Subject: Re: diagram explaining encryption using openssl Date: Sat, 20 Sep 2003 12:39:49 -0400 (EDT) If your messages are longer than the size of an AES or 3DES key, you're l

Re: diagram explaining encryption using openssl

2003-09-20 Thread Rich Salz
> - I should use the word "sign" instead of encryption, when encrypting using
> Private Key to encrypt the checksum. That is a good suggestion.

yeah, that's what misled me before.

> The other question I have is - Should I send the digital signature as a
> separate message, or should take the checksum of

Re: diagram explaining encryption using openssl

2003-09-20 Thread Sarah Haff
yeah, that's what misled me before. got it. :) Are you worried about data corruption such that a non-signed hash is actually buying you anything? I'm sorry Rich, I'm not sure if I understand your question. Can you please explain. Thanks Sarah _

RE: diagram explaining encryption using openssl

2003-09-20 Thread David Schwartz
> >yeah, that's what misled me before.
> got it. :)
>
> >Are you worried about data corruption such that a non-signed hash is
> >actually buying you anything?
> I'm sorry Rich, I'm not sure if I understand your question. Can
> you please
> explain.

I think what he's trying to get at is

Re: diagram explaining encryption using openssl

2003-09-22 Thread Jostein Tveit
Rich Salz <[EMAIL PROTECTED]> writes:
> You missed the point of what Michael said. First, when someone says "xxx
> is signed" they mean hash(xxx) is encrypted with private key. It's
> basically the definition of a signature. Only if you look closely, do you
> see that signing is an application

Re: diagram explaining encryption using openssl

2003-09-22 Thread Rich Salz
> Signing does not have to be an application of hashing and encryption. Take
> a look at DSA.

Yes, of course. I simplified for the audience. I should have made that explicit.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS

Re: diagram explaining encryption using openssl

2003-09-22 Thread Rich Salz
Note: Attached is the updated diagram, I tried to include all the suggestions I received. The arrow that says "Encryt(sic) Using Sender's Private Key" and the box it points into that is labelled "Data encrypted using sender's private key" are nonsensical. SHA1 isn't a checksum, it's a Message Di

Re: diagram explaining encryption using openssl

2003-09-22 Thread Sarah Haff
SHA1 isn't a checksum, it's a Message Digest. I am sorry, I am confused. Isn't MD5 a Message Digest? However people use the phrase "MD5 Checksum". For e.g. http://www.gnu.org/manual/elisp-manual-21-2.8/html_node/elisp_539.html on the GNU website. To quote: "MD5 cryptographic "checksums", or

Re: diagram explaining encryption using openssl

2003-09-22 Thread Rich Salz
Isn't MD5 a Message Digest? Yes, hence the initials MD. Quoting the GNU Emacs manual as an authority on cryptographic terms isn't particularly useful. Is there any reason why we can not use word "checksum" with SHA1? For the same reason you don't call it a CRC -- because that's not what it is.

Re: diagram explaining encryption using openssl

2003-09-22 Thread Sarah Haff
Quoting the GNU Emacs manual as an authority on cryptographic terms isn't particularly useful. Okay. Here is a link to some of the documents that refer to SHA1 as a checksum. http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22SHA1+checksum%22&btnG=Google+Search For the same reason you do

Re: diagram explaining encryption using openssl

2003-09-22 Thread Charles B Cranston
Here are some diagrams in a document I wrote what seems like a century ago (before I started actually writing PKI code): http://www.oit.umd.edu/middleware/pki.html Have been somewhat distracted the last few days by a hurricane. Refugee house guests from the unempowered areas etc. -- Charles B (Ben

Re: diagram explaining encryption using openssl

2003-09-22 Thread Rich Salz
On the other hand a checksum in cryptography is used quite liberally, and can be used interchangeably with one-way-hash/message digest/digital fingerprint etc. Unh, no. Those three terms you separated by a slash are used interchangeably, but while you might rarely see "cryptographic checksum",