If we assume both the sender and recipient already have a symmetric key,
even though the attacker generates a hash of the message (after he has
modified it) with his own SHA-1 key, when the recipient recalculates the
hash of the modified message with his original key, the hash will not match
because the key used to generate the false hash and the key used to
recalculate it are different.

The only way this would work is if the attacker has a copy of the same key as
that of the sender and recipient. If he modifies the message and generates a
hash of the modified message with the sender/recipient key, there is no
way the receiver can tell that the message is false.

Bear in mind though that the attacker must also know the encryption
algorithm used to encrypt the message in the first place. I have heard
however that determining the encryption algorithm by looking at the cypher
isn't difficult.

Hope this helps
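The distinction drawn in the reply above, as an added example that is not part of this thread: an unkeyed SHA-1 sent beside the message can simply be recomputed by whoever altered it, whereas a keyed hash (modelled here as HMAC-SHA1 under a key the sender and recipient share, which is an assumption about how "hash with a key" is realised) only verifies for holders of that key. The key and messages are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample values (placeholders, not from the thread).
SHARED_KEY = b"sender-and-recipient-secret"   # assumed shared out of band
ORIGINAL = b"Transfer 100 to account A"
MODIFIED = b"Transfer 900 to account B"        # message after alteration in transit


def plain_tag(message: bytes) -> bytes:
    """Unkeyed SHA-1 over the message, i.e. 'send the hash along with the message'."""
    return hashlib.sha1(message).digest()


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash (HMAC-SHA1): only a holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify_plain(message: bytes, tag: bytes) -> bool:
    """Recipient recalculates the unkeyed hash and compares in constant time."""
    return hmac.compare_digest(plain_tag(message), tag)


def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recipient recalculates the keyed hash with the shared key and compares."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def plain_hash_offers_no_protection() -> bool:
    """Altered message plus a freshly computed plain SHA-1 passes the check (True)."""
    return verify_plain(MODIFIED, plain_tag(MODIFIED))


def altered_without_key_is_rejected() -> bool:
    """Altered message tagged under some other key fails the recipient's check (False)."""
    return verify_keyed(SHARED_KEY, MODIFIED, keyed_tag(b"some-other-key", MODIFIED))


def altered_with_original_tag_is_rejected() -> bool:
    """Sender's genuine tag over ORIGINAL does not verify for MODIFIED (False)."""
    return verify_keyed(SHARED_KEY, MODIFIED, keyed_tag(SHARED_KEY, ORIGINAL))


def genuine_message_is_accepted() -> bool:
    """Untouched message with the sender's keyed tag verifies (True)."""
    return verify_keyed(SHARED_KEY, ORIGINAL, keyed_tag(SHARED_KEY, ORIGINAL))
```

As the reply also notes, anyone holding SHARED_KEY can produce a valid tag for any message, so the protection rests entirely on keeping that key between sender and recipient.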


----- Original Message -----
From: "Britt A. Green" <[EMAIL PROTECTED]>
To: "Cheryl Goh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, July 12, 2002 1:20 AM
Subject: Re: 3DES versus SHA-1


> Out of curiosity, what prevents someone from intercepting this message,
> changing it and replacing it with their own SHA-1 hash?
>
> --
> "My mom says I'm cool."
>
> ----- Original Message -----
> From: "Cheryl Goh" <[EMAIL PROTECTED]>
> To: "Mario Behring" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 09, 2002 9:51 PM
> Subject: Re: 3DES versus SHA-1
>
>
> > Hello Mario,
> >
> > 3DES and SHA-1 are two different encryption algorithms. 3DES is a symmetric
> > algo and SHA-1 is a hashing algo.
> >
> > A typical scenario would be :
> >
> > The message is encrypted using 3DES to ensure that even if the message is
> > intercepted the intruder is unable to view the message.
> >
> > SHA-1 is used to create a hash of the message and this hash is sent along
> > with the message to the receiver. When the recipient receives the message,
> > he recalculates the hash to see if they both match. If the hash matches then
> > the message is original and has not been tampered with.
> >
> > In short, SHA-1 maintains the integrity of the message and 3DES maintains
> > the confidentiality of the message. They are both used in tandem.
> >
> > Cheryl Goh
> > Security Consultant, CISSP
>
>
>
