Penetration Testing mailing list archives

Re: [FDE] Information leakage with publicly visible hash/signature


From: Dave Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 27 Oct 2008 21:01:47 +0000

John wrote:
> Hi all,
>
> (Apologies for asking two questions in quick succession on this
> mailing list: they were similar but distinct so I thought I should put
> two posts up. As before, any help is greatly appreciated).
>
> The software I'm writing sends an encrypted file to a peer for safe
> keeping (for data backup purposes). The peer never needs to decrypt
> the file - only the sender knows the key.
>
> The peer also is sent metadata about the file for later recovery.
>
> My question is this: is there any harm in sending, in plaintext, the
> hash of the *original* plaintext file to the peer? This would be used
> when recovering the file to make sure it has been safely decrypted
> etc. Assume the hash would be cryptographically secure (i.e. SHA256).

Conditionally, yes. It can be used for massively distributed trial
decryption to verify that the trial was correct. However, in practical
terms, no, as encryption schemes often include in-band checksums anyhow.

Depends on your attack model, really.
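
The trade-off discussed in this exchange, as an added example that is not part of the original thread: a bare SHA-256 of the plaintext stored in the peer's metadata lets anyone holding that metadata confirm a candidate plaintext (for example the output of a trial decryption), while an HMAC-SHA256 tag keyed by a secret only the sender holds still gives the sender the same recovery check. The function names, the sample file and the assumption of a MAC key independent of the encryption key are constructed for illustration.

```python
import hashlib
import hmac


def plain_tag(plaintext: bytes) -> str:
    """Unkeyed SHA-256 of the original file, as proposed in the question."""
    return hashlib.sha256(plaintext).hexdigest()


def keyed_tag(mac_key: bytes, plaintext: bytes) -> str:
    """HMAC-SHA256 of the original file under a key only the sender holds."""
    return hmac.new(mac_key, plaintext, hashlib.sha256).hexdigest()


def verify_recovered(mac_key: bytes, recovered: bytes, stored_tag: str) -> bool:
    """Sender-side check after decrypting a file fetched back from the peer."""
    return hmac.compare_digest(keyed_tag(mac_key, recovered), stored_tag)


def holder_can_confirm(stored_tag: str, candidate: bytes) -> bool:
    """What a metadata holder with no key can compute: does this candidate
    plaintext (e.g. the result of a trial decryption) match the stored tag?"""
    return hmac.compare_digest(plain_tag(candidate), stored_tag)


# Constructed sample data, not taken from the thread.
SAMPLE_FILE = b"approved: yes\n"
# Assumption: a MAC key independent of the encryption key; fixed here only so
# the example is reproducible. In practice it is random and never leaves the sender.
SAMPLE_MAC_KEY = bytes(range(32))


def demo() -> dict:
    bare = plain_tag(SAMPLE_FILE)
    keyed = keyed_tag(SAMPLE_MAC_KEY, SAMPLE_FILE)
    return {
        # The bare hash confirms a correct candidate to anyone who sees it.
        "bare_confirms_candidate": holder_can_confirm(bare, SAMPLE_FILE),
        # The keyed tag gives the metadata holder nothing to test against.
        "keyed_confirms_candidate": holder_can_confirm(keyed, SAMPLE_FILE),
        # The sender still gets the integrity check on recovery.
        "sender_verifies": verify_recovered(SAMPLE_MAC_KEY, SAMPLE_FILE, keyed),
        "sender_detects_damage": not verify_recovered(
            SAMPLE_MAC_KEY, SAMPLE_FILE + b"x", keyed),
    }


if __name__ == "__main__":
    print(demo())
```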
