On Tuesday, 24.06.03 at 16:59, Pat Deegan wrote:


Hello,

On Tue, 2003-06-24 at 09:31, Roddi wrote:
Hi,

I have some difficulties choosing the right algorithm for the
following problem
[snip]
Is there a public-key algorithm that can sign with a signature length
of 128 bits (or preferably even shorter) and that would still be secure?

I think that most algorithms will sign some type of digest of the message, like an MD5. MD5 is a 128 bit hash, while SHA-1 is a 160 bit hash so the question is can the signature ever be of equal length or shorter than the data it has signed? If not, are there any algos that sign something shorter? I dunno, someone else on the list will have to answer these.
Well I'm not sure whether the whole serial#-fingerprint combo is signed or a hash of it. (I didn't write the code) Are there any security risks if I do not use a hash?

The problem is that about 128 bit is the longest number we can let the users key in by hand. If you do it in hexadecimal digits you get 32 digits that look like that:

46d3-456a-90c2-3f02-ba41-08cb-35ad-24d1 (example)

This will definitely not be fun for the user.


Perhaps if you use some alternate means - e.g. postal delivery of floppies or CD - you can avoid compromising your entire system for the few users without connectivity.
Yeah, that's the way to go if I find no solution to the problem. But it will give our support people a hard time again.


I am curious about this:

5. the software checks the signature with the public key and refuses to
run if the signature is not valid

We've been thinking of a somewhat similar procedure but the
question is "how do you protect the public key?". How are you doing it?
Well, to be honest, I don't understand the question. As far as I understand the matter, the cool thing about public key cryptography is that you cannot derive the private key from the public key, even if you have the plain text *and* the cipher text. Correct me if I'm wrong!

regards Ruotger Skupin
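
Added example, not part of the original thread or the poster's software: a textbook-RSA sketch showing that the signature is as long as the modulus, not the digest, so a code short enough to type by hand implies a modulus far too small to resist factoring. The toy Mersenne-prime key, the unpadded scheme, all function names and the sample serial string are assumptions constructed for illustration.

```python
import hashlib

# Toy key, constructed for illustration only: two well-known Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                              # 150-bit modulus, far too small for real use
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest_int(message: bytes, modulus: int = N) -> int:
    """Hash the message and reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message: bytes) -> int:
    """Textbook RSA signature (no padding): digest^D mod N."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Check signature^E mod N against the recomputed digest."""
    return 0 <= signature < N and pow(signature, E, N) == digest_int(message)


def hex_digits(bits: int) -> int:
    """Hex digits a user must type for a value of the given bit length."""
    return (bits + 3) // 4


def as_typed_code(signature: int) -> str:
    """Render a signature in the hyphenated 4-digit groups used in the thread."""
    text = format(signature, "0{}x".format(hex_digits(N.bit_length())))
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


if __name__ == "__main__":
    licence = b"SN-000123|fingerprint-abcdef"   # constructed serial#/fingerprint string
    sig = sign(licence)
    print("code to type :", as_typed_code(sig))
    print("verifies     :", verify(licence, sig))
    print("altered input:", verify(licence + b"x", sig))
    for bits in (128, N.bit_length(), 2048):
        print(f"{bits:5d}-bit signature -> {hex_digits(bits)} hex digits")
```

Hashing first does not shorten the result: the digest only fixes the size of the input to the private-key operation, while the output always spans the full modulus.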


