openssl at schwebbman.com wrote:
I am working on writing a program that performs encryption using triple-DES. I am reading (decrypting) and writing (encrypting) a linked list to a file. The program will read and write the individual structures that make up the linked list using OpenSSL. The problem that I am running into is that I cannot figure out a way to check to ensure that the data that is being decrypted is actually being decrypted properly. In other words, if I write out my linked list, encrypting each structure as I write it, I end up with a file that is encrypted. If I edit the file using a binary file editor (emacs), and I try and run the decryption program, the output to the screen is human readable, until it hits the point where I made changes in the encrypted file. Is there a way to stop the decryption once the data is deemed to be "bad"?

thank you.

David Schwartz wrote:
> Reply:
>
> There are any number of ways to do this. A very simple way is to add a
> checksum field to the decrypted data and encrypt it along with the data.
> When you decrypt the data, decrypt the checksum field along with it and then
> compute the checksum of the data (less the checksum field itself) and verify
> it against the decrypted checksum field. If they don't match, reject the
> data.
>
> DS

Please let me say first it was an interesting question
and a great reply.

There was an even better case: RC4 encryption (an XOR-based one)
of authorisation data. It was easy to flip the right bit
resulting in "paid" status with everything else decrypted just fine.

Yes, the problem as described could be handled by
message-authenticating codes. It might be better to verify integrity
of ciphertext instead of cleartext.

For details, please consider taking a look at
http://attic.cashcow.dk/mail-archive.cashcow.dk/msg00857.html
and the paper mentioned there.

Some research papers are known on encrypt-and-authenticate
as a primitive operation, in case someone doesn't mind writing new code

regards,
Vadim


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
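
The thread's suggestion of a MAC over the ciphertext, applied to a file of per-record encrypted structures, as an added example that is not code from any poster or from OpenSSL. The record layout, the function names and the SHA-256 counter-mode keystream standing in for the cipher are assumptions made for illustration, and the sample records are constructed.

```python
import hashlib, hmac, os, struct

TAG_LEN, NONCE_LEN = 32, 16  # HMAC-SHA256 tag size, per-record nonce size

def _xor_keystream(key, nonce, data):
    # Stand-in cipher (assumption): SHA-256 counter-mode keystream XORed with data.
    # Malleable like the RC4 case in the thread; substitute a real cipher in practice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + struct.pack(">Q", i // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _tag(mac_key, index, body):
    # The MAC covers the record index as well, so reordered records fail too.
    return hmac.new(mac_key, struct.pack(">Q", index) + body, hashlib.sha256).digest()

def seal_record(enc_key, mac_key, index, plaintext):
    """Layout (assumed): 4-byte length | nonce | ciphertext | HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor_keystream(enc_key, nonce, plaintext)
    return struct.pack(">I", len(body)) + body + _tag(mac_key, index, body)

def read_records(enc_key, mac_key, blob):
    """Return (plaintexts, error); stop at the first record that fails."""
    records, pos, index = [], 0, 0
    while pos < len(blob):
        n = struct.unpack_from(">I", blob, pos)[0] if pos + 4 <= len(blob) else 0
        end = pos + 4 + n + TAG_LEN
        if n < NONCE_LEN or end > len(blob):
            return records, f"record {index}: truncated or malformed"
        body, tag = blob[pos + 4:pos + 4 + n], blob[pos + 4 + n:end]
        # Verify the ciphertext first; nothing is decrypted unless the tag matches.
        if not hmac.compare_digest(tag, _tag(mac_key, index, body)):
            return records, f"record {index}: MAC mismatch"
        records.append(_xor_keystream(enc_key, body[:NONCE_LEN], body[NONCE_LEN:]))
        pos, index = end, index + 1
    return records, None

def demo():
    # Constructed sample: three records, then one bit changed inside record 1.
    ek, mk = os.urandom(32), os.urandom(32)
    recs = [b"id=1;status=unpaid", b"id=2;status=unpaid", b"id=3;status=paid"]
    blob = bytearray(b"".join(seal_record(ek, mk, i, r) for i, r in enumerate(recs)))
    blob[len(blob) // 2] ^= 0x01
    return read_records(ek, mk, bytes(blob))

if __name__ == "__main__":
    print(demo())
```

The reader returns the records that verified plus the reason it stopped, so the caller never sees output from an edited record. Separate encryption and MAC keys are used on purpose.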
