|
Posted by Alex Vinokur on April 17, 2005, 7:01 am
If you were Registered and logged in, you could reply and use other advanced thread options
OTP at http://www.fourmilab.ch/onetime/otpgen.html
enables the user to generate one-time pads or password lists in a variety of
formats.
The question is about MD5 signature of the generated keys.
For instance, a sender has generated keys and their MD5 signatures, encrypted
(with using one of the generated keys) some message
and sent the encrypted message, the keys and MD5 signatures to a recipient.
To decrypt the encrypted message the recipient needs the key itself, not its MD5
signature.
How is MD5 signature used in this data transmission process?
Who and how does verify keys with using MD5 signatures? Sender? Not recipients?
--
Alex Vinokur
email: alex DOT vinokur AT gmail DOT com
http://mathforum.org/library/view/10978.html
http://sourceforge.net/users/alexvn
|
|
Posted by Harald Hanche-Olsen on April 18, 2005, 12:09 am
If you were Registered and logged in, you could reply and use other advanced thread options
| OTP at http://www.fourmilab.ch/onetime/otpgen.html
(I deleted a soft hyphen that had snuck into the URL.)
| enables the user to generate one-time pads
No. They make the claim, and say
Spies are furnished "one-time pads" containing pages of keys used to
encrypt individual characters of secret messages, then discarded. As
long as the physical security of the two copies of a one-time pad is
assured and the keys on the pad are sufficiently random, security is
absolute.
This is true only if the one-time pads are truly random. The program
on this page creates pseudo-random "one-time pads", and for this case,
the proof of security breaks down. From the description offered on
the web page I would venture a guess that their "one-time pads" are
not cryptographically very secure.
| or password lists in a variety of formats.
|
| The question is about MD5 signature of the generated keys.
| [...]
| Who and how does verify keys with using MD5 signatures?
The way I read this, the MD5 signature has nothing to do with the
encryption of message, but are only intended for one-time password
applications. The idea is this: The program creates a sequence of
passwords together with their MD5 hashes. You keep the password, the
computer keeps the hashes. Now, when you wish to log in, or use some
password protected service on the computer, you pick the next password
from the list and send it (in the clear) to the computer, which
compares it with the next hash on its list. If they match, you're
in. If not, tough luck. The computer is of course supposed to keep
track so the same password won't work twice, hence keeping
eavesdroppers from using the password.
One-time passwords can be useful, but they don't protect against
man-in-the-middle attacks. Also, to make it harder to apply a
dictionary attack against the password hash file (if the attacker can
get a copy of it), salts should have been used, in the same way they
are used in Unix passwd files.
--
* Harald Hanche-Olsen <URL:http://www.math.ntnu.no/~hanche/>
- Debating gives most of us much more psychological satisfaction
than thinking does: but it deprives us of whatever chance there is
of getting closer to the truth. -- C.P. Snow
|
| Similar Threads | Posted | | Looking for pointers to get started with e-signature | August 19, 2004, 1:26 pm |
| Digital Signature Software | January 4, 2005, 9:25 am |
| XML digital Signature Processing | December 10, 2007, 6:04 am |
| small&fast Digital signature algorithm | September 6, 2007, 2:25 am |
| FYI: Avira detects "Shutdown Windows' servers" by special signature for this tool | August 7, 2006, 3:43 pm |
| Password Generator | October 7, 2005, 7:23 am |
| How can I create a Secure Key Generator? | January 2, 2005, 1:40 am |
| Network Attack generator | November 28, 2005, 9:49 am |
| Need Password Generator for 10 users | October 15, 2006, 8:36 pm |
| Free Random Password Generator | January 26, 2005, 9:11 pm |
|
XML site map