Newsgroups: sci.crypt
From: hoey@zogwarg.etl.army.mil (Dan Hoey)
Date: 30 Jan 92 22:49:41 GMT
Subject: Re: 4 byte signature???

With regards to extending a four-byte signature I wrote:

>If you want a longer signature, you should be able to get it by
>appending the short signature to the message and generating a new
>short signature. Repeat to taste.

ghunt...@Reed.Edu (Galen Huntington) objects:

>The entire point of having a signature is to prevent other
>people from forging your mail. So someone else does a brute-force
>search and produces a four-byte key. They can then send that out.
>You can make your own signature as long as you like; that won't stop
>other people.

>What is needed is a standard length beyond which a signature
>is legal. Which amounts to legislating a length, which is the same
>problem there was with DES.

I should hope any such standard would take into account how much is
at stake and what the state of the art is. But that issue is
different, and orthogonal from the algorithm we use to generate the
signature of whatever length. It only points out how much we need the
algorithm to be able to accommodate a variety of lengths. My point is
that it is better to have an algorithm that generates a short
signature, so you can specify the level of security needed with fine
granularity.

j...@osc.COM (Joe Keane) writes:

:Re-scanning the message also means that you can't implement your
:algorithm as a filter. You have to store the whole message
:somewhere.

Well, if the original algorithm was a filter, then you checkpoint it
just before it reads the EOF, then repeatedly { feed it the EOF, get
four bytes of signature out, restart from the checkpoint, feed it the
four bytes, and recheckpoint }. But it's true this is a fairly lame
way of extracting the large amount of internal state from the
algorithm, if it has it. And if the state is not large, this scheme
does not buy extra security.

Dan Hoey
Hoey@AIC.NRL.Navy.Mil
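
The checkpoint procedure described in the post above, as an added example that is not part of the original post or any poster's code. It uses a hypothetical toy `Filter` class (SHA-256 is a stand-in, since the thread names no algorithm) to show that the checkpoint loop yields the same bytes as re-scanning, and that when the filter's internal state is only 2 bytes wide, two messages that collide in state share every byte of the extended signature.

```python
import hashlib
from itertools import count

TAG_LEN = 4  # four-byte signature from the thread

class Filter:
    """Hypothetical toy streaming digest; `width` bytes is ALL its state."""
    def __init__(self, width, state=None):
        self.width = width
        self.state = bytes(width) if state is None else state
    def feed(self, data):
        for b in data:  # byte at a time, so chunk boundaries do not matter
            h = hashlib.sha256(self.state + bytes([b]))  # SHA-256: stand-in
            self.state = h.digest()[:self.width]
    def checkpoint(self):
        return Filter(self.width, self.state)
    def eof(self):
        return hashlib.sha256(b"EOF" + self.state).digest()[:TAG_LEN]

def extend_streaming(filt, chunks, rounds):
    """Checkpoint before EOF; then EOF a copy, emit 4 bytes, feed them back."""
    for chunk in chunks:
        filt.feed(chunk)
    sig = b""
    for _ in range(rounds):
        tag = filt.checkpoint().eof()
        sig += tag
        filt.feed(tag)
    return sig

def extend_rescan(width, message, rounds):
    """Append the signature so far to the message and sign again."""
    sig = b""
    for _ in range(rounds):
        f = Filter(width)
        f.feed(message + sig)
        sig += f.eof()
    return sig

def state_collision(width):
    """Two distinct constructed messages that leave the filter in one state."""
    seen = {}
    for i in count():
        f = Filter(width)
        f.feed(b"msg-%d" % i)
        if f.state in seen:
            return seen[f.state], b"msg-%d" % i
        seen[f.state] = b"msg-%d" % i
```

With `width=2` the search in `state_collision` is guaranteed to finish within 65537 messages, and the pair it returns produces identical signatures at any number of rounds; the same pair fed to a `width=32` filter does not.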