If I have a packet of data that is encrypted yet also includes a SHA-224 checksum that is not encrypted, am I creating a security vulnerability?
Or perhaps the checksum should be produced after encryption?
Theoretically, if the checksum is calculated over the plain text, it is giving out more information about the encrypted data and hence reducing the security. If it is calculated over the cipher, it doesn’t matter whether it’s encrypted or not.
In practice, a rainbow table attack could be made. If you need an unencrypted checksum over the plain text to check whether the password is correct (i.e. checksum mismatch = wrong password), make sure you include salt. Otherwise, calculate it over the cypher or, if you calculate it over the plain text, append it to the original data and encrypt everything.
EDIT: You don’t need a bigger checksum, I was thinking about the block size of the encryption algorithm…
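The three packet layouts discussed in the answer above, as an added example that is not part of the original question or answer. It shows what a party without the key can learn from each layout when the message comes from a small set of possibilities. All names are hypothetical, the message and candidate list are constructed, and `toy_encrypt` is a demo-only stand-in for a real cipher.

```python
import hashlib
import hmac
import os

def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only stand-in cipher (assumption): XOR with a SHAKE-256 keystream.
    The same call decrypts. Use a vetted cipher in real code."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

def layout_a(key: bytes, msg: bytes) -> dict:
    """Ciphertext plus an unencrypted SHA-224 of the PLAINTEXT."""
    nonce = os.urandom(16)
    return {"nonce": nonce, "ct": toy_encrypt(key, nonce, msg),
            "tag": hashlib.sha224(msg).digest()}

def layout_b(key: bytes, msg: bytes) -> dict:
    """Ciphertext plus an unencrypted SHA-224 of the CIPHERTEXT."""
    nonce = os.urandom(16)
    ct = toy_encrypt(key, nonce, msg)
    return {"nonce": nonce, "ct": ct, "tag": hashlib.sha224(nonce + ct).digest()}

def layout_c(key: bytes, msg: bytes) -> dict:
    """SHA-224 appended to the plaintext, then everything encrypted."""
    nonce = os.urandom(16)
    body = msg + hashlib.sha224(msg).digest()
    return {"nonce": nonce, "ct": toy_encrypt(key, nonce, body), "tag": None}

def open_layout_c(key: bytes, pkt: dict) -> bytes:
    """Receiver side for layout C: decrypt, split off the 28-byte hash, verify."""
    body = toy_encrypt(key, pkt["nonce"], pkt["ct"])
    msg, tag = body[:-28], body[-28:]
    if not hmac.compare_digest(tag, hashlib.sha224(msg).digest()):
        raise ValueError("checksum mismatch")
    return msg

def keyless_match(pkt: dict, candidates: list):
    """Return the candidate whose SHA-224 equals the bytes visible on the wire,
    or None. Models what the packet reveals to someone without the key."""
    visible = pkt["tag"] if pkt["tag"] is not None else pkt["ct"][-28:]
    for cand in candidates:
        if hmac.compare_digest(hashlib.sha224(cand).digest(), visible):
            return cand
    return None

KEY = os.urandom(32)
MSG = b"approve"                                 # constructed low-entropy message
CANDIDATES = [b"approve", b"reject", b"defer"]   # constructed guess list
```

An unkeyed hash over the ciphertext only detects accidental corruption, because anyone who alters the ciphertext can recompute it. Detecting deliberate modification needs a keyed MAC or an authenticated encryption mode.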