Re: Question about SHA1 result length
- From: Paul Rubin <http://phr.cx@xxxxxxxxxxxxxx>
- Date: 26 Apr 2006 13:21:42 -0700
DERASN.1@xxxxxxxxx writes:
I am working with the SHA1 algorithm to produce digital signatures for
RSA encryption/decryption. My question is: does a lower bound exist
for the result of an SHA1 hash? Is it possible that there is some data
that would hash to 0 (20 bytes of 0's) or to something very small like
1 or 2?
Yes, this could happen, but the probability is very low. For example,
the probability of even the first 60 bits being zero is 2**-60.
I ask this because I am wondering if a SHA1 hash encrypted
with a reasonably large (1024 bit) RSA key could yield a result that is
too small to be cryptographically secure (by this I mean when raised to
the exponent the result would be less than the modulus). Has anyone
ever run into this or have any knowledge of this? Thanks.
You would not encrypt the hash directly with RSA. You'd use a padding
scheme like OAEP or PSS. Basically that means you insert a bunch of
random bits along with the hash when encrypting, and remove them when
decrypting. Of course there is a tiny probability that all these bits
will be zero. There is similarly a tiny probability that the attacker
can simply guess your private key and get it right on the first try.
In cryptography we're mostly concerned with making these events
extremely unlikely, not with making them impossible.
.
- References:
- Question about SHA1 result length
- From: DERASN . 1
- Question about SHA1 result length
- Prev by Date: Question about SHA1 result length
- Next by Date: Re: DES 10 Byte MAC
- Previous by thread: Question about SHA1 result length
- Next by thread: Implementing byte stream cipher
- Index(es):
Relevant Pages
|
|
