<h3>Solution based on digital signatures with message recovery</h3>
<p>Let's assume that the message <em>M</em> you want to store can be split into two segments: M<sub>1</sub> and M<sub>2</sub>, and that <em>M = M<sub>1</sub>||M<sub>2</sub></em>.</p>
<p>In general, the verification step in a message recovery scheme will tell you if <em>M</em> is authentic, but it will also give you back one segment (for instance <em>M<sub>2</sub></em>) so that you effectively need to store only the other segment (for instance <em>M<sub>1</sub></em>). As a drawback, you cannot access <em>M<sub>2</sub></em> without verifying the signature first, but in most cases that is really not what one wants to do.</p>
<p>Intuitively, some storage can be used for <em>both</em> a part of the message <em>and</em> a part of the signature.</p>
<p>The most widespread example is probably the scheme standardized in ISO 9796-2 (which is not totally secure! Read below...). In that scheme, a 2048-bit RSA signature coupled to SHA-1 can be used to store 234 bytes of <em>M<sub>2</sub></em>. In practice, that means that the signature length varies from 20 to 256 bytes, depending on the length of <em>M</em>.</p>
<p>More specifically, if <strong><em>n</em></strong> is the length of your RSA key and <strong><em>h</em></strong> is the length of the hash output (both in bits), the number of bytes you can store in the signature is <strong><em>(n-h-16)/8</em></strong>.</p>
<p>Whether it is good or not for you depends on how long your data is.</p>
<p>The caveat I mention above is that <a href="http://eprint.iacr.org/2009/203.pdf" rel="nofollow">Coron, Naccache, Tibouchi, and Weinmann</a> recently showed that ISO 9796-2 can be broken more easily than one would expect, even though not "in 5 minutes on one computer" (they had to resort to several EC2 instances). Yet, it may be good enough for you security-wise.</p>
<p>Other message recovery schemes exist, but one thing you should pay attention to is their patent status. For instance, PSS-R, <a href="http://www.di.ens.fr/~stern/data/St86.ps" rel="nofollow">Naccache-Stern</a>, Nyberg-Rueppel, <a href="http://www.certicom.com/index.php/ecc-and-digital-postage-marks-part-2" rel="nofollow">Pintsov-Vanstone</a> cannot be freely used.</p>
<h3>Solution based on signatures with appendix</h3>
<p><a href="http://en.wikipedia.org/wiki/Digital_Signature_Algorithm" rel="nofollow">DSA</a> is a possibility. In this case, the signature does not embed any part of the original message. The general rule is that if you want a security of <strong><em>s</em></strong> bits, you need a <strong><em>4s</em></strong>-bit-long DSA signature. To say, for 80-bit security (equivalent to 2TDES) you need 40 bytes. The same formula applies for <a href="http://en.wikipedia.org/wiki/Elliptic_Curve_DSA" rel="nofollow">ECDSA</a>, but DSA is simpler and more widespread in software libraries.</p>
<p>In both cases (DSA and ECDSA), the signing server <strong>must</strong> have a good source of randomness. If the random generator is not reliable (e.g. if the server is a Virtual Machine or an embedded system), DSA and ECDSA could be broken, no matter how long the signatures are.</p>
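<p>The following is an added worked example, not code from the answer above nor a conforming ISO 9796-2 implementation. It is a toy message-recovery signature that follows the block layout the Coron et al. paper attributes to ISO 9796-2 (<code>0x6A || recoverable part || H(M) || 0xBC</code>) over textbook RSA, so that the capacity formula <em>(n-h-16)/8</em> can be seen to fall out of one header byte, one trailer byte and the hash. It also encodes the <em>4s</em> rule for DSA signature size. The RSA key generation (Miller-Rabin primes, <code>e = 65537</code>) and SHA-256 as the hash are assumptions chosen for the demo, as is the simplification that the embedded segment M<sub>2</sub> must fill the capacity exactly (the standard has a separate encoding for shorter messages). Note how the verifier only releases M<sub>2</sub> after the hash over M<sub>1</sub>||M<sub>2</sub> checks, which is exactly the "cannot access M<sub>2</sub> without verifying" property described above.</p>

```python
"""Toy ISO 9796-2-style message-recovery signature (added example, not a
conforming implementation). Layout: 0x6A || M2 || H(M) || 0xBC, signed with
textbook RSA.  Requires Python 3.8+ for pow(e, -1, phi)."""
import hashlib
import hmac
import secrets
from math import gcd

HASH = hashlib.sha256   # assumption: SHA-256 instead of the standard's SHA-1
H_BITS = 256


def recoverable_bytes(n_bits: int, h_bits: int) -> int:
    """Bytes of M the signature can carry: modulus minus hash minus one
    header byte and one trailer byte, i.e. (n - h - 16) / 8."""
    return (n_bits - h_bits - 16) // 8


def dsa_signature_bytes(security_bits: int) -> int:
    """DSA/ECDSA signature (r, s): each component is 2*s bits, so 4*s bits."""
    return 4 * security_bits // 8


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    # Top two bits set so the product of two such primes has exactly 2*bits bits.
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa(bits: int = 1024, e: int = 65537):
    """Return (N, e, d). Toy key size; real deployments use 2048+ bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def sign_with_recovery(message: bytes, N: int, d: int):
    """Split M into (M1 stored in clear, M2 embedded) and return (M1, signature)."""
    n_bits = N.bit_length()
    cap = recoverable_bytes(n_bits, H_BITS)
    if len(message) < cap:
        raise ValueError(f"toy needs >= {cap} bytes; shorter messages need the "
                         "standard's partial-recovery encoding")
    m1, m2 = message[:-cap], message[-cap:]
    block = b"\x6a" + m2 + HASH(message).digest() + b"\xbc"
    assert len(block) * 8 == n_bits          # header 0x6A keeps block < N
    sig = pow(int.from_bytes(block, "big"), d, N)
    return m1, sig.to_bytes(n_bits // 8, "big")


def verify_and_recover(m1: bytes, signature: bytes, N: int, e: int) -> bytes:
    """Verify and return the full message M1||M2; raise ValueError otherwise.
    M2 is released only after the hash over the reassembled message checks."""
    n_bits = N.bit_length()
    cap = recoverable_bytes(n_bits, H_BITS)
    s = int.from_bytes(signature, "big")
    if s >= N:
        raise ValueError("signature out of range")
    block = pow(s, e, N).to_bytes(n_bits // 8, "big")
    if block[0] != 0x6A or block[-1] != 0xBC:
        raise ValueError("bad header/trailer")
    m2, digest = block[1:1 + cap], block[1 + cap:-1]
    message = m1 + m2
    if not hmac.compare_digest(digest, HASH(message).digest()):
        raise ValueError("hash mismatch: M1 or signature was altered")
    return message


if __name__ == "__main__":
    N, e, d = generate_rsa()
    msg = b"constructed sample record for the message-recovery demo. " * 3
    m1, sig = sign_with_recovery(msg, N, d)
    print(f"stored {len(m1)} bytes of M1 plus a {len(sig)}-byte signature "
          f"carrying {len(msg) - len(m1)} bytes of M2")
    assert verify_and_recover(m1, sig, N, e) == msg
```

<p>With a 1024-bit toy modulus and SHA-256 the capacity is (1024-256-16)/8 = 94 bytes, matching the 234 bytes the answer gives for 2048-bit RSA with SHA-1. Altering a single byte of the stored M<sub>1</sub> makes the recomputed hash disagree with the one inside the signature, so recovery fails rather than returning a forged M<sub>2</sub>.</p>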