If I have a packet of data that is encrypted yet also includes a sha-224 checksum that is not encrypted, am I creating a security vulnerability?
Or perhaps the checksum should be produced after encryption?
+2
A:
Theoretically, if the checksum is calculated over the plain text, it is giving out more information about the encrypted data and hence reducing the security. If it is calculated over the cipher, it doesn't matter whether it's encrypted or not.
In pratice, a rainbow table attack could be made. If you need an unencrypted checksum over the plain text to check whether the password is correct (i.e. checksum mismatch = wrong password), make sure you include salt. Otherwise, calculate it over the cypher or, if you calculate it over the plain text, append it to the original data and encrypt everything.
EDIT: You don't need a bigger checksum, I was thinking about the block size of the encryption algorithm...
Artefacto
2010-05-17 00:05:27