Encrypting a short string?

Carl Banks pavlovevidence at gmail.com
Mon Feb 11 23:17:59 CET 2008


On Feb 11, 4:19 pm, erikcw <erikwickst... at gmail.com> wrote:
> On Feb 11, 4:07 pm, marek.ro... at wp.pl wrote:
> > erikcw napisal(a):> But that can't be reversed, right? I'd like to be able to decrypt the
> > > data instead of having to store the hash in my database...
>
> > In such case it seems you have no choice but to use a symmetric
> > encryption algorithm - in other words, your original method. If the
> > strings are ~20 bytes long (3 DES blocks), then the base64-encoded
> > ciphertext will have 32 characters. In case of AES, that'll be up to
> > 45 characters. Wouldn't such length be acceptable?
>
> > Paul Rubin napisal(a):> 2. What happens if the user edits the subject line?
> > > Under normal security requirements you cannot do this. The ciphertext
> > > has to be longer than the plaintext since you don't want the opponent
> > > to be able to tell whether two plaintexts are the same. Therefore you
> > > have to attach some random padding to each plaintext. Also, you
> > > presumably want the ciphertext to be encoded as printing characters,
> > > while normally you'd treat the input as binary, so there is some
> > > further expansion.
>
> > If what erikcw is looking for is a cryptographically secure protocol,
> > there are more things to be careful about, like authentication or
> > replay attacks. But indeed, I'm wondering now what his use-case is.> I'm using this encrypted string to identify emails from a
> > > user. (the string will be in the subject line of the email).
>
> > Why not use "From" field to identify emails from a particular user?
>
> > Regards,
> > Marek
>
> In essence what I'm doing is trying to manage tickets for a helpdesk.
> I want the ticket identifier to be short enough to fit in the subject
> line along with the normal subject chosen by the user.  So
> cryptographic security isn't really important.  I can't use the from:
> field because a single user could have multiple tickets.

Shouldn't you have a database associating a ticket ID with an email
address (among other things)?


Carl Banks



More information about the Python-list mailing list