Oliver said:

> That being said, you could always check that the right key was used in
> your own code, rather than depending on the algorithm. You could, for
> example, prepend every message to encrypt with a magic string "URD
> WINNAR!", and then, upon decrypting, check that messages still contain
> that same magic string (and strip it before delivering it to the user).

Not a good idea, never give out more information than you have to. Adding a
known plaintext makes decryption easier.

> Or you could store an MD5 hash of the message, etc.

Appending a SHA1 (or better) hash to the end of the message would certainly
allow you to tell whether you had used the right key for decryption. Or even a
simple checksum or other non-crypto-quality hash[*]. Since you aren't using
the hash to verify that the message hasn't been tampered with, you are not
asking it to defend you against a malicious attacker, but just against bad
luck. Or the message might have enough internal structure that you can verify
that it makes sense without using a hash at all. (E.g. if it's supposed to be
an XML document then the output should be structurally valid)
I doubt if any crypto algorithm has (or is known to have) any way of verifying
a key against a message other than using the key to decrypt the message, and
then seeing if the result makes sense. If the algorithm had a structure such
that you could tell that the internal state of the decryption engine had become
invalid (i.e. that you were using a wrong key) then that would constitute a
very significant weakness in the algorithm since it would massively cut down
the effort of breaking the encryption by brute force.
-- chris
([*] such as MD5 or SHA1 ;-)
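Chris's append-a-digest check and the structural (XML) variant, carried through in Python as an added example that is not part of the thread. The cipher here is a constructed toy keystream built from SHA-256 (not a real cipher) so that the code runs offline with the standard library only; the function names are my own.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes

def _keystream(key: bytes, length: int) -> bytes:
    # Constructed toy stream cipher for this illustration only: keystream
    # block i is SHA-256(key || i). It is NOT a real cipher; it just lets the
    # example run offline so the key-check logic can be shown.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, key: bytes) -> bytes:
    # Encrypt and decrypt are the same operation for a stream cipher.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def encrypt_with_digest(key: bytes, message: bytes) -> bytes:
    # Append SHA-1(message) before encrypting; the receiver uses it only to
    # detect a wrong key (bad luck), not tampering, as the thread explains.
    return _xor(message + hashlib.sha1(message).digest(), key)

def decrypt_and_check(key: bytes, ciphertext: bytes):
    # Returns the message if the recovered digest matches, otherwise None.
    if len(ciphertext) < DIGEST_LEN:
        return None
    plain = _xor(ciphertext, key)
    body, digest = plain[:-DIGEST_LEN], plain[-DIGEST_LEN:]
    if not hmac.compare_digest(hashlib.sha1(body).digest(), digest):
        return None
    return body

def decrypt_and_check_structure(key: bytes, ciphertext: bytes):
    # The no-hash variant: accept the output only if it parses as XML.
    plain = _xor(ciphertext, key)
    try:
        ET.fromstring(plain)
    except (ET.ParseError, ValueError):
        return None
    return plain
```

A wrong key turns the appended digest into noise that no longer matches SHA-1 of the recovered body, so the check fails; a malicious change to the ciphertext is a different problem and needs a keyed MAC, not a plain digest.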