F.4 Digital signature and encryption with PKCS#1

This section outlines the digital signature scheme as described in the PKCS#1 standard [9]. Note that the same standard specifies the encryption/decryption of a data block that can transport symmetric keys.

Data formatting

Both the encryption and the digital signature use the same data formatting: the encryption block EB submitted to either the public RSA operation (encryption) or the secret RSA operation (digital signature) has the format EB = 00 BT PS 00 D, representing a byte-string.

  • The block type BT equals 00 or 01 for a digital signature, but for the scope of this book only BT = 01 is considered, which improves the parsing of EB and eliminates some potential attacks on the signature mechanism. The block type BT equals 02 for encryption.

  • The data D represents either the secret keys to be wrapped in the digital envelope (encryption) or the hash-code of the message to be signed. The byte-length of D, denoted |D|, must be less than or equal to N - 11, where N represents the byte-length of the modulus n of the RSA operation.

  • The padding string PS consists of N - 3 - |D| bytes. If BT = 01, all the bytes of PS are FF, while if BT = 02, each byte of PS is generated at random.

Signature generation with PKCS#1

  1. The message M to be signed is hashed with the selected MDC algorithm, obtaining the hash code H .

  2. The hash code H and the MDC algorithm identifier are combined in an ASN.1 (abstract syntax notation) value, which is further BER-encoded (basic encoding rules) to give an octet data string D .

  3. Compute the encryption block EB as explained in the "Data Formatting" section, with BT = 01.

  4. Interpret the byte-string EB as an integer m, which is always smaller than the modulus n_S.

  5. Perform the secret RSA operation on m corresponding to the signature generation mode and obtain the signature S = Sign(KS_A)[m] = S(n_S, d_S)[m] = m^(d_S) mod n_S.

  6. Interpret S as a byte-string, which is forwarded together with the message to the verifier.

Signature verification with PKCS#1

  1. The byte-string S received from the signer is rejected if the bit-length of S is not a multiple of 8, or if the corresponding integer value is bigger than the value of the modulus n_S.

  2. Perform the public RSA operation on S corresponding to the signature verification mode and obtain the integer m = Verify(KV_A)[S, M] = P(n_S, e_S)[S] = S^(e_S) mod n_S.

  3. Interpret the integer m as a byte-string EB of length N bytes.

  4. Parse EB into a block type BT, a padding string PS, and the data D. Reject the signature if BT does not equal 01, if the byte-length of PS is less than 8 bytes, or if any byte of PS is different from FF.

  5. BER-decode D to obtain a hash code H and an MDC algorithm identifier. Reject the signature if the MDC algorithm identifier is not in the set of accepted MDC algorithms.

  6. Using the MDC algorithm identifier, select the appropriate MDC and compute the hash code H' on the message M, sent by the signer as a mandatory item for the verification process. If the computed H' is different from the hash code H retrieved from D, reject the signature. Otherwise the signature on M is accepted as valid.
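The data formatting rules and the generation and verification steps above, as an added Python example that is not code from the book. It assumes a constructed toy key built from two Mersenne primes and SHA-256 as the only accepted MDC; instead of a general BER decoder it compares D byte for byte against the DER DigestInfo header plus the recomputed hash, and all function names are hypothetical.

```python
import hashlib

# Constructed toy key (two Mersenne primes): demonstration only, never for real use.
P, Q = 2**521 - 1, 2**607 - 1
N_S, E_S = P * Q, 65537
D_S = pow(E_S, -1, (P - 1) * (Q - 1))
N = (N_S.bit_length() + 7) // 8           # byte-length of the modulus

# Set of accepted MDC algorithms: DER DigestInfo header -> hash constructor.
ACCEPTED = {
    bytes.fromhex("3031300d060960864801650304020105000420"): hashlib.sha256,
}
SHA256_HDR = next(iter(ACCEPTED))

def format_eb(d: bytes) -> bytes:
    """EB = 00 BT PS 00 D with BT = 01 and PS made of FF bytes."""
    if len(d) > N - 11:
        raise ValueError("D too long for this modulus")
    return b"\x00\x01" + b"\xff" * (N - 3 - len(d)) + b"\x00" + d

def sign(message: bytes) -> bytes:
    d = SHA256_HDR + hashlib.sha256(message).digest()
    m = int.from_bytes(format_eb(d), "big")   # leading 00 keeps m < n_S
    return pow(m, D_S, N_S).to_bytes(N, "big")

def parse_eb(eb: bytes):
    """Return D, or None if EB breaks any formatting rule."""
    if len(eb) != N or eb[:2] != b"\x00\x01":
        return None
    sep = eb.find(b"\x00", 2)                 # first 00 after BT ends PS
    if sep < 0 or sep - 2 < 8 or eb[2:sep] != b"\xff" * (sep - 2):
        return None
    return eb[sep + 1:]

def verify(message: bytes, sig: bytes) -> bool:
    s = int.from_bytes(sig, "big")
    if len(sig) != N or s >= N_S:             # also rejects s equal to n_S
        return False
    d = parse_eb(pow(s, E_S, N_S).to_bytes(N, "big"))
    if d is None:
        return False
    # Whole-string equality: unknown algorithm, wrong hash, or any bytes
    # trailing the hash inside D all fail the same comparison.
    return any(d == hdr + mdc(message).digest() for hdr, mdc in ACCEPTED.items())
```

Comparing the whole of D, rather than reading the hash out of it and ignoring the rest, is what rejects a block with a short PS and extra bytes after the hash.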

Encryption - key wrapping with PKCS#1

  1. The sender computes at random a double-length DES key of 16 bytes for a Triple-DES algorithm. The data D consists of this double-length DES key. This is just an example, but any secret cryptographic parameter(s) with a byte-length smaller than N - 11 bytes can be encrypted.

  2. Compute the encryption block EB as explained in the "Data Formatting" section, with BT = 02. The padding string contains a number of N - 3 - |D| random bytes.

  3. Interpret the byte-string EB as an integer m, which is always smaller than the modulus n_E.

  4. Perform the public RSA operation on m corresponding to the encryption mode and obtain the digital envelope c = E(KE_B)[m] = P(n_E, e_E)[m] = m^(e_E) mod n_E.

  5. Interpret c as a byte-string, which is forwarded to the receiver.

Decryption - key unwrapping with PKCS#1

  1. The byte-string c received from the sender is rejected if the corresponding integer value is greater than the value of the modulus n_E.

  2. Perform the secret RSA operation on c corresponding to the decryption mode and obtain the number m = D(KD_B)[c] = S(n_E, d_E)[c] = c^(d_E) mod n_E.

  3. Interpret the integer m as the byte-string EB of length N bytes.

  4. Parse EB into a block type BT, a padding string PS, and the data D. Treat the received digital envelope as incorrect if BT does not equal 02, or if the byte-length of PS is less than 8 bytes.

  5. Retrieve the double-length DES key transported in D and store it for later use.
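The wrapping and unwrapping steps above, as an added Python example that is not code from the book. It assumes the same kind of constructed toy key (two Mersenne primes); the function names and the `key_len` parameter, which pins the expected length of D, are hypothetical.

```python
import secrets

# Constructed toy key (two Mersenne primes): demonstration only, never for real use.
P, Q = 2**521 - 1, 2**607 - 1
N_E, E_E = P * Q, 65537
D_E = pow(E_E, -1, (P - 1) * (Q - 1))
N = (N_E.bit_length() + 7) // 8            # byte-length of the modulus

def wrap(key: bytes) -> bytes:
    """Build EB = 00 02 PS 00 D and apply the public RSA operation."""
    if len(key) > N - 11:
        raise ValueError("D too long for this modulus")
    # PS: N - 3 - |D| random bytes. PKCS#1 requires each to be nonzero,
    # so the first 00 after BT is always the separator before D.
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(N - 3 - len(key)))
    eb = b"\x00\x02" + ps + b"\x00" + key
    return pow(int.from_bytes(eb, "big"), E_E, N_E).to_bytes(N, "big")

def unwrap(c: bytes, key_len: int = 16):
    """Return the transported key, or None for every kind of failure."""
    ci = int.from_bytes(c, "big")
    if len(c) != N or ci >= N_E:           # also rejects c equal to n_E
        return None
    eb = pow(ci, D_E, N_E).to_bytes(N, "big")
    sep = eb.find(b"\x00", 2)              # end of PS, -1 if no separator
    ok = eb[:2] == b"\x00\x02" and sep >= 10      # PS is at least 8 bytes
    ok = ok and len(eb) - sep - 1 == key_len      # D has the expected size
    # A single failure value: the caller cannot tell which check failed.
    return eb[sep + 1:] if ok else None
```

Returning one indistinguishable result for a wrong block type, a short PS and a wrong key length keeps the receiver from reporting to the sender which formatting check a submitted envelope failed.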




Implementing Electronic Card Payment Systems (Artech House Computer Security Series)
ISBN: 1580533051
Year: 2003
Pages: 131
Authors: Cristian Radu