RSA Signature Verification Study notes

Source: Internet
Author: User
Tags md5 hash

An RSA private key signature is based on a hash algorithm, such as MD5 or SHA1. I had always thought that the signature process was: first hash the plaintext, then encrypt the hash value directly with the private key. I recently found that it is not so simple: the hash data has to be BER-encoded first and is then encrypted.

Let's look at an example first.

The example uses an RSA key pair: a public key modulus, the public key exponent 01 00 01, and a private key (private exponent, P, Q, DP, DQ and InvQ).

Plaintext: 11 22 33 44 55

Calling the .NET RSA signature interface on this plaintext produces the MD5-based signature data.

After decrypting the signature data with the public key, we get: 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 10 3D 4F EA 5D DE D5 9C F8 … D3 F5 AF

This is data in TLV format. After parsing:

| Tag | Name | Length | Value |
|-----|------|--------|-------|
| 30 | Sequence (constructed type) | 20 | |
| 30 | Sequence (constructed type) | 0C | |
| 06 | Object ID | 08 | 2A 86 48 86 F7 0D 02 05 |
| 05 | Null (empty type) | 00 | |
| 04 | Octet string | 10 | 3D 4F EA 5D DE D5 9C F8 … D3 F5 AF |

You can see that 3D 4F EA 5D DE D5 9C F8 … D3 F5 AF is exactly the MD5 value of the plaintext data 11 22 33 44 55.

So what does the rest of the above data mean?

The encoding used here is BER (Basic Encoding Rules). BER data is in TLV format, and the tags are defined as follows:

0x01: bool

0x02: int, integer type

0x04: octstr, string type

0x05: null, empty type

0x06: objid, object ID (here, the OID encoding of the corresponding hash algorithm)

0x0a: enum

0x30: seq, sequence (constructed type)

0x31: setof

0x40: ipaddr

0x41: counter

0x42: gauge

0x43: timeticks

0x44: opaque

In other words, whenever a different hash algorithm is used to sign different data, the basic format of this BER data stays fixed; only the OID of the hash algorithm and the hash value change.

Let's talk about how the OID of the hash algorithm is encoded.

The OID of each algorithm is a fixed sequence of decimal numbers assigned by an international standards body. For example, the OID of MD5 is 1.2.840.113549.2.5, expressed as "iso (1) member-body (2) us (840) rsadsi (113549) digestAlgorithm (2) md5 (5)", so when a decoding program sees this OID, it knows the hash is MD5.

The encoding rules for OIDs are as follows. If the first two parts are x.y, they are combined into one value 40*x + y; each remaining part is encoded on its own. Each value is split into the minimum number of 7-bit groups, with no leading zero group. The groups are arranged in big-endian order and each one is placed in a byte. Except for the last byte of a value's encoding, the highest bit (bit 8) of every byte is set to 1. Example: 30331 = 1 * 128^2 + 108 * 128 + 123 splits into the 7-bit groups {1, 108, 123}; setting the highest bit (0x80) on all but the last gives {129, 236, 123}. If a value has only one 7-bit group, its highest bit is 0.

The rules are not easy to follow, so let's work through the MD5 example:

First, convert 1.2.840.113549.2.5 into the values {42, 840, 113549, 2, 5} (the first two parts are 1.2, so they combine into one value 40*1+2=42).

Second, split each value into 7-bit groups and set the highest bit.

42 = 42: only one 7-bit group, so the highest bit is 0, and the result is {0x2A}

840 = 6*128^1 + 72: bit 8 of every byte except the last is set to 1, and the result is {0x86, 0x48}

113549 = 6*128^2 + 119*128^1 + 13: bit 8 of every byte except the last is set to 1, and the result is {0x86, 0xF7, 0x0D}

2 = 2: only one 7-bit group, so the highest bit is 0, and the result is {0x02}

5 = 5: only one 7-bit group, so the highest bit is 0, and the result is {0x05}

The end result is {{0x2A}, {0x86, 0x48}, {0x86, 0xF7, 0x0D}, {0x02}, {0x05}}

Third, add the tag and length to get the OID encoding 06 08 2A 86 48 86 F7 0D 02 05

The steps of RSA signature verification: first decrypt the signature with the public key, then parse the OID of the hash algorithm and the hash value out of the TLV data, select the corresponding hash algorithm by the OID and compute the hash of the plaintext, and finally compare the two hash values.
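The OID decoding rules and the verification steps above, as an added Python example (not code from the original notes). It assumes the signature has already been decrypted with the public key and any padding removed, so the input is the TLV data itself; the function names, the `HASHES` allow-list and the sample are constructed for this example.

```python
import hashlib
import hmac

# Assumed allow-list for this example: dotted OID -> hashlib algorithm name
HASHES = {"1.2.840.113549.2.5": "md5", "2.16.840.1.101.3.4.2.1": "sha256"}

def read_tlv(buf, pos, want_tag):
    """Read one short-form TLV at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag or buf[pos + 1] >= 0x80:
        raise ValueError("unexpected tag or length form")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("length runs past end of data")
    return buf[pos + 2:end], end

def decode_oid(body):  # OID content bytes -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    parts, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # bit 8 clear: last byte of this value
            parts.append(value)
            value = 0
    x = min(parts[0] // 40, 2)        # first value is 40*x + y
    return ".".join(map(str, [x, parts[0] - 40 * x] + parts[1:]))

def parse_digest_info(der):
    """Return (oid, hash_value); every byte must be accounted for."""
    outer, end = read_tlv(der, 0, 0x30)
    alg, pos = read_tlv(outer, 0, 0x30)
    digest, pos = read_tlv(outer, pos, 0x04)
    if end != len(der) or pos != len(outer):
        raise ValueError("trailing or extra bytes")
    oid, pos = read_tlv(alg, 0, 0x06)
    null, pos = read_tlv(alg, pos, 0x05)
    if null or pos != len(alg):
        raise ValueError("bad algorithm parameters")
    return decode_oid(oid), digest

def verify(der, plaintext):
    oid, digest = parse_digest_info(der)
    name = HASHES.get(oid)            # unknown hash OID: reject
    return name is not None and hmac.compare_digest(
        hashlib.new(name, plaintext).digest(), digest)

# Constructed sample: the MD5 TLV prefix followed by MD5 of 11 22 33 44 55
MSG = bytes.fromhex("1122334455")
SAMPLE = bytes.fromhex("3020300c06082a864886f70d020505000410") + hashlib.md5(MSG).digest()
print(parse_digest_info(SAMPLE)[0], verify(SAMPLE, MSG))
```

The parser rejects data whose lengths do not account for every byte, so extra bytes appended after the hash value do not verify.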

The BER encodings of the common hash algorithms used for RSA signatures are as follows (H is the hash value, || means concatenation):

MD2 (1.2.840.113549.2.2): 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 02 05 00 04 10 || H

MD4 (1.2.840.113549.2.4): 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 04 05 00 04 10 || H

MD5 (1.2.840.113549.2.5): 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 10 || H

SHA1 (1.3.14.3.2.26): 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 || H

SHA224 (2.16.840.1.101.3.4.2.4, not sure if this is the OID): 30 2D 30 0D 06 09 60 86 48 01 65 03 04 02 04 05 00 04 1C || H

SHA256 (2.16.840.1.101.3.4.2.1): 30 31 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H

SHA384 (2.16.840.1.101.3.4.2.2): 30 41 30 0D 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30 || H

SHA512 (2.16.840.1.101.3.4.2.3): 30 51 30 0D 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H

SM3 (1.2.156.197.1.504, not sure if this is the OID): 30 30 30 0C 06 08 2A 81 1C 81 45 01 83 78 05 00 04 20 || H
