Signatures of RSA, DSA, and ECDSA

Digital signature is only the sender of information can be produced by others can not forge a string of numbers, this string is also the sender of information to send information authenticity of a valid proof. The combination of asymmetric key encryption and digital digest technology, the three asymmetric algorithms currently used in digital signatures are:

1. RSA, the Mega NB algorithm is implemented in such a way that it can be used for both signature and encryption (key exchange). In addition to exchanging the public key with the status of the key, the other steps are almost identical. The sender encrypts the digest value of the message with its own private key, and the receiver uses the sender's public key to "decrypt" the digest value and compares it to the digest value computed independently of the message. If it matches, the signature is valid. Compared to encryption, RSA signature is more difficult to understand is the grouping format, we often say that RSA is the digest value to encrypt, in fact, not necessarily, in the encryption will use a DER encoded Digestinfo structure (the structure includes the hash algorithm identifier + digest value), is to encrypt this digestinfo structure. All results in the general use of RSA (1204-bit) private key encryption, can only encrypt up to 117 bytes of data, not 128 bytes (1024 bits).

The purpose of this is to prevent attacks. Assuming that a hash algorithm (H1) suffers catastrophic damage, it is possible to generate a random message with the message digest as a fixed value (the Btw:hash algorithm does not prove that there is no problem at all, just that you cannot produce the same collision at a given time as safe, L). Attack Process:

1) sign message m with another different algorithm H2

2) An attacker could use the H1 (M ') =H2 (m) feature to produce a new message M '.

Attaching our signature to his newly generated message m ' (callout with the broken hash algorithm H1), the signature is still validated.

2.DSA Signature: The original design is used for digital signature and not for the key exchange algorithm, and the same as DH's cryptographic mathematical basis, that is, the number of modules in the field of the modulo exponentiation, the most important difference in the construction of P (large prime) when the p-1 can be called by another prime number of the "Q". Unlike RSA, the DSA signature results are made up of two values R and s (160 bits).

The signature API and parameter descriptions given by the OpenSSL website:

#include <openssl/dsa.h>

int dsa_sign (int type, const unsigned char *dgst, int len,

unsigned char *sigret, unsigned int *siglen, DSA *DSA);

int dsa_verify (int type, const unsigned char *dgst, int len,

unsigned char *sigbuf, int siglen, DSA *DSA);

Dsa_sign () computes a digital signature on the Len Byte message digest dgst using the private key DSA and places its ASN.1 DER encoding at Sigret. The length of the signature is places in *siglen. Sigret must point to dsa_size (DSA) bytes of memory.

Dsa_verify () verifies that the signature sigbuf of size Siglen matches a given message digest dgst of size len. DSA is the signer's public key.

The type parameter is ignored.

By dsa_sign, the signature result is stored in the unsigned string pointer Sigret, and does not reflect the contents of the R and s two parts, because the signature results are encoded in dsa_sign, and R and S are converted to ASN.1 DER Encoding and saved it to Sigret.

Analysis of the OpenSSL source code to verify the above (the files involved are in the directory D:\OPENSSL-1.0.1E\CRYPTO\DSA):

Locate the source code for the dsa_asn1.c dsa_sign in the sources file:

[CPP]View Plain copy print? int dsa_sign (int type, const unsigned char *dgst, int dlen, unsigned char *sig,unsigned int *siglen, DSA *dsa) {D       Sa_sig *s;       Rand_seed (Dgst, Dlen);       S=dsa_do_sign (DGST,DLEN,DSA);           if (s = = NULL) {*siglen=0;           return (0);       } *siglen=i2d_dsa_sig (S,&sig);       Dsa_sig_free (s);   return (1); The structure dsa_sig is defined in Dsa.h as follows:

[CPP] view plain copy print?       typedef struct DSA_SIG_ST {bignum *r;   Bignum *s; } Dsa_sig;

by *siglen=i2d_dsa_sig (S,&sig) in dsa_sign, the signature result s (struct dsa_sig) is transcoded in order to unsigned string pointer SIG.

Through the above analysis, we can get the DSA signature and RSA signature or a certain difference.

3.ECDSA is the combination of ECC and DSA, the entire signature process is similar to DSA, the signature is not the same as the algorithm used in ECC, the final signature of the value is also divided into r,s.

The signing process is as follows:

1, select an Elliptic Curve EP (A, B), and the base point G;

2, select the private key K (K<n,n is the order of G), using the base point G to calculate the public key k=kg;

3, produce a random integer R (r<n), calculate point R=rg;

4, the original data and point R coordinate value x, y as the parameter, calculate SHA1 as hash, that is HASH=SHA1 (original data, x, y);

5. Calculate S≡r-hash * k (mod n)

6, R and s as the signature value, if R and s one is 0, re-executed from step 3rd

The verification process is as follows:

1, the receiving party after receiving the message (m) and the signature value (R,s), the following operation

2, Calculation: Sg+h (m) p= (x1,y1), r1≡x1 mod P.

3. Verification equation: R1≡r mod p.

4, if the equation is established, accept the signature, otherwise the signature is invalid.

The following is a section of the OpenSSL source API (D:\OPENSSL-1.0.1E\CRYPTO\ECDSA) [CPP] view plain copy print?      int ecdsa_sign (int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, Ec_key *eckey) {   Return ecdsa_sign_ex (Type, dgst, Dlen, SIG, Siglen, NULL, NULL, Eckey); }