tags:

views:

166

answers:

1
+1  Q: 

Is this RSA-based signature (with recovery) scheme cryptographically sound?

I am implementing a simple license-file system, and would like to know if there are any mistakes I'm making with my current line of implementation.

The message data is smaller than the key. I'm using RSA, with a keysize of 3072bits.

The issuer of the licenses generates the message to be signed, and signs it, using a straightforwards RSA-based approach, and then applies a similar approach to encrypt the message. The encrypted message and the signature are stored together as the License file.

  1. Sha512 the message.
  2. Sign the hash with the private key.
  3. Sign the message with the private key.
  4. Concatenate and transmit.

On receipt, the verification process is:

  1. Decrypt the message with the public key
  2. Hash the message
  3. Decrypt the hash from the file with the public key, and compare with the local hash.

The implementation is working correctly so far, and appears to be valid.

I'm currently zero-padding the message to match the keysize, which is probably a bad move (I presume I should be using a PKCS padding algorithm, like 1 or 1.5?)

Does this strategy seem valid? Are there any obvious flaws, or perspectives I'm overlooking?

+2  A: 

The major flaw I noticed: you must verify the padding is still there when you decrypt.

(If you know the message length in advance then you might be able to get away with using your own padding scheme, but it would probably still be a good idea to use an existing one as you mentioned).

I am not sure why you're bothering to encrypt the message itself - as you've noted it can be decrypted by anyone with the public key anyway so it is not adding anything other than obfuscation. You might as well just send the message and the encrypted-padded-hash.

I would recommend using a high level library that provides a "sign message" function, like cryptlib or KeyCzar(if you can). These benefit from a lot more eyeballs than your code is likely to see, and take care of all the niggly padding issues and similar.

caf  2009-07-20 06:05:32
Encrypting the message is purely for obfuscation, yes. Is there a vulnerability in transmitting Enc[x] and Enc[Hash[x]]? I'm presuming not since the Hash is correctly (and heavily) padded. My implementation is based on the excellent public domain LibTomCrypt. I was using Wei Dai's CryptoPP but RSA signature with recovery seems to be unimplemented with the latest recommended signature schemes.
Dave Gamble  2009-07-20 12:10:29
Can't see any, again as long as you're veryifying all of the padding. I suggest sending it to the [email protected] list for more review.
caf  2009-07-20 12:59:11

related questions

Is there a standard implementation for Electronic Signatures on fill-in-form web applications?
Best way to handle block ciphers in C++? (Crypto++)
What is the best replacement for Windows' rand_s in Linux/POSIX?
Combination of more than one crypto algorithm
Encryption output always different even with same key
What techniques do you use when writing your own cryptography methods?
Optimize y = x*x in Galois field arithmetic
Best way to prevent duplicate use of credit cards
Enumerating Certificate Fields in C#
I'm using Wincrypt for Diffie-Hellman-- can I export the shared secret in plain text?
Cryptography algorithm
I have P & G-- how do I use the Wincrypt API to generate a Diffie-Hellman keypair?
Good primers on Cryptography
Should I use an initialization vector (IV) along with my encryption?
How do I hash a string with Delphi?
Inter-convertability of asymmetric key containers (eg: X.509, PGP, OpenSSH)
How to implement password protection for individual files?
Is Bouncy Castle API Thread Safe ?
128 bit data encryption using Java
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
App.config connection string Protection error
Is there a best .NET algorithm for credit card encryption?
How to encrypt one message for multiple recipients?
How can I generate a unique, small, random, and user-friendly key?
Why is an s-box input longer than its output?