As I understand it, the digital signature scheme described in ISO/IEC FDIS
9796-2 can be implemented independently of the signature generation
algorithm. Currently I have implemented support for RSA only. We have
sample ePassports that support Active Authentication, and all of
them use a scheme based on RSA.

I have looked at section 3.3.2. The recommendation about using RSA-PSS
applies to signature generation for certificates and the Document Security
Object of the RFID chip. In Active Authentication, simple RSA is used.

We have tried to contact the authors of the document about some other
questions but haven't got an answer yet.

On 22 Oct, 15:06, "Wei Dai" <[email protected]> wrote:
> I'm pretty sure there's an error or misunderstanding on someone's part. Part
> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation based
> mechanisms" and DSA/ECDSA are not factorisation based!
>
> Also, if you look at section 3.3.2 of that ICAO document, it says that for
> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS 9796-2's
> Digital Signature Scheme 1. I don't have time to read through this document
> and figure out what is going on. Can you ask someone who is more familiar
> with this standard (maybe its authors?).
>
> --------------------------------------------------
> From: "Alexei" <[email protected]>
> Sent: Thursday, October 22, 2009 3:57 AM
> To: "Crypto++ Users" <[email protected]>
> Subject: Re: Get MessageRepresentative from signature
>
> > I am implementing software for a reader of ICAO-compliant e-Passports.
> > This document
> > http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
> > specifies the Active Authentication procedure and some of its requirements.
> > Active Authentication is a procedure described in ISO/IEC 9796-2,
> > Digital signature scheme 1.
>
> > The document above gives recommendations for key sizes. If you look from
> > page 23, you will see that recommendations are given for Active
> > Authentication keys with RSA, DSA and ECDSA.
>
> > On 22 Oct, 14:14, "Wei Dai" <[email protected]> wrote:
> >> After looking at that standard, I don't think you're supposed to use it
> >> with DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
> >> See http://eprint.iacr.org/2009/203.pdf.
>
> >> Why do you have to implement this?
>
> >> --------------------------------------------------
> >> From: "Alexei" <[email protected]>
> >> Sent: Thursday, October 22, 2009 3:01 AM
> >> To: "Crypto++ Users" <[email protected]>
> >> Subject: Re: Get MessageRepresentative from signature
>
> >> > You can get the ISO/IEC FDIS 9796-2 draft for free:
> >> > http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
> >> > In this document the verification scheme is described correctly.
>
> >> > Yes, it is a signature scheme with message recovery. To verify a
> >> > signature, the following steps should be performed:
> >> > 1. Decrypt the signature (get MessageRepresentative). The message
> >> > representative in Digital signature scheme 1 consists of [Start byte |
> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
> >> > 2. Construct Message* = [recoverable part of Message | non-recoverable
> >> > part of Message]
> >> > 3. Check that hash(Message) from the signature is equal to hash(Message*).
>
> >> > On the Internet I have seen only once that somebody had the same problem:
> >> > http://www.groupsrv.com/science/about117544.html
>
> >> > On 22 Oct, 12:28, "Wei Dai" <[email protected]> wrote:
> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
> >> >> information about it (without paying to buy the standard). Is it some
> >> >> kind of signature scheme with message recovery (SSR)? I never really
> >> >> finished implementing support for discrete log-based SSR in Crypto++
> >> >> (and nobody has complained about that before), so the only way to do it
> >> >> is to write your own code directly on top of the Integer and elliptic
> >> >> curve classes. You can try to reuse DL_Algorithm_GDSA in gfpcrypt.h, or
> >> >> copy the code out and build on top of that.
>
> >> >> Or, if you want to try to finish the DL SSR framework in Crypto++,
> >> >> take a look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But
> >> >> unlike with RSA, message recovery with discrete log based schemes is
> >> >> complicated and ultimately kind of pointless.
>
> >> >> --------------------------------------------------
> >> >> From: "Alexei" <[email protected]>
> >> >> Sent: Thursday, October 22, 2009 12:53 AM
> >> >> To: "Crypto++ Users" <[email protected]>
> >> >> Subject: Get MessageRepresentative from signature
>
> >> >> > Hello!
>
> >> >> > I am implementing Digital signature scheme 1 described in ISO/IEC
> >> >> > FDIS 9796-2. I have the signature in binary form and the public key.
> >> >> > I know how to get MessageRepresentative in the case of RSA: call the
> >> >> > member ApplyFunction(...) of a CryptoPP::RSA::PublicKey object.
> >> >> > But I don't know how to get MessageRepresentative in the case of DSA
> >> >> > and ECDSA... What should I do? Is there any general way to get
> >> >> > MessageRepresentative independent of the type of public key?
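
The three verification steps listed in the thread, for the RSA case, as an added Python example (not code from the thread or from Crypto++); `pow(s, E, N)` is the same public-key operation that `RSA::PublicKey::ApplyFunction` performs. Assumptions not stated in the thread: start byte 0x6A, a single trailer byte 0xBC, SHA-1 as the hash, and a constructed toy key.

```python
import hashlib
import hmac

# Constructed toy key (two Mersenne primes), for illustration only: NOT secure.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes (81)
HLEN = hashlib.sha1().digest_size        # 20
START, TRAILER = 0x6A, 0xBC              # assumed values, not from the thread


def sign(recoverable: bytes, non_recoverable: bytes) -> bytes:
    """Build [start | recoverable | hash(Message) | trailer], apply private key."""
    if len(recoverable) != K - HLEN - 2:
        raise ValueError("recoverable part must exactly fill the representative")
    digest = hashlib.sha1(recoverable + non_recoverable).digest()
    rep = bytes([START]) + recoverable + digest + bytes([TRAILER])
    return pow(int.from_bytes(rep, "big"), D, N).to_bytes(K, "big")


def recover_representative(signature: bytes) -> bytes:
    """Step 1: RSA public-key operation on the signature."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        raise ValueError("signature out of range for this modulus")
    return pow(s, E, N).to_bytes(K, "big")


def verify(signature: bytes, non_recoverable: bytes):
    """Steps 2 and 3: return the recovered part, or None if verification fails."""
    try:
        rep = recover_representative(signature)
    except ValueError:
        return None
    if rep[0] != START or rep[-1] != TRAILER:
        return None
    recovered, digest = rep[1:-1 - HLEN], rep[-1 - HLEN:-1]
    expected = hashlib.sha1(recovered + non_recoverable).digest()  # hash(Message*)
    return recovered if hmac.compare_digest(digest, expected) else None


# Constructed sample input.
M1 = bytes(range(K - HLEN - 2))          # recoverable part (59 bytes)
M2 = bytes.fromhex("0102030405060708")   # non-recoverable part
SIG = sign(M1, M2)
```

The verifier rejects on a wrong start or trailer byte before comparing hashes, and treats a signature value at or above the modulus as invalid rather than reducing it.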