I am not familar with DSA/ECDSA in depth. That's I want to ask why DSA/ ECDSA can't be applied for Digital signature scheme 1 described in ISO/ IEC 9796-2?
I have the following point of view. 1. There is the RFID-chip that has public/private key pair. Terminal can read public key and algorithm's type used to perform Active Authentication. 2. Terminal sends some random data to the RFID-chip. This random data represents non-recoverable part of the message(M2 in ISO/IEC 9796-2). 3. RFID-chip generates M1 and signs message M = [M1 | M2] as described in the standard. Sends result to the terminal. 4. Terminal can restore MessageRepresentative using public key and verify the signature. What's wrong? What step can't be performed using DSA/ECDSA? On 22 окт, 15:25, "Wei Dai" <[email protected]> wrote: > Sorry, but I really don't see any possible way that ISO/IEC FDIS 9796-2 > could apply to DSA/ECDSA. They just don't work the same way, and the > discrete log based SSRs are in general very different from factorisation > based ones. > > Please trust me on this, and look for some other explanation. > > -------------------------------------------------- > From: "Alexei" <[email protected]> > Sent: Thursday, October 22, 2009 4:19 AM > To: "Crypto++ Users" <[email protected]> > Cc: "Wei Dai" <[email protected]>; "Alexei" <[email protected]> > Subject: Re: Get MessageRepresentative from signature > > > > > > > As I understand Digital signature scheme described in ISO/IEC FDIS > > 9796-2 can be implemented independent on signature generation > > algorithm. Currently I have implemented only support of RSA. We have > > sample ePassports with support of Active Authentication and all of > > them use scheme based on RSA. > > > I have looked at section 3.3.2. Recommendation about using RSA-PSS > > applies for signature generation of certificates and Document Security > > object of RFID-chip. In Active Authentication is used simple RSA. > > > We have tried to contact with authors of the document about some other > > questions but haven't got answer yet. > > > On 22 окт, 15:06, "Wei Dai" <[email protected]> wrote: > >> I'm pretty sure there's an error or misunderstanding on someone's part. > >> Part > >> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation > >> based > >> mechanisms" and DSA/ECDSA are not factorisation based! > > >> Also, if you look at section 3.3.2 of that ICAO document, it says that > >> for > >> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS > >> 9796-2's > >> Digital Signature Scheme 1. I don't have time to read through this > >> document > >> and figure out what is going on. Can you ask someone who is more familiar > >> with this standard (maybe its authors?). > > >> -------------------------------------------------- > >> From: "Alexei" <[email protected]> > >> Sent: Thursday, October 22, 2009 3:57 AM > >> To: "Crypto++ Users" <[email protected]> > >> Subject: Re: Get MessageRepresentative from signature > > >> > I am implementing software for reader of ICAO-compliant e-Passport. In > >> > this document > >> >http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf > >> > specified procedure Active Authentication and some its requirements. > >> > Active Authentication is procedure described in ISO/IEC 9796-2, > >> > Digital signature scheme 1. > > >> > Document above gives recommendations for key's size. If you look from > >> > page 23 then you see that recommendations are given for Active > >> > Authentication's keys with RSA, DSA and ECDSA. > > >> > On 22 окт, 14:14, "Wei Dai" <[email protected]> wrote: > >> >> After looking at that standard, I don't think you're supposed to use > >> >> it > >> >> with > >> >> DSA or ECDSA, but only with RSA or RW. Also, it's not secure. > >> >> Seehttp://eprint.iacr.org/2009/203.pdf. > > >> >> Why do you have to implement this? > > >> >> -------------------------------------------------- > >> >> From: "Alexei" <[email protected]> > >> >> Sent: Thursday, October 22, 2009 3:01 AM > >> >> To: "Crypto++ Users" <[email protected]> > >> >> Subject: Re: Get MessageRepresentative from signature > > >> >> > ISO/IEC FDIS 9796-2 draft you can take for a free > >> >> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for... > >> >> > In this document verification scheme is described correctly. > > >> >> > Yes, it is signature scheme with message recovery. To verify > >> >> > signature > >> >> > the following steps should be performed: > >> >> > 1. Decrypt signature(get MessageRepresentative). Message > >> >> > representative in Digital signature scheme 1 consists of [Start byte > >> >> > | > >> >> > recoverable part of Message | hash(Message) | trailing byte(s)] > >> >> > 2. Construct Message* = [recoverable part of Message | > >> >> > non-recoverable > >> >> > part of Message] > >> >> > 3. Check that hash(Message) from signature is equal to > >> >> > hash(Message*). > > >> >> > In Internet I have seen only once that somebody had the same problem > >> >> >http://www.groupsrv.com/science/about117544.html > > >> >> > On 22 окт, 12:28, "Wei Dai" <[email protected]> wrote: > >> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much > >> >> >> information > >> >> >> about it (without paying to buy the standard). Is it some kind of > >> >> >> signature > >> >> >> scheme with message recovery (SSR)? I never really finished > >> >> >> implementing > >> >> >> support for discrete log-based SSR in Crypto++ (and nobody has > >> >> >> complained > >> >> >> about that before), so the only way to do it is to write your own > >> >> >> code > >> >> >> directly on top of the Integer and elliptic curve classes. You can > >> >> >> try > >> >> >> to > >> >> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and > >> >> >> build > >> >> >> on > >> >> >> top > >> >> >> of that. > > >> >> >> Or, if you want to try to finish the DL SSR framework in Crypto++, > >> >> >> take a > >> >> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But > >> >> >> unlike > >> >> >> with > >> >> >> RSA, message recovery with discrete log based schemes is > >> >> >> complicated > >> >> >> and > >> >> >> ultimately kind of pointless. > > >> >> >> -------------------------------------------------- > >> >> >> From: "Alexei" <[email protected]> > >> >> >> Sent: Thursday, October 22, 2009 12:53 AM > >> >> >> To: "Crypto++ Users" <[email protected]> > >> >> >> Subject: Get MessageRepresentative from signature > > >> >> >> > Hello! > > >> >> >> > I am implementing Digital signature scheme 1 described in ISO/IEC > >> >> >> > FDIS > >> >> >> > 9796-2. I have signature in binary form and public key. > >> >> >> > I know, how to get MessageRepresentative in case of RSA: call > >> >> >> > member > >> >> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object. > >> >> >> > But I don't know how to get MessageRepresentative in case of DSA > >> >> >> > and > >> >> >> > ECDSA... What I should do? Is their any general way to get > >> >> >> > MessageRepresentative independent on type of public key?- Скрыть > >> >> >> > цитируемый текст - > > >> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст - > > >> >> - Показать цитируемый текст -- Скрыть цитируемый текст - > > >> - Показать цитируемый текст -- Скрыть цитируемый текст - > > - Показать цитируемый текст - --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com. -~----------~----~----~----~------~----~------~--~---
