Thank you.
On 22 окт, 16:10, "Wei Dai" <[email protected]> wrote:
> It's the fourth step. If you take a look
> athttp://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Verifying, there is
> no step where a message representative is restored.
>
> --------------------------------------------------
> From: "Alexei" <[email protected]>
> Sent: Thursday, October 22, 2009 4:39 AM
> To: "Crypto++ Users" <[email protected]>
> Subject: Re: Get MessageRepresentative from signature
>
>
>
>
>
> > I am not familar with DSA/ECDSA in depth. That's I want to ask why DSA/
> > ECDSA can't be applied for Digital signature scheme 1 described in ISO/
> > IEC 9796-2?
>
> > I have the following point of view.
> > 1. There is the RFID-chip that has public/private key pair. Terminal
> > can read public key and algorithm's type used to perform Active
> > Authentication.
> > 2. Terminal sends some random data to the RFID-chip. This random data
> > represents non-recoverable part of the message(M2 in ISO/IEC 9796-2).
> > 3. RFID-chip generates M1 and signs message M = [M1 | M2] as described
> > in the standard. Sends result to the terminal.
> > 4. Terminal can restore MessageRepresentative using public key and
> > verify the signature.
>
> > What's wrong? What step can't be performed using DSA/ECDSA?
>
> > On 22 окт, 15:25, "Wei Dai" <[email protected]> wrote:
> >> Sorry, but I really don't see any possible way that ISO/IEC FDIS 9796-2
> >> could apply to DSA/ECDSA. They just don't work the same way, and the
> >> discrete log based SSRs are in general very different from factorisation
> >> based ones.
>
> >> Please trust me on this, and look for some other explanation.
>
> >> --------------------------------------------------
> >> From: "Alexei" <[email protected]>
> >> Sent: Thursday, October 22, 2009 4:19 AM
> >> To: "Crypto++ Users" <[email protected]>
> >> Cc: "Wei Dai" <[email protected]>; "Alexei" <[email protected]>
> >> Subject: Re: Get MessageRepresentative from signature
>
> >> > As I understand Digital signature scheme described in ISO/IEC FDIS
> >> > 9796-2 can be implemented independent on signature generation
> >> > algorithm. Currently I have implemented only support of RSA. We have
> >> > sample ePassports with support of Active Authentication and all of
> >> > them use scheme based on RSA.
>
> >> > I have looked at section 3.3.2. Recommendation about using RSA-PSS
> >> > applies for signature generation of certificates and Document Security
> >> > object of RFID-chip. In Active Authentication is used simple RSA.
>
> >> > We have tried to contact with authors of the document about some other
> >> > questions but haven't got answer yet.
>
> >> > On 22 окт, 15:06, "Wei Dai" <[email protected]> wrote:
> >> >> I'm pretty sure there's an error or misunderstanding on someone's
> >> >> part.
> >> >> Part
> >> >> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation
> >> >> based
> >> >> mechanisms" and DSA/ECDSA are not factorisation based!
>
> >> >> Also, if you look at section 3.3.2 of that ICAO document, it says that
> >> >> for
> >> >> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS
> >> >> 9796-2's
> >> >> Digital Signature Scheme 1. I don't have time to read through this
> >> >> document
> >> >> and figure out what is going on. Can you ask someone who is more
> >> >> familiar
> >> >> with this standard (maybe its authors?).
>
> >> >> --------------------------------------------------
> >> >> From: "Alexei" <[email protected]>
> >> >> Sent: Thursday, October 22, 2009 3:57 AM
> >> >> To: "Crypto++ Users" <[email protected]>
> >> >> Subject: Re: Get MessageRepresentative from signature
>
> >> >> > I am implementing software for reader of ICAO-compliant e-Passport.
> >> >> > In
> >> >> > this document
> >> >> >http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
> >> >> > specified procedure Active Authentication and some its requirements.
> >> >> > Active Authentication is procedure described in ISO/IEC 9796-2,
> >> >> > Digital signature scheme 1.
>
> >> >> > Document above gives recommendations for key's size. If you look
> >> >> > from
> >> >> > page 23 then you see that recommendations are given for Active
> >> >> > Authentication's keys with RSA, DSA and ECDSA.
>
> >> >> > On 22 окт, 14:14, "Wei Dai" <[email protected]> wrote:
> >> >> >> After looking at that standard, I don't think you're supposed to
> >> >> >> use
> >> >> >> it
> >> >> >> with
> >> >> >> DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
> >> >> >> Seehttp://eprint.iacr.org/2009/203.pdf.
>
> >> >> >> Why do you have to implement this?
>
> >> >> >> --------------------------------------------------
> >> >> >> From: "Alexei" <[email protected]>
> >> >> >> Sent: Thursday, October 22, 2009 3:01 AM
> >> >> >> To: "Crypto++ Users" <[email protected]>
> >> >> >> Subject: Re: Get MessageRepresentative from signature
>
> >> >> >> > ISO/IEC FDIS 9796-2 draft you can take for a free
> >> >> >> >http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
> >> >> >> > In this document verification scheme is described correctly.
>
> >> >> >> > Yes, it is signature scheme with message recovery. To verify
> >> >> >> > signature
> >> >> >> > the following steps should be performed:
> >> >> >> > 1. Decrypt signature(get MessageRepresentative). Message
> >> >> >> > representative in Digital signature scheme 1 consists of [Start
> >> >> >> > byte
> >> >> >> > |
> >> >> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
> >> >> >> > 2. Construct Message* = [recoverable part of Message |
> >> >> >> > non-recoverable
> >> >> >> > part of Message]
> >> >> >> > 3. Check that hash(Message) from signature is equal to
> >> >> >> > hash(Message*).
>
> >> >> >> > In Internet I have seen only once that somebody had the same
> >> >> >> > problem
> >> >> >> >http://www.groupsrv.com/science/about117544.html
>
> >> >> >> > On 22 окт, 12:28, "Wei Dai" <[email protected]> wrote:
> >> >> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
> >> >> >> >> information
> >> >> >> >> about it (without paying to buy the standard). Is it some kind
> >> >> >> >> of
> >> >> >> >> signature
> >> >> >> >> scheme with message recovery (SSR)? I never really finished
> >> >> >> >> implementing
> >> >> >> >> support for discrete log-based SSR in Crypto++ (and nobody has
> >> >> >> >> complained
> >> >> >> >> about that before), so the only way to do it is to write your
> >> >> >> >> own
> >> >> >> >> code
> >> >> >> >> directly on top of the Integer and elliptic curve classes. You
> >> >> >> >> can
> >> >> >> >> try
> >> >> >> >> to
> >> >> >> >> reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and
> >> >> >> >> build
> >> >> >> >> on
> >> >> >> >> top
> >> >> >> >> of that.
>
> >> >> >> >> Or, if you want to try to finish the DL SSR framework in
> >> >> >> >> Crypto++,
> >> >> >> >> take a
> >> >> >> >> look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But
> >> >> >> >> unlike
> >> >> >> >> with
> >> >> >> >> RSA, message recovery with discrete log based schemes is
> >> >> >> >> complicated
> >> >> >> >> and
> >> >> >> >> ultimately kind of pointless.
>
> >> >> >> >> --------------------------------------------------
> >> >> >> >> From: "Alexei" <[email protected]>
> >> >> >> >> Sent: Thursday, October 22, 2009 12:53 AM
> >> >> >> >> To: "Crypto++ Users" <[email protected]>
> >> >> >> >> Subject: Get MessageRepresentative from signature
>
> >> >> >> >> > Hello!
>
> >> >> >> >> > I am implementing Digital signature scheme 1 described in
> >> >> >> >> > ISO/IEC
> >> >> >> >> > FDIS
> >> >> >> >> > 9796-2. I have signature in binary form and public key.
> >> >> >> >> > I know, how to get MessageRepresentative in case of RSA: call
> >> >> >> >> > member
> >> >> >> >> > ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
> >> >> >> >> > But I don't know how to get MessageRepresentative in case of
> >> >> >> >> > DSA
> >> >> >> >> > and
> >> >> >> >> > ECDSA... What I should do? Is their any general way to get
> >> >> >> >> > MessageRepresentative independent on type of public key?-
> >> >> >> >> > Скрыть
> >> >> >> >> > цитируемый текст -
>
> >> >> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> >> - Показать цитируемый текст -- Скрыть цитируемый текст -
>
> - Показать цитируемый текст -
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the "Crypto++ Users"
Google Group.
To unsubscribe, send an email to [email protected].
More information about Crypto++ and this group is available at
http://www.cryptopp.com.
-~----------~----~----~----~------~----~------~--~---
