On Mon, Mar 30, 2009 at 01:57:21PM -0700, David Schwartz wrote:

> > When I sign the same hash with the same certificate I should get the same
> > signature. That sounds pretty logical to me.
>
> Really? So if you sign the same contract twice, the two signatures will be
> precisely identical?

Well, signatures do come out the same with the traditional RSA PKCS#1 padding modes. So users have learned to expect this. It is not so absurd that they do. We can explain why signatures are not always the same, without making fun of them.

Signatures using DSA or ECDSA keys always use random nonces as part of the signature, and so a second signature of the same document will not be the same. The same is true of newer RSA signature modes, improving the security of RSA signatures.

Finally, there are shared-secret message authentication codes (MACs), in which both parties do compute the signature (with the same secret key) and compare the signatures. The most common algorithm in this space is HMAC-SHA1. With HMAC-SHA1 the signature is indeed expected to be the same all the time, as the only verification algorithm is independent computation of the signature. Of course to prevent HMAC replay attacks, messages should contain nonces, but with protocols using shared secret HMAC signatures, the nonce is considered to be part of the message rather than the signature algorithm.

--
	Viktor.
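
The behaviour described in the reply above can be checked by signing the same input twice under each scheme and comparing the bytes. This is an added example, not code from the thread or from OpenSSL: it uses Go's standard library, and the keys, message, shared secret and the name `resignIdentical` are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// resignIdentical signs one constructed message twice per scheme; true means identical bytes.
func resignIdentical() map[string]bool {
	msg := []byte("constructed sample contract")
	d := sha256.Sum256(msg)
	rsaKey, errR := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, errE := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if errR != nil || errE != nil {
		panic("key generation failed")
	}
	schemes := map[string]func() ([]byte, error){
		// Deterministic padding: same key and digest give the same bytes.
		"rsa-pkcs1v15": func() ([]byte, error) { return rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, d[:]) },
		// Fresh randomness per signature (PSS salt, ECDSA nonce).
		"rsa-pss":    func() ([]byte, error) { return rsa.SignPSS(rand.Reader, rsaKey, crypto.SHA256, d[:], nil) },
		"ecdsa-p256": func() ([]byte, error) { return ecdsa.SignASN1(rand.Reader, ecKey, d[:]) },
		// Shared-secret MAC: the verifier recomputes the tag and compares.
		"hmac-sha1": func() ([]byte, error) {
			m := hmac.New(sha1.New, []byte("constructed shared secret"))
			m.Write(msg)
			return m.Sum(nil), nil
		},
	}
	same := map[string]bool{}
	for name, sign := range schemes {
		a, errA := sign()
		b, errB := sign()
		if errA != nil || errB != nil {
			panic(name + ": signing failed")
		}
		same[name] = bytes.Equal(a, b)
	}
	return same
}

func main() { fmt.Println(resignIdentical()) }
```

A test or monitoring check that compares signature bytes for equality is therefore only meaningful for the deterministic schemes; for the randomized ones, run the verification operation instead.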