On 10/8/2011 3:39 PM, Rick Lopes de Souza wrote:
Hi all,
This week i was in doubt to implemment some methods to sign using
OpenSSL. I know that RSA needs the hash algorithm to do the padding
scheme and ECDSA doesn't need.
ECDSA (and regular DSA) on the other hand needs a hash scheme satisfying
the following two absolute criteria:
1. The size of the hash value is exactly the size of the private key
(which is
half the size of the public key and also half the size of the signature).
Example: 192 bit ECDSA and DSA with a 192 bit "subgroup" only works
with 192 bit hash algorithms (such as Tiger), has a 192 bit private key,
a 384 bit public key and creates a 384 bit signature.
2. The hash algorithm is specified along with the public key, and that
public/private key pair is never used with any other hash algorithm.
Example: If you create a private/public key pair for use with Tiger,
you will need a different public/private key pair for use with
192-bit-truncated-SHA-224.
Another thing that i know is that RSA can only sign things that are
smaller than the size of the key used. I can imagine that the encrypt
process follows the same idea.
RSA can only sign messages whose hash is smaller than the size of the key
used.
RSA with PKCS#1 v1.0 padding can only sign messages whose hash size
plus the size of the OID of the hash algorithm plus a little extra is
smaller
than the size of the key used.
RSA with PKCS#1 v2.0 padding can only sign messages whose hash size
plus a little extra is less than half the size of the key used.
I know that to sign, i have to take a hash of some document or message
but, theoretically, i could encrypt any document? The padding scheme
would shrink the message and them could reveal the same message after
deciphering?
The padding scheme would grow the message to fill out the key size.
Putting the message directly into the padding scheme is only safe for some
RSA padding schemes, as some padding schemes are safe only if the message
is a completely random bit string not known to the enemy (secret
encryption keys
are usually such strings, actual messages are usually not).
Therefore putting the message directly into the RSA padding scheme is done
only when every single bit of total transmission size matters.
But the padding schemes only work with messages so much shorter than the
RSA key that the bytes saved would be almost nothing compared to the
overhead
of sending the RSA encrypted blob itself. So it almost never makes sense.
My doubt is: and ECDSA? Does it has the same features? I know it
doesn't needs the hash algorithm, but the message needs to be smaller
than the size of the key? ECDSA signs a message with any size?
Example: an ecdsa key with 192 bits signing a hash sha 512. It could
be signed or it is wrong?
As explained above, 192 bit DSA and ECDSA only works with 192 bit
hashes (and only one hash algorithm is allowed for each private/public
key pair).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
