Re: Decrypting RSA signature using public key fails
From: Andrus Moor (nospam_at_no.no)
Date: 12/24/04
Date: Fri, 24 Dec 2004 13:40:44 +0200
Laszlo,
I need to verify EMVCO certificate signature S with length N=128 bytes.
I know the modulus and modulus length from the certificate.
The verification method is described in www.emvco.com,
Book 2. Annex A2.1.3 :
1. Check whether the digital signature S consists of N bytes.
2. Retrieve the N-byte number X from the digital signature S:
X = ( S**3 ) MOD n
3. Partition X as X= (B || MSG1 || H || E), where:
B is one byte long
H is 20 bytes long
E is one byte long
MSG1 consists of the remaining N – 22 bytes
4. Check whether the byte B is equal to '6A'.
5. Check whether the byte E is equal to 'BC'.
6. Compute MSG = (MSG1 || MSG2) and check whether H = Hash[MSG].
So the signature must start with 6A and end with BC
From your reply I understood that CAPI is not capable of verifying or even
decrypting this signature. This is very bad since the EMVCO standard becomes widely
usable in the next years.
Can you confirm again that CAPI does NOT support EMVCO signature
verification ?
Andrus.
> Anyway, you should NOT try to 'decrypt' a signature - you should use the
> VERIFY operation.
> MS CAPI cannot 'just' decrypt the whole data - it always checks the content
> format and returns only the actual data encrypted (not the whole padding).
> PKCS#11 can give you back the RAW decryption if you use it with
> CKM_RSA_X_509. With that you could actually 'cheat' and 'decrypt' your
> signature data then verify its format.
>
> Do you know if the signature was on a HASH? If yes, what is the point of
> trying to 'decrypt' the signature? You either have the data and you can hash
> it or if you only have the hash you can set - then use CryptVerifySignature
> to verify the signature. (If the signature was made with CAPI then the
> content is definitely only hash - other crypto systems may have created
> signature with recovery where you want to get back your data which was
> signed; but that's not supported in CAPI.)
>
> Another note: I assume you generated yourself the RSA keypair and somehow
> you KNOW that the public exponent is 3 - otherwise knowing 'just' the modulus
> is not enough as public exponents 17 and 65537 are also used frequently (and,
> in fact, arbitrary public exponent could be used, too). Most crypto systems
> use the public exponent 65537 (not 3 or 17).
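
The six verification steps listed in the message above, as an added Python example (not part of the original post, and not CAPI code). It assumes Hash is SHA-1 because H is 20 bytes long; the function names and the test key, built from two well-known special-form primes and used only to produce a constructed sample signature, are assumptions of the example.

```python
import hashlib
import hmac

def emv_recover(sig: bytes, n: int, msg2: bytes = b"", e: int = 3) -> bytes:
    """Run steps 1-6 and return MSG1; raise ValueError on any failed check."""
    N = (n.bit_length() + 7) // 8                 # modulus length in bytes
    if len(sig) != N:                             # step 1
        raise ValueError("signature is not N bytes long")
    s = int.from_bytes(sig, "big")
    if s >= n:                                    # extra range check, not one of the six steps
        raise ValueError("signature value is not below the modulus")
    X = pow(s, e, n).to_bytes(N, "big")           # step 2: X = (S**e) MOD n
    # step 3: X = B || MSG1 || H || E with 1, N-22, 20 and 1 bytes
    B, msg1, H, E = X[0], X[1:N - 21], X[N - 21:N - 1], X[N - 1]
    if B != 0x6A:                                 # step 4
        raise ValueError("header byte is not 6A")
    if E != 0xBC:                                 # step 5
        raise ValueError("trailer byte is not BC")
    digest = hashlib.sha1(msg1 + msg2).digest()   # step 6, SHA-1 assumed
    if not hmac.compare_digest(digest, H):
        raise ValueError("hash mismatch")
    return msg1

# Constructed test key, for this demonstration only: the P-384 field prime and
# the 2**448 - 2**224 - 1 prime. Both are 2 mod 3, so exponent 3 is invertible.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
Q = 2**448 - 2**224 - 1
SAMPLE_N = P * Q                                  # 832-bit modulus, N = 104 bytes
SAMPLE_D = pow(3, -1, (P - 1) * (Q - 1))          # needs Python 3.8 or later

def sample_sign(msg1: bytes, msg2: bytes, n: int = SAMPLE_N, d: int = SAMPLE_D) -> bytes:
    """Build a constructed signature in the 6A || MSG1 || H || BC layout."""
    N = (n.bit_length() + 7) // 8
    if len(msg1) != N - 22:
        raise ValueError("MSG1 must be exactly N - 22 bytes")
    X = b"\x6a" + msg1 + hashlib.sha1(msg1 + msg2).digest() + b"\xbc"
    return pow(int.from_bytes(X, "big"), d, n).to_bytes(N, "big")

if __name__ == "__main__":
    msg1 = b"constructed certificate fields".ljust(82, b"\xbb")
    sig = sample_sign(msg1, b"constructed remainder")
    print(emv_recover(sig, SAMPLE_N, b"constructed remainder") == msg1)
```

With a real 128-byte certificate, only `emv_recover` is needed: pass the signature bytes, the issuer modulus as an integer, and MSG2 if the signed data did not fit in MSG1.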