Re: Decrypting RSA signature using public key fails

From: lelteto (lelteto_at_discussions.microsoft.com)
Date: 01/03/05

    Date: Mon, 3 Jan 2005 09:31:02 -0800

    You can try to use any CRYPTOKI library which supports RAW RSA (i.e.
    CKM_RSA_X_509). Then you need to use the public key to ENCRYPT your signature
    (yes, that's a 'hack' workaround) and verify the decrypted structure yourself.
    Another option is to use the OpenSSL library - but then you have to do more
    work with it...

    Laszlo Elteto
    Safenet, Inc.

    "Andrus Moor" wrote:

    > Valery,
    >
    > thank you for excellent explanation. There is no information about CAPI
    > providers in EMVCo website.
    >
    > What software do you recommend to use for EMVV4 signature verification under
    > Windows ?
    >
    > Andrus.
    >
    >
    > "Valery Pryamikov" <Valery@nospam.harper.no> wrote in message
    > news:#bdZ5mb6EHA.2452@TK2MSFTNGP14.phx.gbl...
    > > Andrus,
    > > The only way of verifying EMVv4 signature with CAPI is to develop or use
    > > a 3rd-party cryptography provider that supports that kind of signature. If
    > > such a provider becomes available you can simply use it with CAPI to do
    > > whatever verification or encryption is required by EMVv4.1 standard. In case
    > > EMVv4 receives broader acceptation than prev. version, I'm sure that a
    > > cryptography provider will be developed and provided by some party. Btw. did
    > > you check if EMVCo is working with such a provider or not? It is quite
    > > possible that they are doing something or even have a working provider for
    > > that matter.
    > > And regarding use of standard Microsoft cryptography providers (like
    > > "Microsoft Strong Cryptography provider") - you can't verify EMVCo signature
    > > with them (not current version at least).
    > >
    > > -Valery.
    > > http://www.harper.no/valery
    > >
    > > P.S. Have a Merry Christmas and Happy New Year everyone!
    > >
    > > "Andrus Moor" <nospam@no.no> wrote in message
    > > news:uoz8t1a6EHA.3368@TK2MSFTNGP10.phx.gbl...
    > > > Laszlo,
    > > >
    > > > I need to verify EMVCO certificate signature S with length N=128 bytes.
    > > > I know the modulus and modulus length from the certificate.
    > > > The verification method is described in www.emvco.com,
    > > > Book 2. Annex A2.1.3 :
    > > >
    > > > 1. Check whether the digital signature S consists of N bytes.
    > > > 2. Retrieve the N-byte number X from the digital signature S:
    > > > X = ( S**3 ) MOD n
    > > >
    > > > 3. Partition X as X= (B || MSG1 || H || E), where:
    > > > B is one byte long
    > > > H is 20 bytes long
    > > > E is one byte long
    > > > MSG1 consists of the remaining N - 22 bytes
    > > > 4. Check whether the byte B is equal to '6A'.
    > > > 5. Check whether the byte E is equal to 'BC'.
    > > > 6. Compute MSG = (MSG1 || MSG2) and check whether H = Hash[MSG].
    > > >
    > > > So the signature must start with 6A and end with BC
    > > >
    > > > From your reply I understood that CAPI is not capable to verify or even
    > > > decrypt this signature. This is very bad since EMVCO standard becomes
    > > > widely usable in next years.
    > > >
    > > > Can you confirm again that CAPI does NOT support EMVCO signature
    > > > verification ?
    > > >
    > > > Andrus.
    > > >
    > > >> Anyway, you should NOT try to 'decrypt' a signature - you should use the
    > > >> VERIFY operation.
    > > >> MS CAPI cannot 'just' decrypt the whole data - it always checks the
    > > >> content format and returns only the actual data encrypted (not the whole
    > > >> padding).
    > > >> PKCS#11 can give you back the RAW decryption if you use it with
    > > >> CKM_RSA_X_509. With that you could actually 'cheat' and 'decrypt' your
    > > >> signature data then verify its format.
    > > >>
    > > >> Do you know if the signature was on a HASH? If yes, what is the point of
    > > >> trying to 'decrypt' the signature? You either have the data and you can
    > > >> hash it or if you only have the hash you can set - then use
    > > >> CryptVerifySignature to verify the signature. (If the signature was made
    > > >> with CAPI then the content is definitely only hash - other crypto systems
    > > >> may have created signature with recovery where you want to get back your
    > > >> data which was signed; but that's not supported in CAPI.)
    > > >>
    > > >> Another note: I assume you generated yourself the RSA keypair and somehow
    > > >> you KNOW that the public exponent is 3 - otherwise knowing 'just' the
    > > >> modulus is not enough as public exponents 17 and 65537 are also used
    > > >> frequently (and, in fact, arbitrary public exponent could be used, too).
    > > >> Most crypto systems use the public exponent 65537 (not 3 or 17).
    > > >
    > > >
    > >
    > >
    >
    >
    >
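
The six-step check from Book 2, Annex A2.1.3 quoted in this thread, done with plain big-integer arithmetic as an added Python example (not code from any poster or from EMVCo). Assumptions: the 20-byte Hash is SHA-1, the public exponent is 3, and the key is a constructed, insecure test key built from two published special-form primes so a sample signature can be produced inline; its modulus gives N = 104 bytes rather than the 128 in the question.

```python
import hashlib

E = 3  # public exponent in the quoted procedure: X = S**3 mod n

# Constructed, insecure test key: two published special-form primes
# (2^448 - 2^224 - 1 and the NIST P-384 field prime). Both are 2 mod 3,
# so e = 3 is invertible. Used only to produce a sample signature.
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N_MOD = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+


def modulus_len(n: int) -> int:
    """Length N of the modulus in bytes."""
    return (n.bit_length() + 7) // 8


def emv_verify(sig: bytes, n: int, msg2: bytes = b"", e: int = E) -> bytes:
    """Run steps 1-6; return MSG1 on success, raise ValueError otherwise."""
    size = modulus_len(n)
    if len(sig) != size:                                    # step 1
        raise ValueError("signature is not N bytes long")
    s = int.from_bytes(sig, "big")
    if s >= n:  # extra range check, not one of the six quoted steps
        raise ValueError("signature value not below modulus")
    x = pow(s, e, n).to_bytes(size, "big")                  # step 2
    b, msg1, h, trailer = x[0], x[1:-21], x[-21:-1], x[-1]  # step 3
    if b != 0x6A:                                           # step 4
        raise ValueError("header byte is not 6A")
    if trailer != 0xBC:                                     # step 5
        raise ValueError("trailer byte is not BC")
    if hashlib.sha1(msg1 + msg2).digest() != h:             # step 6
        raise ValueError("hash mismatch")
    return msg1


def make_sample_signature(msg1: bytes, msg2: bytes = b"") -> bytes:
    """Sign with the constructed key so the verifier has input to check."""
    size = modulus_len(N_MOD)
    if len(msg1) != size - 22:
        raise ValueError("MSG1 must be N - 22 bytes")
    x = b"\x6a" + msg1 + hashlib.sha1(msg1 + msg2).digest() + b"\xbc"
    return pow(int.from_bytes(x, "big"), D, N_MOD).to_bytes(size, "big")


if __name__ == "__main__":
    m1, m2 = bytes(range(82)), b"constructed MSG2"
    print(emv_verify(make_sample_signature(m1, m2), N_MOD, m2) == m1)
```

The 6A and BC bytes are checked on the recovered X, not on the raw signature bytes S.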

