RSA-MD5 Signature Suite - Version 1.0
RSA is a public-key cryptosystem for both encryption and authentication. Thissignature suite specifies how it is used with the MD5 hash function to sign a PICSlabel per the DSig 1.0 Specification.
Overview
This signature suite uses for hashing
The MD5 Message Digest Algorithm, R.L. Rivest, RFC 1321, April 1992
and for encryption
The RSA Encryption Algorithm, R.L. Rivest, A. Shamir, L.M. Adleman, "A method of Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, v. 21, n. 2, Feb. 1978, pp 120-126.
See AlsoSha 256 With Rsa Encryption
RSA Overview
RSA is a public-key cryptosystem for both encryption and authentication; it wasinvented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78]. Details on thealgorithm can be found in various places. RSA is combined with the MD5 hashing function tosign a message in this signature suite. It must be infeasible for anyone to either find amessage that hashes to a given value or to find two messages that hash to the same value.If either were feasible, an intruder could attach a false message onto Alice's signature.The hash functions MD5 has been designed specifically to have the property that finding amatch is infeasible, and is therefore considered suitable for use in this role.
One or more certificates may accompany a digital signature. A certificate is a signeddocument that binds the public key to the identity of a party. Its purpose is to preventsomeone from impersonating someone else. If a certificate is present, the recipient (or athird party) can check that the public key belongs to a named party, assuming thecertifier's public key is itself trusted. These certificates can be held in theAttribution Information section of the DSig 1.0 Signature Block Extension and thus passedalong with the signature to aid in validating it. (See section Attribution Informationsection in the DSig 1.0Specification.)
The signature section of the DSig 1.0 Signature Block Extension is defined in the DSig1.0 Specification. For the RSA-MD5 signature suite, the signature section has thefollowing required and optional fields.
Encoding
All values are encoded using the standard base-64 representation of a byte-arraycontaining the two's-complement representation of the value to encode. The first byte inthis array is the high-order byte. The minimal number of bytes necessary is used torepresent a certain value, so no leading zero-bytes are allowed.
Required Fields
The general specification allows for four variants on how to specify what key has beenused for signing, or rather what key is to be used for verifying the signature: ByKey,ByHash, ByName and ByCert. The signature suite specs are to specify what forms aremandatory or optional. For this signature-suite, exactly one of ByKey, ByHash, ByName andByCert have to be present. It is assumed, that in all cases where one or more certificatesare stored in the attribution-section, a reference to one of these certificates isappropriate, and the ByHash-method can be used. If no certificates are available, eitherthe ByKey-method is appropriate, or ByName/ByCert may be used, if online search orretrieval is reasonably available.
- "ByKey" - key value for validating a signature
- The token "ByKey" identifies the value that follows as the key that should be used to validate the signature (or sufficient information to generate that key locally).
( "ByKey" <Key-Value, Signature-Suite dependent> )
- Within the RSA-MD5 signature suite, the key values are:
( "ByKey" ( "E" "base64-encoded-public-exponent" ) ( "N" "base64-encoded-modulus" ))
L(Modulus),V(Modulus),L(Exponent),V(Exponent) where
L(x) is the length of x in bits and
V(x) is the value of x as an array of bytes, high byte first
"ByHash" - key value for validating a signature
The token "ByHash" identifies the value that follows as the MD5-hash of the key that should be used to validate the signature.
( "ByHash" "base-64-encoded-hash-of-key" )
The hash-value is calculated from the concatenation of the following information:
If the length of one element is less than or equal to 127, the length-value L(x) is exactly one byte with the
length as value. If the length is larger than 127, but less than 32767, the length-value consists of 3 bytes, one with the value 82 hexadecimal, the other two contain the length as a 16-bit integer, high byte first. A length > 32767 is not supported.
ByName - referencing the key value for validating a signature by name
The token "ByName" identifies the value that follows as the name of the entity that has generated the signature. It should be used to identify the public key necessary to validate the signature.
( "ByName" "Name-as-string-value" )
It can be used as a pointer to one of the certificates in the attribution information section, or be used to fetch a certificate from a local certificate-repository or an online-retrieval service. The format of the value depends on the certificate-system used, and can be a distinguished name from an X.509-field, an email-address or some other string value. ByName should be avoided, if searching the certificates given is likely to result in ambiguity.
ByCert - referencing the key value for validating a signature bycertificate
The token "ByCert" identifies the value that follows as a pointer to a certificate. It should be used to identify the public key necessary to validate the signature.
( "ByCert" ( "CA-Name-as-string-value" <CA-Serial-No.> ) )
It can be used as a pointer to one of the certificates in the attribution information section, or be used to fetch a certificate from a local certificate-repository or an online-retrieval service. The format of the value depends on the certificate-system used, and has to be specified in the Certificate Family Identifiers- Documents.
- "SigCrypto" - signature cryptographic data
- The "SigCrypto" token identifies the SigData field that contains the cryptographic data that is the signature itself. The format and contents of this field are:
("SigCrypto" "base64-encoded-RSAMD5-signature")
- For signing, the MD5-hash is padded according to PKCS#1, section 8.1, using block-type 01. Specifically, the encryption-block EB is calculated as follows:
EB = 00 || 01 || PS || 00 || MD5-Hash
- where PS is a padding-string consisting of K-19 octets having value FF, where K is the size of the modulus in octets.
Optional Fields
All common fields in the DSig Label spec are applicable in this Signature Suite specification.
Example
("Signature" "http://www.w3.org/PICS/DSig/RSA-MD5_1_0.html" ("ByKey" (("N" "aba21241241=") ("E" "abcdefghijklmnop="))) ("SigCrypto" "aba1241241==") ("on" "1996.12.02T22:20-0000") ("exclude" ("extensions" "http://foo/badextension.html")))
Philip A. DesAutels, DSig Project Manager 9 Oct 97
Peter Lipp Feb. 1998