Chapter 7 Public-Key Operations 233
MultiPrime
RSA Digital Signatures
The section “Authentication and Digital Signatures” on page 57 discusses what a
digital signature is. This section describes how to write Crypto-C code that computes
or verifies digital signatures. For signing, Crypto-C offers B_SignInit, B_SignUpdate,
and B_SignFinal, which will digest the data and encrypt the digest using RSA
encryption with a private key. For verification, Crypto-C offers B_VerifyInit,
B_VerifyUpdate, and B_VerifyFinal, which will digest the data again, decrypt the
signature with the RSA public key, and compare the digest to the decrypted
signature.
Note that you cannot use the Sign and Verify functions if you do not want to digest
the data. Some applications may not call for a digest; they may demand that the
signature be the actual data encrypted with a private key. This is the case with some
forms of authentication, for instance. In other cases, the data passed to the application
has already been digested. In such an application, encrypt using AI_PKCS_RSAPrivate
or AI_RSAPrivate; do not follow the model outlined here.
A digital signature is actually not the private-key encrypted digest of the data, but the
private-key encrypted BER-encoding of the digest. (Remember that when you
“encrypt” using the private key, you are actually following the same steps you use for
decryption, even though you apply them to a plaintext file.) When you are using
SHA1, this means the input data will be 35 bytes, not 20. The “encryption” follows the
PKCS standards, so the data must be at least 11 bytes shorter than the modulus.
Hence, the modulus must be at least 46 bytes (368 bits) for computing digital
signatures using SHA1 as the digesting algorithm.
The example in this section corresponds to the file rsasign.c.
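The 35-byte input and 46-byte minimum modulus described above, worked through in C as an added example (this is not Crypto-C code and not part of rsasign.c). The function names are hypothetical, the digest is a constructed stand-in, and the block is laid out as the PKCS #1 v1.5 signature format: 00 01, FF padding, 00, then the encoded digest.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER prefix of a SHA-1 DigestInfo (15 bytes); the 20-byte digest follows. */
static const unsigned char SHA1_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};
#define SHA1_LEN        20
#define DIGESTINFO_LEN  (sizeof(SHA1_PREFIX) + SHA1_LEN)  /* 35 bytes */
#define PKCS1_OVERHEAD  11  /* 00 01, at least eight FF bytes, 00 */

/* Smallest modulus, in bytes, that can carry a SHA-1 signature block. */
size_t min_modulus_len(void) { return DIGESTINFO_LEN + PKCS1_OVERHEAD; }

/* Build 00 01 FF..FF 00 || DigestInfo into em (k bytes, k = modulus length).
 * Returns the number of FF bytes, or -1 if the modulus is too short. */
int build_sha1_signature_block(const unsigned char digest[SHA1_LEN],
                               unsigned char *em, size_t k)
{
    size_t pad_len;
    if (digest == NULL || em == NULL || k < min_modulus_len())
        return -1;
    pad_len = k - DIGESTINFO_LEN - 3;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, pad_len);
    em[2 + pad_len] = 0x00;
    memcpy(em + 3 + pad_len, SHA1_PREFIX, sizeof(SHA1_PREFIX));
    memcpy(em + 3 + pad_len + sizeof(SHA1_PREFIX), digest, SHA1_LEN);
    return (int)pad_len;
}

/* Verifier side: rebuild the expected block and compare every byte of it. */
int check_sha1_signature_block(const unsigned char *recovered, size_t k,
                               const unsigned char digest[SHA1_LEN])
{
    unsigned char expected[512];
    if (recovered == NULL || k > sizeof(expected) ||
        build_sha1_signature_block(digest, expected, k) < 0)
        return 0;
    return memcmp(recovered, expected, k) == 0;
}

int main(void)
{
    unsigned char digest[SHA1_LEN] = {0}, em[64]; /* constructed digest */
    printf("min modulus %zu bytes; FF bytes at k=64: %d\n", min_modulus_len(),
           build_sha1_signature_block(digest, em, sizeof em));
    return 0;
}
```

Comparing the whole rebuilt block, rather than only the trailing 20 digest bytes, also rejects a recovered block whose padding or encoding is malformed.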
Computing a Digital Signature
Remember that with Crypto-C, you have the choice of doing your private-key
operations normally or of using the blinding technique (see “Timing Attacks and
Blinding” on page 95). You make this choice in the algorithm chooser. For normal
signature operations, use AM_RSA_CRT_ENCRYPT. To use blinding, use
AM_RSA_CRT_ENCRYPT_BLIND.
Step 1: Creating An Algorithm Object
Declare a variable to be B_ALGORITHM_OBJ. As defined in the function prototype in
Chapter 4 of the Reference Manual, its address is the argument for