Are RSA signatures unique?

Question

I want to know if RSA signatures are unique for given data.

Suppose I have a "hello" string. The method of computing the RSA signature is firstly to get the SHA-1 digest (these are, I know, unique for data), then add a header with the OID and padding scheme mentioned, and do some mathematical jiggle to give the signature.

Now assuming the padding is the same, will the signature generated by OpenSSL or Bouncy Castle be the same?

If yes, my only fear is, won't it be easy to get back the "text"/data??

I actually tried to do an RSA signature of some data, and the signatures from OpenSSL and BC were different. I repeated it but got the same signature again and again for each of them. I realized that the two signatures of the methods were different because of the difference in padding. However, I am still not sure why the signatures of each of the libs are the same all the time I repeat them. Can somebody please give an easy explanation?

Recommended answer

The "usual" padding scheme, described in PKCS#1 as the "old-style, v1.5" padding, is deterministic. It works like this:

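  • The data to sign is hashed (e.g. with SHA-1).
  • A fixed header is added; that header is actually an ASN.1 structure which identifies the hash function that was just used to process the data.
  • Padding bytes are added (on the left): 0x00, then 0x01, then some 0xFF bytes, then 0x00. The number of 0xFF bytes is adjusted so that the resulting total length is exactly the byte length of the modulus (i.e. 128 bytes for a 1024-bit RSA key).
  • The padded value is converted to an integer (which is less than the modulus), which goes through the modular exponentiation at the core of RSA. The result is converted back to a sequence of bytes, and that is the signature.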

All these operations are deterministic; there is no randomness, hence it is normal and expected that signing the same data with the same key and the same hash function will yield the same signature ever and ever.

However, there is a slight underspecification in the ASN.1-based fixed header. This is a structure which identifies the hash function, along with "parameters" for that hash function. Usual hash functions take no parameters, hence the parameters shall be represented with either a special "NULL" value (which takes a few bytes), or be omitted altogether: both representations are acceptable (although the former is supposedly preferred). So, the raw effect is that there are two versions of the "fixed header", for a given hash function. OpenSSL and Bouncy Castle do not use the same header. However, signature verifiers are supposed to accept both.

PKCS#1 also describes a newer padding scheme, called PSS, which is more complex but with a stronger security proof. PSS includes a bunch of random bytes, so you will get a distinct signature every time.
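The v1.5 steps listed in the answer, carried out as an added example (not code from the original answer, OpenSSL or Bouncy Castle). The key is a constructed toy key built from two Mersenne primes and is not secure; `encode`, `sign` and `verify` are hypothetical helper names. It shows that repeated signing gives identical bytes, that the two header variants give different signatures, and that a verifier can accept both.

```python
import hashlib

# Constructed toy key for illustration only: two Mersenne primes, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# The two acceptable SHA-1 DigestInfo headers: parameters NULL, or omitted.
SHA1_NULL = bytes.fromhex("3021300906052b0e03021a05000414")
SHA1_OMIT = bytes.fromhex("301f300706052b0e03021a0414")

def encode(msg, header):
    """EM = 0x00 0x01 FF..FF 0x00 || header || SHA-1(msg), exactly K bytes."""
    t = header + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg, header=SHA1_NULL):
    """Deterministic: no random input anywhere in the computation."""
    m = int.from_bytes(encode(msg, header), "big")
    return pow(m, D, N).to_bytes(K, "big")

def verify(msg, sig):
    """Recover the padded block and compare it to both header variants."""
    if len(sig) != K:
        return False
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    # Comparing the whole re-encoded block avoids lenient padding parsing.
    return em in (encode(msg, SHA1_NULL), encode(msg, SHA1_OMIT))

if __name__ == "__main__":
    a = sign(b"hello", SHA1_NULL)
    b = sign(b"hello", SHA1_OMIT)
    print("repeatable:", a == sign(b"hello", SHA1_NULL))
    print("headers differ:", a != b)
    print("both verify:", verify(b"hello", a) and verify(b"hello", b))
```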
