RSA签名是否唯一？ [英] Are RSA signatures unique?

问题描述

我想知道RSA签名是否对数据是唯一的。

假设我有一个hello字符串。计算RSA签名的方法是首先获得sha1摘要（这些是我知道的，为数据unqiue），然后添加一个带有OID和填充方案的头部，并做一些数学摇摆给出签名。

现在假设padding相同，openSSL或Bouncy Castle生成的签名是否相同？

如果是，我唯一的恐惧是的，不会很容易回到文本/数据

我actaully试图做一些数据和签名从OpenSSL的RSA签名和BC是不同的。我重复了，但每次都有相同的签名一次又一次。我意识到这两种方法的签名是不同的，因为填充的差异。然而我仍然不知道为什么每个库的签名是相同的，所有的时间我重复它们。

/www.rsa.com/rsalabs/node.asp?id=2125\">PKCS#1 作为旧式，v1.5填充，是确定性的。它的工作原理如下：

• 要签名的数据是哈希的（例如使用SHA-1）。


• 添加一个固定标题;


• 添加填充字节（左侧）：0x00，然后是0x01，然后一些0xFF字节，然后0x00。调整0xFF字节的数量，使得最终的总长度恰好是模数的字节长度（即1024位RSA密钥的128字节）。


• 将填充的值转换到小于模数的整数，其通过作为RSA的核心的模幂运算。

所有这些操作都是确定性的，没有随机的，因此这是正常的，并且期望用相同的密钥和相同的散列函数签署相同的数据将产生相同的签名。

在基于ASN.1的固定报头中存在微小的不足。这是一种识别散列函数的结构，以及该散列函数的参数。通常的散列函数不需要参数，因此这些参数必须用一个特殊的NULL值（需要几个字节）来表示，或者完全省略：两个表示都是可接受的（尽管前者是首选的）。因此，原始效果是对于给定的散列函数，存在固定报头的两个版本。 OpenSSL和Bouncycastle不使用相同的头。然而，签名验证器应该同时接受。

PKCS＃1还描述了一种较新的填充方案，称为PSS，具有更强的安全性。 PSS包括一堆随机字节，所以你每次都会得到一个不同的签名。

I want to know if RSA signatures are unique for a data.

Suppose I have a "hello" string. The method of computing the RSA signature is firstly to get the sha1 digest(these are , I know, unqiue for data), then add a header with OID and padding scheme mentioned and do some mathematical jiggle to give the signature.

Now assuming padding is same, will the signature generating by openSSL or Bouncy Castle be same?

If yes, my only fear is, won't it be easy to get back the "text"/data??

I actaully tried to do an RSA signature of some data and the signatures from OpenSSL and BC was different. I repeated it but got same signature again and again for each of them. I realized that the two signatures of the methods were different because of the difference in padding. However I am still not sure why the signatures of each of the libs are same all the time I repeat them. Can somebody please give an easy explanation?

解决方案

The "usual" padding scheme, described in PKCS#1 as the "old-style, v1.5" padding, is deterministic. It works like this:

• The data to sign is hashed (e.g. with SHA-1).
• A fixed header is added; that header is actually an ASN.1 structure which identifies the hash function which was just used to process the data.
• Padding bytes are added (on the left): 0x00, then 0x01, then some 0xFF bytes, then 0x00. The number of 0xFF bytes is adjusted so that the resulting total length is exactly the byte length of the modulus (i.e. 128 bytes for a 1024-bit RSA key).
• The padded value is converted to an integer (which is less than the modulus), which goes through the modular exponentiation which is at the core of RSA. The result is converted back to a sequence of bytes, and that's the signature.

All these operations are deterministic, there is no random, hence it is normal and expected that signing the same data with the same key and the same hash function will yield the same signature ever and ever.

However there is a slight underspecification in the ASN.1-based fixed header. This is a structure which identifies the hash function, along with "parameters" for that hash function. Usual hash functions take no parameters, hence the parameters shall be represented with either a special "NULL" value (which takes a few bytes), or be omitted altogether: both representations are acceptable (although the former is supposedly preferred). So, the raw effect is that there are two versions of the "fixed header", for a given hash function. OpenSSL and Bouncycastle do not use the same header. However, signature verifiers are supposed to accept both.

PKCS#1 also describes a newer padding scheme, called PSS, which is more complex but with a stronger security proof. PSS includes a bunch of random bytes, so you will get a distinct signature every time.

这篇关于RSA签名是否唯一？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！