直接对文件进行数字签名而不是文件 [英] Digitally sign a hash value of a file directly instead of file

问题描述

我的问题是 - 是否可以直接对文件的哈希值进行数字签名而不是文件。

我必须在web上对xml文件进行数字签名环境通过电子令牌。所以我必须将文件从服务器下载到客户端，然后从客户端计算机的e-token usb获得证书，并签署文件并将其上载到服务器上。

但是问题是，如果文件的大小太大，那么在客户端下载需要花费太多时间（取决于网速）以及文件安全性方面的一些漏洞。

因此，不是将文件发送到客户端机器，而仅发送文件散列值（文件的内部散列值被签名而不是文件作为数字签名过程的一般流程）。

或者是否有其他解决方案？

散列。

由于您拥有eToken，您可以使用它在客户端和服务器之间建立双向SSL会话。此会话可用于将哈希传送到客户端，并将产生的签名传回服务器。

为了在Java中在客户端上签署哈希，您可以使用 Signature 算法，如 NONEwithRSA 而不是像 SHA256withRSA 。

NONE指定原始数据（在这种情况下是哈希）将被签名，而不会被算法再次哈希。

My ques is -- Is it possible to digitally sign a hash value of a file directly instead of file.

I have to digitally sign a xml file in web environment through e-token. So I have to download the file from server to client and then get certificate from e-token usb at client machine and sign the file and upload it on server.

But the problem is, if size of the file is too huge, then it will take too much time to download at client side (depend upon internet speed) and some leakage in the security of the file too.

So instead of sending file to client machine, send only file hash value (internally hash value of files are signed not files as general flow of digitally signature process).

Or is there any other alternatives solution ?

解决方案

@Eugene brings up some valid points about the details of securely passing the hash.

Since you have an eToken, you could use it to establish a 2-way SSL session between the client and server. This session could be used to transfer the hash to the client, and the resulting signature back to the server.

For signing a hash on the client side in Java, you could use a Signature algorithm like NONEwithRSA instead of one like SHA256withRSA.

"NONE" specifies that the raw data (in this case the hash) will be signed and not hashed again by the algorithm.

这篇关于直接对文件进行数字签名而不是文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！