Sistemul De Acces Conditionat!

[gessle]

X9.31 Signature Scheme


It requires using strong primes derived in a way to avoid particular attacks that are probably no longer relevant. X9.31 uses a method of encoding the message digest specific to the hash algorithm. It expects a key with length an exact multiple of 256 bits.he scheme allows for the public exponent to be an even value, but we do not consider that case here; all our values of e are assumed to be odd. The message digest hash, H, is encapsulated to form a byte string as follows EB = 06 || PS || 0xBA || H || 0x33 || 0xCC
where PS is a string of bytes all of value 0xBB of length such that |EB|=|n|, and 0x33 is the ISO/IEC 10118 part number for SHA-1. The byte string, EB, is converted to an integer value, the message representative, f. Algorithm: Forming an X9.31/RSA2 signature value from the message representative (for odd e). INPUT: Signer's RSA private key, (n, d); integer, f, where 0 <= f < n and f ≡ 12 (mod 16).
OUTPUT: Signature, an integer s, 0 <= s < n/2, i.e. a value at least one bit shorter than n.

1. t = fd mod n
2. s = min{t, n-t}
3. Output s.

The integer, s, is converted to a byte string of length |n| bytes. Algorithm: Extracting the message representative from an X9.31/RSA2 signature value (for odd e). INPUT: Signer's RSA public key, (n, e); signature, s.
OUTPUT: Message representative, f, such that t ≡ 12 (mod 16), or "invalid signature".

1. If s is not in [0,(n-1)/2], output "invalid signature" and stop.
2. Compute t = se mod n
3. If t ≡ 12 (mod 16) then let f = t.
4. Else let f = n-t. If NOT f ≡ 12 (mod 16), output "invalid signature" and stop.
5. Output f.

The integer f is converted to a byte string of length |n| bytes and then parsed to confirm that all bytes match the required format EB = 06 || PS || 0xBA || H || 0x33 || 0xCC
If not, output "invalid signature" and stop; otherwise output the extracted message digest hash, H. ISO/IEC 9796

IOS/IEC 9796 is an old standard devised before there was a recognised message digest function like MD5 or SHA-1. It allows the entire message to be recovered. Unfortunately, it is considered broken for signing plain text messages, but is still OK for signing message digest values.
The encapsulation mechanism weaves the input bytes into a format exactly one bit shorter than the RSA key. The signing mechanism is similar to that in ANSI X9.31 described above, but the message representative, f, is required to be f ≡ 6 (mod 16), instead of modulo 12. In other words, make sure the last 4 bits are equal to 0x6 instead of 0xC.
RSA-KEM

The RSA-KEM Key Transport Algorithm encrypts a random integer with the recipient's public key, and then uses a symmetric key-wrapping scheme to encrypt the keying data. KEM stands for Key Encapsulation Mechanism. The general algorithm is as follows

1. Generate a random integer z between 0 and n-1.
2. Encrypt the integer z with the recipient's RSA public key: c = ze mod n.
3. Derive a key-encrypting key KEK from the integer z.
4. Wrap the keying data using KEK to obtain wrapped keying data WK.
5. Output c and WK as the encrypted keying data.

This method has a higher security assurance than PKCS#1v1.5 because the input to the underlying RSA operation is random and independent of the message, and the key-encrypting key KEK is derived from it in a strong way.

Algorithm: Ferguson-Schneier Encrypt Random Key with RSA. INPUT: Recipient's RSA public key, (n, e).
OUTPUT: Content encryption key, CEK; RSA-encrypted CEK, c.

1. Compute the exact bit length of the RSA key, k = ceiling(log2(n+1)).
2. Choose a random r in the interval [0, 2k-1].
3. Compute the content encryption key by hashing r, CEK=Hash(r).
4. c = re mod n.
5. Output CEK and c.

For a plaintext message, m, the transmission sent to the recipient is IntegerToString(c) || ECEK(m), where ECEK(m) is the result of encrypting m with a symmetrical encryption algorithm using key, CEK. Given that the recipient knows the size of the RSA key and hence the exact number of bytes needed to encode c, it is a simple matter to parse the input received from the sender.

Notation and Conventions

We use the following notation and conventions in this page.

• A || B denotes concatenation of byte (or bit) strings A and B.
• |B| denotes the length of the byte (or bit) string B in bytes.
• |n| denotes the length of the non-negative integer n in bytes, |n| = ceiling(log256(n+1)).
• IntegerToString(i, n) is an n-byte encoding of the integer i with the most significant byte first (i.e. in "big-endian" order). So, for example, IntegerToString(1, 4)=00000001,
  IntegerToString(7658, 3)=001DEA
• StringToInteger(S, n) is the integer represented by the byte string S of length n bytes with the most significant byte first.
• ceiling(x) is the smallest integer, n, such that n ≥ x.

to be continued...