Sorry, but I really don't see any possible way that ISO/IEC FDIS 9796-2 
could apply to DSA/ECDSA. They just don't work the same way, and the 
discrete log based SSRs are in general very different from factorisation 
based ones.

Please trust me on this, and look for some other explanation.

--------------------------------------------------
From: "Alexei" <[email protected]>
Sent: Thursday, October 22, 2009 4:19 AM
To: "Crypto++ Users" <[email protected]>
Cc: "Wei Dai" <[email protected]>; "Alexei" <[email protected]>
Subject: Re: Get MessageRepresentative from signature

>
> As I understand it, the digital signature scheme described in ISO/IEC FDIS
> 9796-2 can be implemented independently of the signature generation
> algorithm. Currently I have implemented support for RSA only. We have
> sample ePassports with support for Active Authentication and all of
> them use a scheme based on RSA.
>
> I have looked at section 3.3.2. The recommendation about using RSA-PSS
> applies to signature generation for certificates and the Document Security
> Object of the RFID chip. In Active Authentication simple RSA is used.
>
> We have tried to contact the authors of the document about some other
> questions but haven't got an answer yet.
>
> On 22 Oct, 15:06, "Wei Dai" <[email protected]> wrote:
>> I'm pretty sure there's an error or misunderstanding on someone's part. Part
>> of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation based
>> mechanisms" and DSA/ECDSA are not factorisation based!
>>
>> Also, if you look at section 3.3.2 of that ICAO document, it says that for
>> RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS 9796-2's
>> Digital Signature Scheme 1. I don't have time to read through this document
>> and figure out what is going on. Can you ask someone who is more familiar
>> with this standard (maybe its authors)?
>>
>> --------------------------------------------------
>> From: "Alexei" <[email protected]>
>> Sent: Thursday, October 22, 2009 3:57 AM
>> To: "Crypto++ Users" <[email protected]>
>> Subject: Re: Get MessageRepresentative from signature
>>
>> > I am implementing software for a reader of ICAO-compliant e-Passports. In
>> > this document
>> > http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
>> > the Active Authentication procedure and some of its requirements are
>> > specified. Active Authentication is the procedure described in
>> > ISO/IEC 9796-2, Digital signature scheme 1.
>>
>> > The document above gives recommendations for key sizes. If you look from
>> > page 23 you will see that recommendations are given for Active
>> > Authentication keys with RSA, DSA and ECDSA.
>>
>> > On 22 Oct, 14:14, "Wei Dai" <[email protected]> wrote:
>> >> After looking at that standard, I don't think you're supposed to use it
>> >> with DSA or ECDSA, but only with RSA or RW. Also, it's not secure.
>> >> See http://eprint.iacr.org/2009/203.pdf.
>>
>> >> Why do you have to implement this?
>>
>> >> --------------------------------------------------
>> >> From: "Alexei" <[email protected]>
>> >> Sent: Thursday, October 22, 2009 3:01 AM
>> >> To: "Crypto++ Users" <[email protected]>
>> >> Subject: Re: Get MessageRepresentative from signature
>>
>> >> > You can get the ISO/IEC FDIS 9796-2 draft for free:
>> >> > http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
>> >> > In this document the verification scheme is described correctly.
>>
>> >> > Yes, it is a signature scheme with message recovery. To verify a
>> >> > signature the following steps should be performed:
>> >> > 1. Decrypt the signature (get MessageRepresentative). The message
>> >> > representative in Digital signature scheme 1 consists of [Start byte |
>> >> > recoverable part of Message | hash(Message) | trailing byte(s)]
>> >> > 2. Construct Message* = [recoverable part of Message | non-recoverable
>> >> > part of Message]
>> >> > 3. Check that hash(Message) from the signature is equal to
>> >> > hash(Message*).
>>
>> >> > On the Internet I have seen only once that somebody had the same problem:
>> >> > http://www.groupsrv.com/science/about117544.html
>>
>> >> > On 22 Oct, 12:28, "Wei Dai" <[email protected]> wrote:
>> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much
>> >> >> information about it (without paying to buy the standard). Is it some
>> >> >> kind of signature scheme with message recovery (SSR)? I never really
>> >> >> finished implementing support for discrete log-based SSR in Crypto++
>> >> >> (and nobody has complained about that before), so the only way to do
>> >> >> it is to write your own code directly on top of the Integer and
>> >> >> elliptic curve classes. You can try to reuse DL_Algorithm_GDSA in
>> >> >> gfpcrypt.h, or copy the code out and build on top of that.
>>
>> >> >> Or, if you want to try to finish the DL SSR framework in Crypto++,
>> >> >> take a look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But
>> >> >> unlike with RSA, message recovery with discrete log based schemes is
>> >> >> complicated and ultimately kind of pointless.
>>
>> >> >> --------------------------------------------------
>> >> >> From: "Alexei" <[email protected]>
>> >> >> Sent: Thursday, October 22, 2009 12:53 AM
>> >> >> To: "Crypto++ Users" <[email protected]>
>> >> >> Subject: Get MessageRepresentative from signature
>>
>> >> >> > Hello!
>>
>> >> >> > I am implementing Digital signature scheme 1 described in ISO/IEC
>> >> >> > FDIS 9796-2. I have the signature in binary form and the public key.
>> >> >> > I know how to get MessageRepresentative in the case of RSA: call the
>> >> >> > member ApplyFunction(...) of the CryptoPP::RSA::PublicKey object.
>> >> >> > But I don't know how to get MessageRepresentative in the case of DSA
>> >> >> > and ECDSA... What should I do? Is there any general way to get
>> >> >> > MessageRepresentative independent of the type of public key?
> 
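
The three verification steps listed in the quoted message, worked through for the RSA case as an added example (not code from the thread or from Crypto++). The start byte 0x6A, trailing byte 0xBC, SHA-1, the constructed toy key and all function names are assumptions of this example, and only partial recovery is handled.

```python
import hashlib

# Constructed toy key from two Mersenne primes: for illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes
HEADER, TRAILER, HLEN = 0x6A, 0xBC, 20   # assumed: partial recovery, SHA-1
CAPACITY = K - HLEN - 2                  # message bytes carried inside the signature


def sign(message: bytes):
    """Test helper: return (signature, non-recoverable part of the message)."""
    if len(message) < CAPACITY:
        raise ValueError("example covers partial recovery only")
    m1, m2 = message[:CAPACITY], message[CAPACITY:]
    rep = bytes([HEADER]) + m1 + hashlib.sha1(message).digest() + bytes([TRAILER])
    return pow(int.from_bytes(rep, "big"), D, N).to_bytes(K, "big"), m2


def recover_representative(signature: bytes) -> bytes:
    """Step 1: apply the RSA public function to obtain the message representative."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        raise ValueError("signature out of range")
    return pow(s, E, N).to_bytes(K, "big")


def verify(signature: bytes, non_recoverable: bytes) -> bytes:
    """Steps 1-3: return the full message, or raise ValueError."""
    rep = recover_representative(signature)
    # Reject anything that does not have the expected start and trailing bytes.
    if rep[0] != HEADER or rep[-1] != TRAILER:
        raise ValueError("bad start or trailing byte")
    m1, digest = rep[1:-1 - HLEN], rep[-1 - HLEN:-1]
    message = m1 + non_recoverable                  # step 2: Message*
    if hashlib.sha1(message).digest() != digest:    # step 3: compare hashes
        raise ValueError("hash mismatch")
    return message
```

The hash covers both parts of the message, so a verifier that checks only the recovered part has not verified the signature.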
