It's the fourth step. If you take a look at http://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Verifying, there is no step where a message representative is restored.
--------------------------------------------------
From: "Alexei" <[email protected]>
Sent: Thursday, October 22, 2009 4:39 AM
To: "Crypto++ Users" <[email protected]>
Subject: Re: Get MessageRepresentative from signature

> I am not familiar with DSA/ECDSA in depth. That's why I want to ask why DSA/ECDSA can't be applied for Digital signature scheme 1 described in ISO/IEC 9796-2?
>
> I have the following point of view.
> 1. There is the RFID-chip that has public/private key pair. Terminal can read public key and algorithm's type used to perform Active Authentication.
> 2. Terminal sends some random data to the RFID-chip. This random data represents non-recoverable part of the message (M2 in ISO/IEC 9796-2).
> 3. RFID-chip generates M1 and signs message M = [M1 | M2] as described in the standard. Sends result to the terminal.
> 4. Terminal can restore MessageRepresentative using public key and verify the signature.
>
> What's wrong? What step can't be performed using DSA/ECDSA?
>
> On 22 Oct, 15:25, "Wei Dai" <[email protected]> wrote:
>> Sorry, but I really don't see any possible way that ISO/IEC FDIS 9796-2 could apply to DSA/ECDSA. They just don't work the same way, and the discrete log based SSRs are in general very different from factorisation based ones.
>>
>> Please trust me on this, and look for some other explanation.
>>
>> --------------------------------------------------
>> From: "Alexei" <[email protected]>
>> Sent: Thursday, October 22, 2009 4:19 AM
>> To: "Crypto++ Users" <[email protected]>
>> Cc: "Wei Dai" <[email protected]>; "Alexei" <[email protected]>
>> Subject: Re: Get MessageRepresentative from signature
>>
>> > As I understand Digital signature scheme described in ISO/IEC FDIS 9796-2 can be implemented independent on signature generation algorithm. Currently I have implemented only support of RSA. We have sample ePassports with support of Active Authentication and all of them use scheme based on RSA.
>> >
>> > I have looked at section 3.3.2. Recommendation about using RSA-PSS applies for signature generation of certificates and Document Security object of RFID-chip. In Active Authentication is used simple RSA.
>> >
>> > We have tried to contact with authors of the document about some other questions but haven't got answer yet.
>> >
>> > On 22 Oct, 15:06, "Wei Dai" <[email protected]> wrote:
>> >> I'm pretty sure there's an error or misunderstanding on someone's part. Part of the title of ISO/IEC FDIS 9796-2 is "Part 2: Integer factorisation based mechanisms" and DSA/ECDSA are not factorisation based!
>> >>
>> >> Also, if you look at section 3.3.2 of that ICAO document, it says that for RSA you should use RSASSA-PSS, which is different from ISO/IEC FDIS 9796-2's Digital Signature Scheme 1. I don't have time to read through this document and figure out what is going on. Can you ask someone who is more familiar with this standard (maybe its authors?).
>> >>
>> >> --------------------------------------------------
>> >> From: "Alexei" <[email protected]>
>> >> Sent: Thursday, October 22, 2009 3:57 AM
>> >> To: "Crypto++ Users" <[email protected]>
>> >> Subject: Re: Get MessageRepresentative from signature
>> >>
>> >> > I am implementing software for reader of ICAO-compliant e-Passport. In this document
>> >> > http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
>> >> > specified procedure Active Authentication and some its requirements. Active Authentication is procedure described in ISO/IEC 9796-2, Digital signature scheme 1.
>> >> >
>> >> > Document above gives recommendations for key's size. If you look from page 23 then you see that recommendations are given for Active Authentication's keys with RSA, DSA and ECDSA.
>> >> >
>> >> > On 22 Oct, 14:14, "Wei Dai" <[email protected]> wrote:
>> >> >> After looking at that standard, I don't think you're supposed to use it with DSA or ECDSA, but only with RSA or RW. Also, it's not secure. See http://eprint.iacr.org/2009/203.pdf.
>> >> >>
>> >> >> Why do you have to implement this?
>> >> >>
>> >> >> --------------------------------------------------
>> >> >> From: "Alexei" <[email protected]>
>> >> >> Sent: Thursday, October 22, 2009 3:01 AM
>> >> >> To: "Crypto++ Users" <[email protected]>
>> >> >> Subject: Re: Get MessageRepresentative from signature
>> >> >>
>> >> >> > ISO/IEC FDIS 9796-2 draft you can take for a free
>> >> >> > http://isotctest.iso.org/livelink/livelink/4459194/SC27N3032_Text_for...
>> >> >> > In this document verification scheme is described correctly.
>> >> >> >
>> >> >> > Yes, it is signature scheme with message recovery. To verify signature the following steps should be performed:
>> >> >> > 1. Decrypt signature (get MessageRepresentative). Message representative in Digital signature scheme 1 consists of [Start byte | recoverable part of Message | hash(Message) | trailing byte(s)]
>> >> >> > 2. Construct Message* = [recoverable part of Message | non-recoverable part of Message]
>> >> >> > 3. Check that hash(Message) from signature is equal to hash(Message*).
>> >> >> >
>> >> >> > In Internet I have seen only once that somebody had the same problem
>> >> >> > http://www.groupsrv.com/science/about117544.html
>> >> >> >
>> >> >> > On 22 Oct, 12:28, "Wei Dai" <[email protected]> wrote:
>> >> >> >> I'm not familiar with ISO/IEC FDIS 9796-2, and I can't find much information about it (without paying to buy the standard). Is it some kind of signature scheme with message recovery (SSR)? I never really finished implementing support for discrete log-based SSR in Crypto++ (and nobody has complained about that before), so the only way to do it is to write your own code directly on top of the Integer and elliptic curve classes. You can try to reuse DL_Algorithm_GDSA in gfpcrypt.h, or copy the code out and build on top of that.
>> >> >> >>
>> >> >> >> Or, if you want to try to finish the DL SSR framework in Crypto++, take a look at DL_VerifierBase::RecoverAndRestart() in pubkey.h. But unlike with RSA, message recovery with discrete log based schemes is complicated and ultimately kind of pointless.
>> >> >> >>
>> >> >> >> --------------------------------------------------
>> >> >> >> From: "Alexei" <[email protected]>
>> >> >> >> Sent: Thursday, October 22, 2009 12:53 AM
>> >> >> >> To: "Crypto++ Users" <[email protected]>
>> >> >> >> Subject: Get MessageRepresentative from signature
>> >> >> >>
>> >> >> >> > Hello!
>> >> >> >> >
>> >> >> >> > I am implementing Digital signature scheme 1 described in ISO/IEC FDIS 9796-2. I have signature in binary form and public key.
>> >> >> >> > I know, how to get MessageRepresentative in case of RSA: call member ApplyFunction(...) of CryptoPP::RSA::PublicKey-object.
>> >> >> >> > But I don't know how to get MessageRepresentative in case of DSA and ECDSA... What I should do? Is there any general way to get MessageRepresentative independent on type of public key?
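The difference discussed in this thread, as an added example that is not part of the original messages and is not Crypto++ code: with RSA the public operation returns the message representative, while DSA verification takes the hash as an input and only yields a value to compare against `r`. All parameters are constructed toy values, the function names are hypothetical, and the `12*100 + 34` packing is a stand-in for the ISO/IEC 9796-2 representative, not its real encoding.

```cpp
#include <cstdint>
#include <iostream>

// Square-and-multiply modular exponentiation (toy-sized operands only).
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1; b %= m;
    for (; e; e >>= 1, b = b * b % m) if (e & 1) r = r * b % m;
    return r;
}

// --- Toy RSA (constructed parameters: n = 61 * 53) ---
const uint64_t N = 3233, E = 17, D = 2753;
uint64_t rsa_sign(uint64_t representative) { return powmod(representative, D, N); }
// The public operation returns the representative itself: message recovery.
uint64_t rsa_recover(uint64_t sig) { return powmod(sig, E, N); }

// --- Toy DSA (constructed parameters: g = 4 has order q = 11 mod p = 23) ---
const uint64_t P = 23, Q = 11, G = 4, X = 7;   // X: private key
const uint64_t Y = 8;                          // public key, G^X mod P
struct DsaSig { uint64_t r, s; };
uint64_t inv_q(uint64_t a) { return powmod(a, Q - 2, Q); }  // valid because Q is prime

DsaSig dsa_sign(uint64_t h, uint64_t k) {
    uint64_t r = powmod(G, k, P) % Q;
    return { r, inv_q(k) * ((h + X * r) % Q) % Q };
}
// The verifier must already hold h. For a valid signature the result equals
// (g^k mod p) mod q, a function of the nonce and not of the message.
uint64_t dsa_v(uint64_t h, DsaSig sig) {
    uint64_t w = inv_q(sig.s);
    uint64_t u1 = h * w % Q, u2 = sig.r * w % Q;
    return powmod(G, u1, P) * powmod(Y, u2, P) % P % Q;
}
bool dsa_verify(uint64_t h, DsaSig sig) { return dsa_v(h, sig) == sig.r; }

int main() {
    // Toy representative: recoverable part 12 and hash 34 packed as 12*100 + 34.
    uint64_t mr = rsa_recover(rsa_sign(1234));
    std::cout << "RSA recovered part=" << mr / 100 << " hash=" << mr % 100 << "\n";
    DsaSig sig = dsa_sign(5, 3);   // h = 5, nonce k = 3 (fixed for the demo only)
    std::cout << "DSA accepts h=5: " << dsa_verify(5, sig)
              << ", h=6: " << dsa_verify(6, sig) << "\n";
}
```
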
