W3CDigital Signature Initiative RSA-SHA1 Signature Suite - Version 1.0


 

RSA is a public-key cryptosystem for both encryption and authentication. This signature suite specifies how it is used with the SHA1 hash function to sign a PICS  label per the DSig 1.0 Specification.

Overview

This signature suite uses for hashing

The Secure Hash Algorithm (SHA-1), National Institute of Standards and Technology, NIST FIPS PUB 186, "Digital Signature Standard,", U.S. Department of Commerce, May 1994

and for encryption

The RSA Encryption Algorithm, R.L. Rivest, A. Shamir, L.M. Adleman, "A method of Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, v. 21, n. 2, Feb. 1978, pp 120-126.

RSA Overview

RSA is a public-key cryptosystem for both encryption and authentication; it was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78]. Details on the algorithm can be found in various places. RSA is combined with the SHA1 hashing function to sign a message in this signature suite. It must be infeasible for anyone to either find a message that hashes to a given value or to find two messages that hash to the same value. If either were feasible, an intruder could attach a false message onto Alice's signature. The hash functions SHA1 has been designed specifically to have the property that finding a match is infeasible, and is therefore considered suitable for use in this role.

One or more certificates may accompany a digital signature. A certificate is a signed document that binds the public key to the identity of a party. Its purpose is to prevent someone from impersonating someone else. If a certificate is present, the recipient (or a third party) can check that the public key belongs to a named party, assuming the certifier's public key is itself trusted. These certificates can be held in the Attribution Information section of the DSig 1.0 Signature Block Extension and thus passed along with the signature to aid in validating it. (See section Attribution Information section in the DSig 1.0 Specification.)

The signature section of the DSig 1.0 Signature Block Extension is defined in the DSig 1.0 Specification. For the RSA-SHA1 signature suite, the signature section has the following required and optional fields.

Encoding

All values are encoded using the standard base-64 representation of a byte-array containing the two's-complement representation of the value to encode. The first byte in this array is the high-order byte. The minimal number of bytes necessary is used to represent a certain value, so no leading zero-bytes are allowed.

Required Fields

The general specification allows for four variants on how to specify what key has been used for signing, or rather what key is to be used for verifying the signature: ByKey, ByHash, ByName and ByCert. The signature suite specs are to specify what forms are mandatory or optional. For this signature-suite, exactly one of ByKey, ByHash, ByName and ByCert have to be present. It is assumed, that in all cases where one or more certificates are stored in the attribution-section, a reference to one of these certificates is appropriate, and the ByHash-method can be used. If no certificates are available, either the ByKey-method is appropriate, or ByName/ByCert may be used, if online search or retrieval is reasonably available.

"ByKey" - key value for validating a signature
The token "ByKey" identifies the value that follows as the key that should be used to validate the signature (or sufficient information to generate that key locally).
   ( "ByKey" <Key-Value, Signature-Suite dependent> )
Within the RSA-SHA1  signature suite, the key values are:
   ( "ByKey"
      ( "E" "base64-encoded-public-exponent" )
      ( "N" "base64-encoded-modulus" ))
"ByHash" - key value for validating a signature

The token "ByHash" identifies the value that follows as the SHA1-hash of the key that should be used to validate the signature.

   ( "ByHash" "base-64-encoded-hash-of-key" )

The hash-value is calculated from the concatenation of the following information:

If the length of one element is less than or equal to 127, the length-value L(x)   is exactly one byte with the
length as value. If the length is larger than 127, but less than  32767, the length-value consists of 3 bytes, one with the value 82 hexadecimal, the other two contain the length as a 16-bit integer, high byte first. A length > 32767 is not supported.

ByName - referencing the key value for validating a signature by name

The token "ByName" identifies the value that follows as the name of the entity that has generated the signature. It should be used to identify the public key necessary to validate the signature.

( "ByName" "Name-as-string-value" )

It can be used as a pointer to one of the certificates in the attribution information section, or be used to fetch a certificate from a local certificate-repository or an online-retrieval service. The format of the value depends on the certificate-system used, and can be a distinguished name from an X.509-field, an email-address or some other string value. ByName should be avoided, if searching the certificates given is likely to result in ambiguity.

ByCert  - referencing the key value for validating a signature by certificate

The token "ByCert" identifies the value that follows as a pointer to a certificate. It should be used to identify the public key necessary to validate the signature.

   ( "ByCert" ( "CA-Name-as-string-value" <CA-Serial-No.> ) )

It can be used as a pointer to one of the certificates in the attribution information section, or be used to fetch a certificate from a local certificate-repository or an online-retrieval service. The format of the value depends on the certificate-system used, and has to be specified in the Certificate Family Identifiers- Documents. 

"SigCrypto" - signature cryptographic data
 

The "SigCrypto" token identifies the SigData field that contains the cryptographic data that is the signature itself. The format and contents of this field are:

      ("SigCrypto" "base64-encoded-RSASHA1-signature")
For signing, the SHA-1-hash is padded according to PKCS#1,  section 8.1, using block-type 01. Specifically, the encryption-block EB is calculated as follows:
 
EB = 00 || 01 || PS || 00 || SHA-Hash
where PS is a padding-string consisting of K-23 octets having value FF, where K is the size of the modulus in octets.
 

Optional Fields

All common fields in the DSig Label spec are applicable in this Signature Suite specification.

Example

("Signature" "http://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html" 
     ("ByKey" (("N" "aba21241241=")
               ("E" "abcdefghijklmnop=")))
     ("SigCrypto" "aba1241241==")
     ("on" "1996.12.02T22:20-0000")
     ("exclude" ("extensions" "http://foo/badextension.html")))

Philip A. DesAutels, DSig Project Manager 9 Oct 97
Peter Lipp Feb. 1998