W3C RSA-MD5 Signature Suite - Version 1.0


RSA is a public-key cryptosystem for both encryption and authentication. This signature suite specifies how it is used with the MD5 hash function to sign a PICS  label per the DSig 1.0 Specification.

Status of this Document

This document is part of the DSig 1.0 Recommendation. It has been reviewed by W3C Members and other interested parties and has been endorsed by the Director as a W3C Recommendation. It is a stable document and may be used as reference material or cited as a normative reference from another document.

Last updated: 1998-05-27T18:31:18Z

Overview

This signature suite is identified by the URL

http://www.w3.org/TR/1998/REC-DSig-label/RSA-MD5-1_0

This signature suite uses for hashing

The MD5 Message Digest Algorithm, R.L. Rivest, RFC 1321, April 1992

and for encryption

The RSA Encryption Algorithm, R.L. Rivest, A. Shamir, L.M. Adleman, "A method of Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, v. 21, n. 2, Feb. 1978, pp 120-126.

RSA Overview

RSA is a public-key cryptosystem for both encryption and authentication; it was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman [RSA78]. Details on the algorithm can be found in various places. RSA is combined with the MD5 hashing function to sign a message in this signature suite. It must be infeasible for anyone to either find a message that hashes to a given value or to find two messages that hash to the same value. If either were feasible, an intruder could attach a false message onto Alice's signature. The hash function MD5 has been designed specifically to have the property that finding a match is infeasible, and is therefore considered suitable for use in this role.

One or more certificates may accompany a digital signature. A certificate is a signed document that binds the public key to the identity of a party. Its purpose is to prevent someone from impersonating someone else. If a certificate is present, the recipient (or a third party) can check that the public key belongs to a named party, assuming the certifier's public key is itself trusted. These certificates can be held in the Attribution Information section of the DSig 1.0 Signature Block Extension and thus passed along with the signature to aid in validating it. (See section Attribution Information section in the DSig 1.0 Specification.)

The signature section of the DSig 1.0 Signature Block Extension is defined in the DSig 1.0 Specification. For the RSA-MD5 signature suite, the signature section has the following required and optional fields.

Encoding

All values are encoded using the standard base-64 representation of a byte-array containing the two's-complement representation of the value to encode. The first byte in this array is the high-order byte. The minimal number of bytes necessary is used to represent a certain value, so no leading zero-bytes are allowed.

Required Fields

The general specification allows for four variants on how to specify what key has been used for signing, or rather what key is to be used for verifying the signature: ByKey, ByHash, ByName and ByCert. The signature suite specs are to specify what forms are mandatory or optional. For this signature suite, exactly one of ByKey, ByHash, ByName and ByCert have to be present. It is assumed, that in all cases where one or more certificates are stored in the attribution information section, a reference to one of these certificates is appropriate, and the ByHash method can be used. If no certificates are available, either the ByKey method is appropriate, or ByName/ByCert may be used, if online search or retrieval is reasonably available.

"ByKey" - key value for validating a signature
The token "ByKey" identifies the value that follows as the key that should be used to validate the signature (or sufficient information to generate that key locally).
   ( "ByKey" <Key-Value, Signature-Suite dependent> )
Within the RSA-MD5  signature suite, the key values are:
   ( "ByKey"
      ( "E" "base64-encoded-public-exponent" )
      ( "N" "base64-encoded-modulus" ))
"ByHash" - key value for validating a signature

The token "ByHash" identifies the value that follows as the MD5-hash of the key that should be used to validate the signature.

   ( "ByHash" "base-64-encoded-hash-of-key" )

The hash-value is calculated from the concatenation of the following information:

If the length of one element is less than or equal to 127, the length-value L(x)   is exactly one byte with the
length as value. If the length is larger than 127, but less than  32767, the length-value consists of 3 bytes, the first with the value 82 hexadecimal, the other two contain the length as a 16-bit integer, high byte first. A length > 32767 is not supported.

ByName - referencing the key value for validating a signature by name

The token "ByName" identifies the value that follows as the name of the entity that has generated the signature. It should be used to identify the public key necessary to validate the signature.

( "ByName" "Name-as-string-value" )

It can be used as a pointer to one of the certificates in the attribution information section, or be used to fetch a certificate from a local certificate-repository or an online-retrieval service. The format of the value depends on the certificate-system used, and can be a distinguished name from an X.509-field, an email-address or some other string value. ByName should be avoided, if searching the certificates given is likely to result in ambiguity.

ByCert  - referencing the key value for validating a signature by certificate

The token "ByCert" identifies the value that follows as a pointer to a certificate. It should be used to identify the public key necessary to validate the signature.

   ( "ByCert" ( "CA-Name-as-string-value" <CA-Serial-No.> ) )

It can be used as a pointer to one of the certificates in the attribution information section, or be used to fetch a certificate from a local certificate-repository or an online-retrieval service. The format of the value depends on the certificate-system used, and has to be specified in the Certificate Family Identifiers- Documents. 

"SigCrypto" - signature cryptographic data
The "SigCrypto" token identifies the SigData field that contains the cryptographic data that is the signature itself. The format and contents of this field are:
      ("SigCrypto" "base64-encoded-RSAMD5-signature")
For signing, the MD5 hash of the canonicalized label is padded according to PKCS#1, section 8.1, using block-type 01. Specifically, the encryption-block EB is calculated as follows:
 
EB = 00 || 01 || PS || 00 || MD5-Hash
where PS is a padding-string consisting of K-19 octets having value FF, where K is the size of the modulus in octets.
 

Optional Fields

All common SigData fields in the DSig Label spec are applicable in this Signature Suite specification.

Example

("Signature" "http://www.w3.org/TR/1998/REC-DSig-label/RSA-MD5-1_0" 
     ("ByKey" (("N" "aba21241241=")
               ("E" "abcdefghijklmnop=")))
     ("SigCrypto" "aba1241241==")
     ("on" "1996.12.02T22:20-0000")
     ("exclude" ("extensions" "http://foo/badextension")))

Copyright  ©  1998 W3C (MIT, INRIA, Keio ), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply.

Philip A. DesAutels, DSig Project Manager 9 Oct 97
Peter Lipp Feb. 1998