
Signature.sign() giving different results each time

Reinout van Schouwen - 17 Oct 2005 11:19 GMT
Hello all,

I have this piece of code:

    public byte[] sign(String digest) {
        byte[] result = new byte[0];

        try {
            Signature dsa = Signature.getInstance("SHA1withDSA");
            PrivateKey priv = privateKey.getPrivate();
            //privateKey is a KeyPair instance
            dsa.initSign(priv);
            dsa.update(digest.getBytes());
            result = dsa.sign();
        } catch (Exception e) {
            System.err.println("WARNING: " + e.getMessage());
            e.printStackTrace();
        }
        return result;
    }

When given the same string as parameter, each time this method is called
I get a different result from the Signature.sign() method. According to
the API docs, the state of the Signature object should have been reset
after calling sign().

It's probably something really basic, but I can't spot the problem. What
am I missing?

regards,

Signature

Reinout van Schouwen      ***    student of Artificial Intelligence
email: reinout@cs.vu.nl    ***    mobile phone: +31-6-44360778
www.vanschouwen.info       ***    help translate GNOME: nl.gnome.org

Tommy Grändefors - 17 Oct 2005 21:45 GMT
It's nothing to worry about. When a signature is created, the following
will happen (simplified):
1. The data to be signed is hashed.
2. The hash is padded.
3. The padded hash is "encrypted" with the private key.

I'm not quite sure what padding scheme is used with DSA, but some
paddings (e.g. block type 2 padding in PKCS#1) use random bytes for
padding which makes the signature content different each time it's
generated from the same data.

You should however worry about the data that you are signing. According
to your example program, as I interpret it, you are passing in a hash
(your 'digest' parameter) to the signature object, which means that
your hash, and not your data, is hashed and signed. Remember that the
Java Signature class will perform hashing and signing in the same
single operation thus the algorithm name "SHA1withDSA". You should pass
in the data to be signed to the Signature object, not its pre-generated
hash.

Regards,
Tommy Grändefors
www.pheox.com

> Hello all,
>
[quoted text clipped - 31 lines]
> email: reinout@cs.vu.nl    ***    mobile phone: +31-6-44360778
> www.vanschouwen.info       ***    help translate GNOME: nl.gnome.org
Mike Amling - 19 Oct 2005 20:59 GMT
> It's nothing to worry about. When a signature is created, the following
> will happen (simplified):
[quoted text clipped - 6 lines]
> padding which makes the signature content different each time it's
> generated from the same data.

  DSA doesn't use padding per se. The signature is two 160-bit
integers r and s, where
  r=((g**k) mod p) mod q
  s=(x*r+h)*(k**-1) mod q

(See pages 8 and 9 of the defining document I cited in the other post.)
  x is the private key.
  h is the 160-bit hash value.
  g, p and q are parameters whose value is the same for all signatures
using a particular x.

  Each signature requires a different value of k, which must be kept
secret and not predictable by adversaries. (Someone who learns the value
of k used for a signature can find the private key x, as
x=(s*k-h)*(r**-1) mod q). To keep k unpredictable, the signer generates
a fresh value of k at random for each signature. The value of k
influences r and s strongly, which is why no two signatures are the
same, even for the same signed message.

> You should however worry about the data that you are signing. According
> to your example program, as I interpret it, you are passing in a hash
[quoted text clipped - 4 lines]
> in the data to be signed to the Signature object, not its pre-generated
> hash.

  That's OK, however the OP can use his method as long as the verifier
uses the hash in the same manner, if the OP doesn't want to let the
verifier see the actual message.

--Mike Amling
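
The equations in the post above, written out with BigInteger as an added example (not code from any poster in this thread). The class and method names are assumptions made for illustration; the key and parameters are generated at run time by the JDK, and the message is a constructed sample.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.*;

public class DsaEquations {
    // r = ((g^k) mod p) mod q,  s = (x*r + h) * k^-1 mod q  (as in the post above)
    static BigInteger[] sign(DSAParams d, BigInteger x, BigInteger h, BigInteger k) {
        BigInteger p = d.getP(), q = d.getQ();
        BigInteger r = d.getG().modPow(k, p).mod(q);
        BigInteger s = x.multiply(r).add(h).multiply(k.modInverse(q)).mod(q);
        return new BigInteger[] { r, s };
    }

    // Standard DSA verification: v = ((g^u1 * y^u2) mod p) mod q must equal r.
    static boolean verify(DSAParams d, BigInteger y, BigInteger h, BigInteger[] sig) {
        BigInteger p = d.getP(), q = d.getQ(), w = sig[1].modInverse(q);
        BigInteger u1 = h.multiply(w).mod(q), u2 = sig[0].multiply(w).mod(q);
        BigInteger v = d.getG().modPow(u1, p).multiply(y.modPow(u2, p)).mod(p).mod(q);
        return v.equals(sig[0]);
    }
    // Uniform k in [1, q-1], drawn fresh for every signature.
    static BigInteger freshK(BigInteger q, SecureRandom rnd) {
        BigInteger k;
        do { k = new BigInteger(q.bitLength(), rnd); }
        while (k.signum() == 0 || k.compareTo(q) >= 0);
        return k;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024); // 1024-bit p with 160-bit q, the sizes this thread discusses
        KeyPair kp = kpg.generateKeyPair();
        DSAPrivateKey priv = (DSAPrivateKey) kp.getPrivate();
        DSAParams d = priv.getParams();
        BigInteger x = priv.getX(), q = d.getQ();
        BigInteger y = ((DSAPublicKey) kp.getPublic()).getY();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        BigInteger h = new BigInteger(1, MessageDigest.getInstance("SHA-1").digest(msg));
        SecureRandom rnd = new SecureRandom();
        BigInteger k1 = freshK(q, rnd), k2 = freshK(q, rnd);
        BigInteger[] a = sign(d, x, h, k1), b = sign(d, x, h, k2);
        System.out.println("same (r, s): " + (a[0].equals(b[0]) && a[1].equals(b[1])));
        System.out.println("both verify: " + (verify(d, y, h, a) && verify(d, y, h, b)));
        // x = (s*k - h) * r^-1 mod q: the signer's k is as sensitive as x itself.
        BigInteger fromK = a[1].multiply(k1).subtract(h).multiply(a[0].modInverse(q)).mod(q);
        System.out.println("x computable from k: " + fromK.equals(x));
    }
}
```

The sketch omits the retry a full implementation performs when r or s comes out as 0, which is negligibly rare with a 160-bit q.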
Tommy Grändefors - 20 Oct 2005 19:42 GMT
That's not ok because the content has not been signed, only the
content's hash value. A verifier can claim that a document was not
signed since the signature does not match the document's content.
If the content that was signed is not available, but only its hash,
then I suggest to decrypt the signature with the signer's public key
and then extract the hash from the decrypted 'DigestInfo' DER-encoded
structure, and finally compare the hash values for equality.

Regards,
Tommy Grändefors
www.pheox.com

> > You should however worry about the data that you are signing. According
> > to your example program, as I interpret it, you are passing in a hash
[quoted text clipped - 10 lines]
>
> --Mike Amling
Mr. Skeptic - 17 Oct 2005 23:02 GMT
The DSA signature can be different every time, even for the same
message.
Mike Amling - 19 Oct 2005 20:27 GMT
> Hello all,
>
[quoted text clipped - 19 lines]
> When given the same string as parameter, each time this method is called
> I get a different result from the Signature.sign() method.

  Without having read your code, just let me note that's a good
property for a digital signature algorithm to have, and DSA has it. (The
defining document is
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf)
There's only a problem if a generated signature doesn't verify.

> According to
> the API docs, the state of the Signature object should have been reset
> after calling sign().

  If all the generated signatures verify, then apparently it was indeed
reset.

--Mike Amling
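
A check along the lines suggested above, as an added example that is not part of any post in this thread: sign the same input twice, compare the bytes, and verify both signatures. It also feeds the verifier the raw message instead of the hex digest string that was signed, to show the mismatch discussed earlier in the thread. The class name, helper names and sample message are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class SignTwice {
    static byte[] sign(PrivateKey priv, byte[] input) throws GeneralSecurityException {
        Signature dsa = Signature.getInstance("SHA1withDSA");
        dsa.initSign(priv);
        dsa.update(input);
        return dsa.sign();
    }

    static boolean verify(PublicKey pub, byte[] input, byte[] sig) throws GeneralSecurityException {
        Signature dsa = Signature.getInstance("SHA1withDSA");
        dsa.initVerify(pub);
        dsa.update(input);
        return dsa.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024); // 1024-bit p with 160-bit q, the sizes this thread discusses
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample: the caller hashes first and passes a hex digest string,
        // which is how the replies read the sign(String digest) method in the question.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(message);
        byte[] digest = String.format("%040x", new BigInteger(1, sha1))
                .getBytes(StandardCharsets.US_ASCII);

        byte[] sig1 = sign(kp.getPrivate(), digest);
        byte[] sig2 = sign(kp.getPrivate(), digest);

        System.out.println("identical bytes:       " + Arrays.equals(sig1, sig2));
        System.out.println("sig1 over digest:      " + verify(kp.getPublic(), digest, sig1));
        System.out.println("sig2 over digest:      " + verify(kp.getPublic(), digest, sig2));
        // The verifier must pass update() exactly the bytes the signer passed.
        System.out.println("sig1 over raw message: " + verify(kp.getPublic(), message, sig1));
    }
}
```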

