some RSA questions

Some questions about writing a program that uses RSA.

Let's assume we have 3 participants (Alice, Bob, Carol). The idea is for Bob to send an encrypted and signed message to Alice. Although Bob constructs the message, signs it and encrypts it, it is Carol who can decide some parts of the message. The message is small, 200-400 bytes in length. Some of the contents of the message are always the same (field names) and the message looks much like mail headers:

Field1Name: field1contents
Field2Name: field2contents
Field3Name: field3contents

Carol can decide what goes into the field contents.

Now the easiest way would be to sign the message using Bob's private key and encrypt it using Alice's public key.

What Carol wants to do is forge similar messages without help from Bob and send the messages to Alice. Let's say that Bob is a bank, Alice a merchant and Carol a buyer. Usually Bob has to take some money from Carol's account and after that he signals Alice that she can give the goods to Carol. Now Carol wants to get the goods without paying and give a false signal to Alice (which Alice thinks is a signal from Bob).

Both the public keys of Alice and Bob are well-known. One of the fields will be unique for every message, so that Carol cannot use the same message to pay once and receive the goods many times.

The question is easy: how should I sign and encrypt the message?

1) calculate a digest (MD5, SHA) from the message, sign the digest (or should I sign the message contents + digest) with Bob's private key and encrypt it with Alice's public key?

2) is there any idea to generate a DES key, encrypt the message with the DES key, calculate a digest on (enc. message + DES key), sign the digest and encrypt it with Alice's public key? The message is small, so the time it takes to encrypt the message is not so important compared to higher speed of DES.

3) maybe it would be good to encrypt the message with Alice's public key, then generate a digest, sign the digest and then once more encrypt the whole thing with Alice's public key?

Using a DES session key helps in case someone would find out Alice's private key she uses to decrypt the message, but actually in this case it is not so important to hide the message contents (what is important are message integrity and sender authentication).

What are the suggestions what crypto package might I use: RSAref, crypto++, SSLeay or some other?

--
Juri Kaljundi
jk@stallion.ee

On Sun, 27 Oct 1996, Jüri Kaljundi wrote:

> The question is easy: how should I sign and encrypt the message?
> 1) calculate a digest (MD5, SHA) from the message, sign the digest (or should I sign the message contents + digest) with Bob's private key and encrypt it with Alice's public key?

This is the best way. The message plus the signature should be encrypted using a symmetric algorithm, and the key encrypted with Alice's public key. All RSA encryption and signing should be done according to the PKCS standard to avoid several nasty attacks that are successful if plain RSA is used.

> 2) is there any idea to generate a DES key, encrypt the message with the DES key, calculate a digest on (enc. message + DES key), sign the digest and encrypt it with Alice's public key? The message is small, so the time it takes to encrypt the message is not so important compared to higher speed of DES.

It is generally not a good idea to sign an encrypted message. The signature should be calculated on the plaintext, not ciphertext.

> 3) may be it would be good to encrypt the message with Alice's public key, then generate a digest, sign the digest and then once more encrypt the whole thing with Alice's public key?

This has the same problem as #2.

> Using a DES session key helps in case someone would find out Alice's private key she uses to decrypt the message, but actually in this case it is not so important to hide the message contents (what is important are message integrity and sender authentication).
> What are the suggestions what crypto package might I use: RSAref, crypto++, SSLeay or some other?

SSLeay is pretty fast and does have code to use PKCS. It probably doesn't make that much of a difference. RSAref isn't necessary; RSA isn't patented outside the USA. The other packages are faster and better than RSAref.

Mark
--
finger -l for PGP key
PGP encrypted mail preferred.
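
The scheme recommended in the reply above (sign the plaintext, encrypt signature plus message under a symmetric key, wrap that key with Alice's public key, use PKCS padding throughout), as an added example that is not part of the original thread or either poster's code. It assumes the Python `cryptography` package; RSA-2048, SHA-256 and AES-256-GCM stand in for the MD5/SHA and DES named in the thread, and `TxId` is a hypothetical name for the per-message unique field.

```python
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumptions: RSA-2048, SHA-256 and AES-256-GCM stand in for the thread's
# MD5/SHA and DES; "TxId" is a hypothetical name for the unique field.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
SIG_PAD, SIG_HASH = padding.PKCS1v15(), hashes.SHA256()

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def seal(msg, signer_priv, recipient_pub):
    """Sign the plaintext, then encrypt signature+message under a fresh
    AES key and wrap that key with the recipient's RSA public key."""
    sig = signer_priv.sign(msg, SIG_PAD, SIG_HASH)
    key, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    body = AESGCM(key).encrypt(nonce, sig + msg, None)
    return recipient_pub.encrypt(key, OAEP) + nonce + body

def accept(blob, recipient_priv, signer_pub, seen_ids):
    """Unwrap the key, decrypt, verify the signature, reject replays."""
    k = recipient_priv.key_size // 8          # length of the wrapped key
    key = recipient_priv.decrypt(blob[:k], OAEP)
    plain = AESGCM(key).decrypt(blob[k:k + 12], blob[k + 12:], None)
    s = signer_pub.key_size // 8              # length of the signature
    sig, msg = plain[:s], plain[s:]
    signer_pub.verify(sig, msg, SIG_PAD, SIG_HASH)  # raises InvalidSignature
    fields = dict(ln.split(": ", 1) for ln in msg.decode().splitlines())
    if fields["TxId"] in seen_ids:
        raise ValueError("replayed TxId")
    seen_ids.add(fields["TxId"])
    return fields

def demo():
    bob, alice, carol = new_key(), new_key(), new_key()
    msg = b"TxId: 0001\nPayer: carol\nAmount: 25.00"  # constructed sample
    seen, out = set(), []
    for signer in (bob, carol, bob):  # genuine, signed by Carol, replayed
        try:
            accept(seal(msg, signer, alice.public_key()), alice, bob.public_key(), seen)
            out.append("accepted")
        except (InvalidSignature, ValueError) as exc:
            out.append(type(exc).__name__)
    return out

if __name__ == "__main__": print(demo())
```

Because Alice's public key is well-known, anyone can build a correctly encrypted envelope; only the signature check against Bob's public key and the seen-`TxId` set separate a genuine payment signal from a forged or replayed one.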
participants (2)
- Jüri Kaljundi
- Mark M.