2

I need to use RSA-SHA256 signing. Unfortunately not all Microsoft CryptoAPI providers support that. It's possible that I might get a handle to a CryptoAPI provider that can just encrypt/decrypt with RSA, and maybe sign with SHA1, but not SHA256. Also, the private key might be unavailable (say, it could be in a smart card or some such device).

Is it then possible for me to "fill the gaps" myself? I can, after all, calculate the SHA256 hash of the data myself. Can I then somehow encrypt it with the provider and get a valid signature? Simply encrypting the hash doesn't seem to work (it produces the wrong result).

Or is the signing algorithm a modification of the encryption algorithm, and if the provider doesn't support it, then there's physically nothing that I can do?

mikeazo
  • 38,563
  • 8
  • 112
  • 180
Vilx-
  • 1,095
  • 1
  • 8
  • 11
  • Here are two questions and answers on this site that are related and you should understand: http://crypto.stackexchange.com/questions/12090/using-the-same-rsa-keypair-to-sign-and-encrypt http://crypto.stackexchange.com/questions/15997/is-rsa-encryption-of-a-cryptographic-hash-with-a-private-key-the-same-as-signatu – mikeazo Nov 11 '14 at 18:12
  • @mikeazo - OK, so, no, I can't. Thank you very much! If you make this into an answer, I'll accept it and delete my SO question. – Vilx- Nov 11 '14 at 18:18
  • @Vlix, there may be some details about MS CryptoAPI I don't understand. Technically if you MS CryptoAPI can compute $m^d\bmod{N}$ for some specially chosen $m$ (e.g. padding(sha256(your message))) then it may be possible. I'll leave this as is to see if someone else can comment. – mikeazo Nov 11 '14 at 18:35
  • @mikeazo - AFAIK I cannot affect the padding. It takes care of that itself. I can only choose whether I want to use PKCS1.5 or OAEP padding when encrypting/decrypting. Since, according to those links, signatures use a different padding algorithm, there's nothing I can do... – Vilx- Nov 11 '14 at 18:39

2 Answers2

4

Yes, you can, but you would need access to raw or textbook RSA encryption and you would have to implement the PKCS#1 v1.5 or PSS padding primitives yourself. Beware that PKCS#1 v1.5 compatible padding is different for encryption signature generation.

If you only have PKCS#1 v1.5 encryption or OAEP encryption available then the encryption routine will already pad your data, and in that case you cannot use the encryption API to sign.

The padding methods in common use are found in RFC 3447 which basically is a copy of RSA/EMC's PKCS#1 v2.1 specification.

Community
  • 1
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
3

The only way you could do this if if you could affect the padding schemes appropriately. Mathematically, textbook RSA encryption with the private key is the same as textbook RSA signature generation.

Nobody should use textbook RSA, however. In practice, padding schemes are used and they differ between the two operations. So unless you can turn off padding (and padding checks) and implement the signature padding yourself, the answer is no.

The reason I mention padding checks is that theoretically, RSA decryption (which is the same as the RSA encryption operation but with the private key) does not add padding. The RSA decryption operation may check padding and throw an error if it is incorrect or it will strip away padding, which is something you don't want.

Community
  • 1
mikeazo
  • 38,563
  • 8
  • 112
  • 180