What is the verification algorithm for verifying RSA signatures?

Question

I am not able to find much information how how to verify RSA signatures.

I have three values.

Message = "Launch a missile."

public key:

e = 010001 (this hex value equals to decimal 65537)
n = AE1CD4DC432798D933779FBD46C6E1247F0CF1233595113AA51B450F18116115

I want to verify if the signature below is the correct signature.

S = 643D6F34902D9C7EC90CB0B2BCA36C47FA37165C0005CAB026C0542CBDB6802F

The only formula I was able to find is

$S^e = \operatorname{Pad}(\operatorname{Hash}(M))\pmod N$

Is this the correct verification algorithm? If so, I am unclear about the Pad() and Hash() functions. How can I calculate the hash and pad functions?

Just to be sure: Did you already search our site and read Q&As like How does RSA signature verification work? and/or have you checked things like RFC 8017, section 8? — e-sushi, May 19 '18 at 09:24
This tutorial might help: https://medium.com/gitconnected/how-browsers-verify-digital-certificates-part-1-26ee57a6e712 — David Klempfner, Feb 26 '22 at 00:18

User · Accepted Answer · 2018-05-19T05:19:31.970

1

I finally found an answer to this. A simple formula to verify the signature is: $M = S^e \pmod N$.

If I take the numbers in my original post and plug them into that formula, I get $M = 4C61756E63682061206D697373696C652E$.

Then, if I use the python command below to convert the hex string back to ASCII, print("4C61756E63682061206D697373696C652E".decode("hex"))

I get "Launch a missile", which is the same as the original message. This means I can verify the signature was correct.

edited May 19 '18 at 05:19

answered May 19 '18 at 05:08

User

111
1
4

3

Note that this is a so called textbook RSA verification. It is not secure as you need padding of the signature, as you correctly assumed in your question. Generally a secure hash is also involved as part of the signature generation / verification. Note finally not all signature generation / verification is performed by "private key encryption" or "public key decryption*, e.g. (EC)DSA isn't. – Maarten Bodewes May 19 '18 at 18:07
what you did is decryption :) – gusto2 May 19 '18 at 21:38
2

No, modular exponentiation with the public key is not decryption, just like modular exponentiation with the private key is not encryption. Hence the quotation marks around the "public key decryption". I might just have said, exponentiation with the public key though, but I wanted to highlight the differences with other mechanisms. – Maarten Bodewes May 20 '18 at 01:12
@MaartenBodewes, do you know what the padding algorithm is that would be used in the formula I posted in my question? Even though the method I discovered worked, I would still prefer knowing the better way to do it. – User May 20 '18 at 02:32
2

Check out the signature schemes in the RFC PKCS#1 2.2. Both PKCS#1 v1.5 signatures and PSS are secure, although the first one hasn't got a formal proof and is deterministic. There are other specialized schemes, but these are used 99% of the time. Choosing the right hash function is of course important (for MGF1, internal to PSS, it doesn't matter much, but for the hash over the data it's really important). Use e.g. SHA-512. – Maarten Bodewes May 20 '18 at 03:08
@MaartenBodewes "No, modular exponentiation with the public key is not decryption" - Why is that the case? You're taking some text which contains a hidden message, and the only way to view that hidden message is to use the public key with an algorithm, that sounds like decryption to me. – David Klempfner Feb 06 '22 at 05:25

What is the verification algorithm for verifying RSA signatures?

1 Answers1