7

This may be a question for http://crypto.stackexchange.com, but I thought I'd try it here first as the answer may relate to .NET rather than the encryption algorithm itself.

In the RSACryptoServiceProvider class, there's a method SignHash, which:

Computes the signature for the specified hash value by encrypting it with the private key.

The first argument is the hash value of the data (which seems fair), but the second is a string stating the algorithm used to create the hash value.

The question is why does the hash algorithm matter? Surely all the method needs to do is encrypt the given value using its private key and return the result? And if it really does need to know, why doesn't RSACryptoServiceProvider have a method which does just that (along with an appropriate Verify method)?

Philip C
  • 5
    At a guess (and the reason this is a comment rather than an answer), it may have something to do with the fact that without any context, the hash is simply random data. By including the hash type as part of the signature, it links the hash to the message. If this was not the case, say you had signed a message that had a hash of say, "123456". I could take your signature, define my own "FooHash" that always outputs "123456" and assert that your signature is *actually* the signature of a FooHashed document that says you want to transfer $1m from your bank account to mine. – Iridium Aug 07 '12 at 10:05

2 Answers

5

Thanks to Iridium for getting me thinking along the right lines here.

The recipient gets two things:

  • The message
  • The signature (encrypted by sender's private key)

To verify the message, the recipient is required to decrypt the signature using the sender's public key, and check that against the hash of the message.

If the hash algorithm isn't specified to the recipient, they have no way of knowing how to hash the message, so they can't verify it.

So the algorithm must be specified to the recipient.

In order for the hash algorithm to be specified by the sender (who knows how the signature was created), and not modifiable by anyone else, it needs to be included inside the signature, and encrypted alongside the hash.

So in order to create a useful signature, the hashing algorithm needs to be specified when encrypting the hash.

Philip C
  • Strictly speaking, this is true. Note that you *should* however communicate the hash algorithm used by other means/out of band. Check the PKCS#1 v2.1 specifications to see why you need to know the hash method to create the correct padding. – Maarten Bodewes Aug 07 '12 at 19:35
0

For example, PKCS#1 padding for RSA signature implies adding a hash function identifier to the hash value before signing.

As I see it, you are using exactly this method. Try setting another algorithm with the same digest length and you'll see that the signatures are different.

Pavel Ognev
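
Added example (not from the answers above and not .NET code): Python that builds the PKCS#1 v1.5 signature block, in which the hash identifier is encoded next to the hash value, and shows that one 32-byte digest signed as SHA-256 and as SHA-512/256 gives different signatures, and that a verifier told the wrong algorithm rejects. Assumptions: the key is a constructed toy key made from two Mersenne primes, the function names are this example's own, and the DigestInfo prefixes are the ones listed in RFC 8017.

```python
import hashlib

# DigestInfo DER prefixes (algorithm OID + length header), RFC 8017 section 9.2.
DIGEST_INFO_PREFIX = {
    "SHA256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "SHA512-256": bytes.fromhex("3031300d060960864801650304020605000420"),
}

# Constructed toy key for illustration only (two Mersenne primes): NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes


def emsa_pkcs1_v15(digest: bytes, alg: str) -> bytes:
    """Return 00 01 FF..FF 00 || DigestInfo(alg, digest), K bytes long."""
    prefix = DIGEST_INFO_PREFIX[alg]
    if len(digest) != prefix[-1]:   # last prefix byte = digest length
        raise ValueError("digest length does not match algorithm")
    t = prefix + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_hash(digest: bytes, alg: str) -> bytes:
    """Hypothetical analogue of SignHash: the algorithm name selects the prefix."""
    em = emsa_pkcs1_v15(digest, alg)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify_hash(digest: bytes, alg: str, signature: bytes) -> bool:
    """Recover the block with the public key and compare to the expected one."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    try:
        expected = emsa_pkcs1_v15(digest, alg)
    except (KeyError, ValueError):
        return False
    return pow(s, E, N).to_bytes(K, "big") == expected


def demo():
    digest = hashlib.sha256(b"constructed sample message").digest()
    sig = sign_hash(digest, "SHA256")
    return (sig != sign_hash(digest, "SHA512-256"),     # same bytes, other OID
            verify_hash(digest, "SHA256", sig),         # declared algorithm
            verify_hash(digest, "SHA512-256", sig))     # relabelled algorithm


if __name__ == "__main__":
    print(demo())
```
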