1

After some research it would seem that RSA with PSS padding is suggested to be used as its security properties are known to be good. The problem is that it is hard to have compatibility of signing algorithms, especially with such requirements.

What I'd like to achieve is to sign and verify across at least the following environments:

  • Botan
  • OpenSSL
  • Crypto++
  • Node.js (uses OpenSSL)

It might also be interesting to have compatibility on PolarSSL and others.

There is an example on the Node.js crypto page about creating and verifying signatures. This works nicely, but I need compatibility with Botan EMSAx(SHA256), and I really think that a signature should be padded for security with something like RSA-PSS. The Node example page only shows 'RSA-SHA256', but there is no padding used.

The PSS padding can be achieved by using OpenSSL:

```sh
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
  -sign rsa.key -out data.txt.sha256 data.txt
```

My test code looks something like this:

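```javascript
var crypto = require('crypto');
var fs = require('fs');

// Sign with the default options of createSign (no padding option is given).
var s = crypto.createSign('RSA-SHA256');
var key = fs.readFileSync('rsa.key').toString();
// Data to sign; assumed here to be the data.txt that the openssl command signs.
var message = fs.readFileSync('data.txt');

s.update(message);

var signature = s.sign(key, 'base64');
```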

but it produces identical output for identical input, which is not what I want, and is obviously not compatible with the C++ implementation I have which uses Botan.

If it is not possible to achieve compatibility with minimal effort, are there any suggestions on which algorithms to pick? I might put the effort in to try to contact the developers of these crypto libraries, to see if there is any consensus on an algorithm to get implemented as a de facto standard. (Yes, I know this seems desperate.) Is there an ongoing effort like this?

hg.

1 Answer

4

You are currently using PSS signature format, while Node.js almost certainly uses PKCS#1 v1.5 compatible signatures - and if I look at the current code, Node.js seems to be restricted to those. One difference is indeed that PSS generated signatures contain a random component and PKCS#1 v1.5 compatible signatures do not.

Although PSS signatures are certainly preferred, it seems the only option for you is to either revert back to PKCS#1 v1.5 compatible signatures for Botan, or to implement PSS signatures in Node.js. PKCS#1 v1.5 signatures should still be safe, even though they have less desirable properties compared to PSS signatures.

Maarten Bodewes
  • It seems that signature compatibility is still in its infancy. I was afraid that this would be the answer, but I will not yet mark it as correct as I hope there is some other way, another `crypto` lib for Node.js or a higher level solution of some kind. I'm a little afraid to start implementing crypto algorithms myself, but maybe the time has come. – hg. Feb 25 '13 at 07:44
  • It seems very odd to say that signature compatibility is still in its infancy as PKCS#1 v1.5 compatibility is probably 100%, and is still primarily used in SSH, TLS, etc. Signature compatibility becomes an issue only if you have special needs which prevent the secure usage of PKCS#1 v1.5. – Nakedible Nov 16 '14 at 14:39
  • @Nakedible, what I was suggesting was that I could not find compatible implementations for PSS padding, which seemed to be the way to go. As you seem knowledgeable about the subject: is there a standard set which a significant set of crypto libs are implementing, allowing a signature data structure to be written and verified with the different algorithms? ECDSA (with different curves)/RSA/other? – hg. Feb 11 '15 at 16:13
  • @hg. I suggest asking a separate question as I am by no means an expert at this. However, your best bet is to look at common usages of the libraries, which usually means that all the algorithms supported by large CA authorities for SSL certificates are usually supported well. RSA+DSA+ECDSA(p256) is most likely it. – Nakedible Feb 12 '15 at 16:41
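
Added example (not from the original question or answer, and not any library's own sample): assuming a Node.js release whose `crypto` module accepts the `padding` and `saltLength` signing options, which releases later than the one discussed here do, this compares deterministic PKCS#1 v1.5 output with PSS using the SHA-256 and 32-byte-salt parameters from the `openssl` command in the question. The key pair and message are constructed in-process, and the helper names are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed sample input and a throwaway 2048-bit key generated in-process.
const message = Buffer.from('constructed sample message');
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// PKCS#1 v1.5 padding: what createSign('RSA-SHA256') uses when no option is given.
const PKCS1 = { padding: crypto.constants.RSA_PKCS1_PADDING };
// PSS with SHA-256 and a 32-byte salt, matching the -sigopt values in the question.
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };

// Hypothetical helper: sign `data` with the chosen padding scheme.
function sign(data, scheme) {
  return crypto.createSign('RSA-SHA256').update(data).sign({ key: privateKey, ...scheme });
}

// Hypothetical helper: verify `signature` over `data` under the chosen padding scheme.
function verify(data, signature, scheme) {
  return crypto.createVerify('RSA-SHA256').update(data)
    .verify({ key: publicKey, ...scheme }, signature);
}

function compareSchemes() {
  const v15a = sign(message, PKCS1);
  const v15b = sign(message, PKCS1);
  const pssA = sign(message, PSS);
  const pssB = sign(message, PSS);
  return {
    // Same key and message give byte-identical PKCS#1 v1.5 signatures.
    v15Deterministic: v15a.equals(v15b),
    // PSS mixes in a fresh random salt, so two signatures differ.
    pssRandomized: !pssA.equals(pssB),
    v15Verifies: verify(message, v15a, PKCS1),
    pssVerifies: verify(message, pssA, PSS) && verify(message, pssB, PSS),
    // A verifier configured for the other padding rejects the signature,
    // which is the interoperability failure described in the question.
    pssUnderV15: verify(message, pssA, PKCS1),
    v15UnderPss: verify(message, v15a, PSS),
    // Changing the signed data invalidates the signature.
    tamperedPss: verify(Buffer.from('tampered message'), pssA, PSS),
  };
}

console.log(compareSchemes());
```

Both sides must agree on the padding mode, hash and salt length; a signature that verifies under one scheme is rejected under the other.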