2

Since RSACryptoServiceProvider.VerifyHash verifies an already hashed message - why does it need to know which hash algorithm was used?

When asking about the SignHash method, it was suggested that the reason there is for communicating the hash (and not for actual use in the signing). But that won't explain it in this case (since it's not an out parameter).

ispiro
  • @DanielHilgarth From [MSDN](http://msdn.microsoft.com/en-us/library/142k6c98%28v=vs.100%29.aspx) : "Verifies that a digital signature is valid by determining the hash value in the signature using the provided public key and comparing it to the provided **hash** value." - the parameter is _already_ a hash. – ispiro May 06 '13 at 09:45

1 Answer

3

That's because the PKCS#1 encoding of the signature includes the hash function OID in the RSA-encrypted data block.

Nickolay Olshevsky
  • Thanks. So if I enter the wrong algorithm - it'll tell me it failed simply because the algorithms don't match. If so - it seems that the reason for the algorithm parameter in `SignHash` is also for the same reason, and _not_ for communicating the hash as was suggested in the answers I linked to. Did I understand you correctly? – ispiro May 06 '13 at 09:55
  • As far as I remember, the reason for including the hash OID in the signature is for protection as well - if we have a weaker hash algorithm with the same hash length, we can (theoretically) modify the signed data and produce the same signature, using the other hashing algorithm. – Nickolay Olshevsky May 06 '13 at 10:14
  • +1 yep, that's just it. See also ISO 9796 where the hash ID needs to be communicated out of band even though it may be present in the signature. Otherwise an attacker may force you to accept a signature using a broken hash function. Normally not a huge risk, but better safe than sorry. – Maarten Bodewes May 06 '13 at 23:57
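
The point made in the answer and its comments, as an added Python sketch (not code from the post and not .NET's implementation): a PKCS#1 v1.5 signature block carries the hash OID, so verifying the same 20-byte hash under a different algorithm name fails. The toy key built from two known Mersenne primes, the function names and the sample message are assumptions made for illustration.

```python
import hashlib

# DER DigestInfo prefixes: AlgorithmIdentifier with the hash OID, then the
# OCTET STRING header (last byte = hash length). SHA-1/SHA-256 per RFC 8017.
DIGEST_INFO_PREFIX = {
    "SHA1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "RIPEMD160": bytes.fromhex("3021300906052b2403020105000414"),
    "SHA256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# Toy key from two publicly known Mersenne primes: NOT secure, chosen only
# so the example needs no key generation (assumption for illustration).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def emsa_pkcs1_v15(digest: bytes, alg: str) -> bytes:
    """EM = 0x00 01 FF..FF 00 || DigestInfo(hash OID, digest)."""
    prefix = DIGEST_INFO_PREFIX[alg]
    if len(digest) != prefix[-1]:
        raise ValueError("digest length does not match " + alg)
    t = prefix + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign_hash(digest: bytes, alg: str) -> bytes:
    em = int.from_bytes(emsa_pkcs1_v15(digest, alg), "big")
    return pow(em, D, N).to_bytes(K, "big")

def verify_hash(digest: bytes, alg: str, sig: bytes) -> bool:
    # Rebuild the whole expected block for the caller's algorithm and compare.
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return False
    try:
        expected = emsa_pkcs1_v15(digest, alg)
    except (KeyError, ValueError):
        return False
    return pow(s, E, N).to_bytes(K, "big") == expected

def embedded_alg(sig: bytes) -> str:
    """Name the algorithm whose DigestInfo prefix sits inside the signature."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    t = em[em.index(b"\x00", 2) + 1:]
    return next(a for a, p in DIGEST_INFO_PREFIX.items() if t.startswith(p))

# Constructed sample input.
digest = hashlib.sha1(b"constructed sample message").digest()
sig = sign_hash(digest, "SHA1")
```

`verify_hash(digest, "SHA1", sig)` succeeds, while `verify_hash(digest, "RIPEMD160", sig)` fails even though the hash bytes and their length are identical, because only the OID inside the block differs.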