Cryptography Reference
In-Depth Information
formatted data. Thus, in particular, the redundancy should not have the expected
format and hence the verifier will reject the digital signature. A similar argument
applies if an attacker attempts to directly forge a digital signature with message
recovery.
REDUNDANCY TECHNIQUES
Exactly what should the predefined redundancy that we add during the digital
signature creation process look like? Simple examples of redundancy, which serve
only as illustrations, include:
• repeating the data twice, with the second copy concatenated to the first;
• adding a fixed data string;
• adding a counter that specifies the length of the data;
• adding a hash of the data.
Any of these techniques could be used in theory, so long as the technique is agreed
by all potential users of the digital signature scheme. However, just like in other
areas of cryptography, it is vital that appropriate standards are consulted before
adopting a technique for adding redundancy. There have been sophisticated
attacks against cryptosystems that exploit poor redundancy processes and so
advice should be sought on what the current recommendations are for suitable
methods of adding redundancy.
DIGITAL SIGNATURE SCHEMES WITH MESSAGE RECOVERY AND
CONFIDENTIALITY
It is worth observing that digital signature schemes with message recovery do not
provide confidentiality. It is tempting to believe that, because we do not send the
data along with the digital signature, we are also 'hiding' the underlying data from
an attacker. This belief can be fuelled by the fact that a digital signature should
have no apparent structure, since it is essentially a piece of 'ciphertext' generated
using RSA. There are two fallacies at play here:
1. Attempting to determine the underlying data from the digital signature is
not an 'attack' at all. Digital signature schemes are not designed to provide
confidentiality. In Section 7.4.2 we will consider what to do if confidentiality is
also needed.
2.
Anyone
who has access to the signer's verification key can work out the data
from the digital signature by following the legitimate verification process. Thus
the data is only superficially 'hidden' inside the digital signature.
7.3.6
Other digital signature schemes
Although there have been many different proposals for digital signature schemes,
only two substantially different types of digital signature scheme have thus far
been widely adopted.
