Cryptography Reference
The first type consists of digital signature schemes based on RSA. We have
discussed two examples of such schemes. The second type consists of schemes
loosely based on ElGamal. Unlike RSA, the encryption and decryption operations
in ElGamal are not easily swapped around. Thus, while such schemes are
motivated by ElGamal encryption, they need to be designed in a fundamentally
different way. The most well known of these is the Digital Signature Algorithm
(DSA), which was standardised by the US Government as the Digital Signature
Standard. The DSA is a digital signature scheme with appendix that is strongly
motivated by ElGamal, but works in a different way. There is also an important
variant based on elliptic curves known as ECDSA, which offers similar advantages
over the DSA to those gained by using elliptic-curve-based variants of ElGamal
encryption (see Section 5.3.5).
It is also quite common for digital signature schemes with appendix to be
identified by combining the names of the digital signature scheme and the
underlying hash function that is used. Hence the use of RSA-MD5 indicates
the RSA digital signature scheme with MD5 as the underlying hash function.
Similarly, ECDSA-SHA2 indicates the ECDSA signature scheme with SHA2 as the
underlying hash function. Digital signature schemes with appendix can, at
least in theory, be combined with any underlying hash function, so this
nomenclature is primarily informative: RSA-MD5 and RSA-SHA2 are essentially
the same RSA digital signature scheme.
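The following added example (not taken from the original text) shows this naming convention in code: one RSA signing operation is paired with two different hash functions, and a signature only verifies under the hash it was created with. The key is a constructed toy key built from publicly known primes, the signing is textbook RSA without padding, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: P and Q are publicly known Mersenne primes, so this
# key is neither secret nor secure. Textbook RSA, no padding (illustration only).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                     # verification key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))       # signature key

MESSAGE = b"constructed sample message"


def digest_int(hash_name: str, data: bytes) -> int:
    """Hash the data with the named function and read the digest as an integer."""
    return int.from_bytes(hashlib.new(hash_name, data).digest(), "big")


def sign(hash_name: str, data: bytes):
    """Hash-then-sign: returns the scheme label and the signature (the appendix)."""
    return f"RSA-{hash_name.upper()}", pow(digest_int(hash_name, data), D, N)


def verify(hash_name: str, data: bytes, signature: int) -> bool:
    """Recover the signed digest with the verification key and compare."""
    return pow(signature, E, N) == digest_int(hash_name, data)


def demo() -> dict:
    results = {}
    for name in ("md5", "sha256"):
        label, sig = sign(name, MESSAGE)
        results[label] = {
            "same_hash": verify(name, MESSAGE, sig),
            "other_hash": verify("sha256" if name == "md5" else "md5", MESSAGE, sig),
            "altered_data": verify(name, MESSAGE + b"!", sig),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The RSA step is identical in both cases; only the digest fed into it changes, which is why the verifier has to know which hash function the label refers to.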
7.4 Digital signature schemes in practice
In this section we will consider practical issues that concern digital signature
schemes in general, rather than being specific to any particular scheme.
7.4.1 Security of digital signature schemes
We will assume that we are using a respected digital signature scheme and that
the platform on which the digital signature scheme is being used is 'trustworthy'.
There are three cryptographic components of a digital signature scheme that could
be exploited by an attacker.
SECURITY OF THE SIGNATURE KEY
We noted in Section 7.1.3 that in order for a user to generate a digital signature
on some data, it is necessary for the user to have knowledge of a secret, which
takes the form of the user's signature key. The signature key is thus, in some
sense, an implied 'identity' of the signer. To compute a digital signature the signer
combines this 'identity' with the data to be signed using the digital signature
algorithm.
 
 