Filter
Top Products
CCA Release 2.54
Chapter 4. Hashing and Digital Signatures
This chapter discusses the data hashing and the digital signature techniques you
can use to determine data integrity. A digital signature may also be used to
establish the non-repudiation security property. (Another approach to data integrity
based on DES message authentication codes is discussed in Chapter 6, “Data
Confidentiality and Data Integrity.”)
Data integrity and data authentication techniques enable you to determine that
a data object (a string of bytes) has not been altered from some known state.
Non-repudiation permits you to assert that the originator of a digital signature
may not later deny having created the digital signature.
This section explains how to determine the integrity of data. Determining data
integrity involves determining whether individual values of a string of bytes have
been altered. Two techniques are described:
Digital signatures
Hashing.
Digital signatures use both hashing and public-key cryptography.
Figure 4-1. Hashing and Digital Signature Services
Verb Page Service Entry
Point
Svc
Lcn
Digital_Signature_Generate 4-4 This verb generates a digital signature. CSNDDSG E
Digital_Signature_Verify 4-7 This verb verifies a digital signature. CSNDDSV E
MDC_Generate 4-10 This verb generates a hash using the Modification
Detection Code (MDC) one-way function.
CSNBMDG E
One_Way_Hash 4-13 This verb generates a hash using any of the SHA-1, MD5,
or RIPEMD160 one-way hashing functions.
CSNBOWH S/E
Service location (Svc Lcn): E=Cryptographic Engine, S=Security API software
Hashing
Data hashing functions have long been used to determine the integrity of a block of
data. The application of a hash function to a data string produces a quantity called
a hash value (also referred to as a hash, a message digest, or a “fingerprint”).
Common hashing functions produce hash values of 128 or 160 bits. While many
different strings supplied to a given hashing function will produce the same
hash-value, it is computationally infeasible to determine a modification to a data
string that will result in a desired hash-value.
Hash functions for data integrity applications have a one-way property: given a
hash value, it is highly improbable that a second data string can be found that will
hash to the same value as the original. Consequently, if a hash value for a string
is known, you can compute the hash value for another string suspected to be the
same and compare the two hash values. If both hash values are identical, there is
a very high probability that the strings producing them are identical.
Copyright IBM Corp. 1997, 2005 4-1