Filter
Top Products
CCA Release 2.54
Anyone with access to your public key can verify your information as follows:
1. Hash the data using the same hashing algorithm that you used to create the
digital signature.
2. Decrypt the digital signature using your public key.
3. Compare the decrypted results to the hash value obtained from hashing the
data.
An equal comparison confirms that the data they possess is the same as that which
you signed. The Digital_Signature_Generate and the Digital_Signature_Verity
verbs described in this chapter perform the hash encrypting and decrypting
operations. Their requirements are as follows:
No one else should have access to your private key, and the use of the key
must be controlled so that someone else cannot sign data as though they were
you.
The verifying party must have your public key. They assure themselves that
they do have your public key through the use of one-or-more certificates from
one-or-more Certification Authorities.
Note: The verification of public keys also involves the use of digital signatures;
however, this subject is outside the scope of this manual.
The value that is encrypted and decrypted using RSA public-key technology
must be the same length in bits as the modulus of the keys. This bit-length is
normally 512, 768, 1024, or 2048. Since the hash value is either 128 or 160
bits in length, some process for formatting the hash into a structure for RSA
encrypting must be selected.
Unlike the DES algorithm, the strength of the RSA algorithm is sensitive to the
characteristics of the data being encrypted. The digital signature verbs (Verify
and Generate) support several different hash-value-formatting approaches.
The rule-array keywords for the digital signature verbs contain brief descriptions
of these formatting approaches:
– ANSI X9.31
– ISO 9796-1
– PKCS #1 block type 00
– PKCS #1 block type 01
(RSA PKCS #1 v2.0 standard, RSASSA-PKCS1-v1_5)
– Padding with zero bits.
You can also validate a digital signature using the PKA_Encrypt verb (CSNDPKE,
see page 5-75) with the ZERO-PAD option in Release 2.50 and later.
1
The receiver of data signed using digital signature techniques can, in some cases,
assert non-repudiation
2
of the data. The use of digital signatures in legally binding
situations is gaining favor as commerce is increasingly conducted through
networked communications. The techniques described in this chapter support the
most common methods of digital signing currently in use.
1
Release 2.50 currently applies only to the CCA implementation on the IBM eServer iSeries.
2
Non-repudiation means that the originator of the digital signature cannot later deny having originated the signature and, therefore,
the data.
Chapter 4. Hashing and Digital Signatures
4-3