0

According to my understanding of computational cryptology, the body of a signed document can be retrieved disregarding whether or not the signature is authentic. However, I cannot apply this practically:

Given a pair of RSA keys private.pem and public.pem, I have signed some data:

openssl rsautl -inkey private.pem -sign -out signed.dat -in clear.txt

I believe that signed.data now has the contents of clear.txt, a hash of those contents and the actual signature, which is basically a cyphertext of the hash using the provided key. Thus, one can verify the signature and recover the body of data. Concretely:

openssl rsautl -verify -inkey public.pem -in signed.dat -pubin

To which the contents of clear.txt are output to stdout, and the file signed.dat can be considered to have an authentic signature. It is clear that to verify the signature, public.pem must be used to reverse the cyphering of the hashing of the contents and compare this result with the clear version of the hash. However, the contents themselves should also be available to anyone without the public key. They should be somewhere in cleartext or some other uncyphered format in signed.dat.

How can one obtain the content of clear.txt from signed.dat without any keys?

If I am wrong in my concepts of cryptology, I would also appreciate some clarification.

1 Answers1

1

I had to remove my answer because it was flat out wrong: the PKCS#1 v1.5 scheme for signatures used by OpenSSL is only used partially (thanks Dave for yet another insightful comment). That also means that is doesn't hash the input - but that means that it doesn't fully respect the security claims of PKCS#1 v1.5 and upwards either for that scheme. So it should really not be used that way, as it is now used as a scheme giving message recovery rather than a scheme giving signatures with appendix.

The input text is padded according to OpenSSL, and then modular exponentiation is performed using the exponent of the private key (or, more usually, the same calculation using the Chinese Remainder Theorem, but that's beside the point). If you perform modular exponentiation with the exponent of the public key they you would get back the padding and the text. However, to do that you would need the public exponent (usually set to 65537, so that's not a problem) and the modulus (which is a problem, although not as big a problem as the RSA problem itself).

So the text is indeed within the output, but you can only retrieve it if you somehow recover the public key. Earlier versions of PKCS#1 would say it is encrypted with the private key (newer versions go out of their way to explain that modular exponentiation with the private key is not encryption, even if it is the same mathematical operation that is performed). So you can then decrypt with the public key and restore the data.


Note that the RSA padding scheme used is that for signature schemes, not encryption schemes; it will always create the same result for the same message, and therefore it leaks information. So even if the public key can remain secret, RSA signature generation is not the same thing as encryption with an actual cipher (this is why AES encryption generally requires an IV).

So openssl -sign generates both a broken signature as well as broken encryption for a given message.


The solution offered was correct, kind of: if you want to have both message and signature in the same container format then you can use the openssl cms -sign options. That way you don't have to verify the signature to retrieve the plaintext.

That said, I don't see any option to output it without verification, and you need a certificate to perform the signing. Including the data (rather than creating a so called detached signature) is optional. CMS is a much higher level protocol than just RSA, so you may consider it cheating.

Maarten Bodewes
  • 4,602
  • 15
  • 29