10

After coming across this question in the Hot Network Questions section and reading the related blog post by Google, I'm starting to become curious as to what role these hash functions play in TLS/SSL certificate validation.

I was under the impression that an SSL certificate was just a link between a set of domain names and a public key (the site owner's public key to be precise), cryptographically signed by the private key of a certificate authority. Why is a hash function needed for validating it?

Ajedi32
  • Because signing uses a hash; explained in Wikipedia and http://crypto.stackexchange.com/questions/845/what-is-wrong-with-using-sha1-in-digital-signatures-why-is-a-robust-hash-functi, http://crypto.stackexchange.com/questions/12768/why-hash-the-message-before-signing-it-digital-signature-with-rsa, http://crypto.stackexchange.com/questions/15295/why-the-need-to-hash-before-signing-small-data, http://security.stackexchange.com/questions/61289/why-rsa-signatures-based-on-the-hash-of-the-message – dave_thompson_085 Sep 17 '14 at 05:11

2 Answers

15

Basically, hash functions are a necessary part of the process of creating a digital signature.

Most signature algorithms are not designed to be able to securely and/or efficiently sign long messages directly, so the first step of each algorithm is usually to hash the message being signed, reducing it to a fixed length which the rest of the signature algorithm is able to effectively process. Similarly, signature verification algorithms involve hashing the message being verified, then performing some set of operations on the signature to check whether it corresponds to that hash.

For example, with RSA signatures the signature can be thought of as a hash of the data being signed, "encrypted" with the signer's private key:

Diagram illustrating how a simple RSA digital signature is applied and verified. Image from the Wikimedia Commons

The verification process involves "decrypting" the signature (using the signer's public key), and comparing the resulting hash with the hash of the data the signature applies to. In the case of SSL certificates, the data is the SSL certificate itself.

Note: I wrote "encrypted" and "decrypting" in quotes here because in reality the operations used in the RSA signature algorithm aren't exactly the same as those used for RSA encryption. They are close enough though to make for an effective analogy here. With other signature algorithms like ECDSA, the signing and verification algorithms are totally different, not involving "encryption" or really anything resembling the process above, but the message is still hashed as part of the signing and verification process.

For more detailed information on the use of hashing in specific signature algorithms, see:

This answer was derived from reading the questions linked in dave_thompson_085's comment.

Ajedi32
  • Nice explanation, but I require one extra piece of information regarding this process: is the CA, or any intermediate able to validate the hash? I can't find this kind of information anywhere... – HellBaby Apr 13 '22 at 21:33
2

Usually, digital signatures are not actually applied to the full data. Instead, the data (in this case the X.509 certificate) is hashed, and only the resulting hash is signed.

If this were not the case, digital signatures would end up being at least as large as the message itself, and signing / verifying the files would be less efficient.

This means, however, that if an attacker can generate a fake certificate using his own public / private key pair with the same hash as the legitimate certificate, the forged certificate can pass validation checks, and can be used to execute a man-in-the-middle attack.

lzam
  • Hmm, so it's just for performance reasons? Sounds reasonable I guess... – Ajedi32 Sep 17 '14 at 13:20
  • It is the message digest that is encrypted with the private key and attached as a signature, then it's sent over the network along with the message itself and the sender's signed public key – cyzczy Jul 20 '16 at 14:48
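
The hash-then-sign flow from the first answer and the collision consequence from the second, as an added example that is not part of either answer. Assumptions: textbook RSA without the padding real signatures use, a toy key built from two publicly known Mersenne primes, made-up certificate strings, and a deliberately broken one-byte digest (`weak_digest`) standing in for a hash that is no longer collision resistant.

```python
import hashlib

# Constructed toy key from two publicly known Mersenne primes. Not secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # "CA" public key
D = pow(E, -1, (P - 1) * (Q - 1))        # "CA" private exponent

def sha256_digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def weak_digest(data: bytes) -> int:
    # Deliberately broken: keeps only the first byte of SHA-256 (256 values).
    return hashlib.sha256(data).digest()[0]

def sign(tbs: bytes, digest=sha256_digest) -> int:
    """CA side: hash the to-be-signed bytes, then apply the private key to the hash."""
    return pow(digest(tbs), D, N)

def verify(tbs: bytes, signature: int, digest=sha256_digest) -> bool:
    """Client side: recover the hash from the signature and compare with a fresh hash."""
    return pow(signature, E, N) == digest(tbs)

def find_same_digest(original: bytes, template: bytes, digest) -> bytes:
    """Vary a field of `template` until its digest equals that of `original`."""
    target, counter = digest(original), 0
    while True:
        candidate = template + b";serial=%d" % counter
        if digest(candidate) == target:
            return candidate
        counter += 1

if __name__ == "__main__":
    cert = b"CN=example.test;key=AAAA"           # constructed sample data
    sig = sign(cert)
    print("valid cert:", verify(cert, sig))                    # signature matches
    print("tampered cert:", verify(cert + b"x", sig))          # hash changes, check fails

    # With a weak hash the signature only binds to one of 256 digest values,
    # so a different certificate with the same digest reuses the CA's signature.
    weak_sig = sign(cert, weak_digest)
    other = find_same_digest(cert, b"CN=example.test;key=BBBB", weak_digest)
    print("different cert, weak hash:", verify(other, weak_sig, weak_digest))
    print("different cert, SHA-256:", verify(other, sig))
```

The signature is always a single integer below `N` regardless of certificate length, and the last two checks show that what the CA actually vouches for is the digest, so the guarantee is only as strong as the hash.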