
When I do online banking, I sign my digital transaction with a Digipass. I've been told that it uses an RSA-based digital signature scheme. But an RSA digital signature (1024 bits for the modulus) is much longer than the code that my Digipass generates. How does this work? Is it the PKCS#11 specification at work? Or?

Thanks for the explanation!

Anonymous

1 Answer


There are several Digipass products; not all of them compute digital signatures with the meaning that cryptographers attach to this expression (i.e. RSA and its ilk). If your token is not plugged into the machine, but just generates a numeric code which you type in, then there is no RSA involved. This does not prevent some documentation from (ab)using the term "signature" in that case too (I blame Microsoft for that confusion).

PKCS#11 is an API which applications use to talk to cryptographic hardware: this API is implemented by the driver for the specific hardware you use. For a token which is not plugged in at all, there is no hardware (from the point of view of the computer), hence no driver, hence no PKCS#11.

Tom Leek
  • Ok, but when I do a transaction, and it tells me to "enter these few digits into the Digipass", it computes a "signature" and gives a response back to me that I have to enter on the computer. But that response is just 6 digits long, not 128 digits? So what is going on here? Is the response truncated to 6 digits? How and where is RSA used in this process? Thanks for your response! – Anonymous Mar 25 '13 at 19:59
  • Well, they call it "signature" but it is not a "signature" like RSA, and no RSA is involved. A more accurate term would be a [MAC](http://en.wikipedia.org/wiki/Message_authentication_code). The digipass computes an "answer" as a MAC over the digits you enter in it, with a secret key known by the digipass and also by the bank. The bank uses the key to verify the response from the digipass. It is not _asymmetric crypto_ because the same key is used for production (in the digipass) and verification (in the bank server). – Tom Leek Mar 25 '13 at 20:04
  • Thank you! So no RSA here? Just a shared secret. So my bank card has no PKI? Just a key? That I did not know. – Anonymous Mar 25 '13 at 20:06
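The answer and its comments describe a symmetric challenge-response: the token MACs the digits the user types in under a key shared with the bank, and the bank recomputes the same MAC to verify. The following is an added illustration of that pattern, not Digipass's actual (proprietary) algorithm and not code from the answer: it uses HMAC-SHA256 with the dynamic truncation from RFC 4226 (HOTP) to produce a 6-digit response, and the key, challenge format and function names are assumptions made here. It shows why the response length has nothing to do with any RSA modulus size: the code length is simply a truncation choice, and the same key is used on both ends, which is exactly why it is a MAC rather than a signature.

```python
import hmac
import hashlib
import secrets

# Constructed example value: the per-token secret that would be provisioned into
# the token at manufacture and stored by the bank. Real deployments use a
# distinct random key per device; this one is made up for the demonstration.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

RESPONSE_DIGITS = 6


def token_response(key: bytes, challenge: str, digits: int = RESPONSE_DIGITS) -> str:
    """Token side (hypothetical): MAC the typed-in challenge digits with the
    shared key and truncate the MAC to a short numeric code.

    Truncation follows RFC 4226 section 5.3 (dynamic truncation): the low
    nibble of the last MAC byte selects a 4-byte window, the top bit is
    masked off, and the integer is reduced modulo 10**digits.
    """
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    window = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(window % 10 ** digits).zfill(digits)


def bank_verify(key: bytes, challenge: str, response: str) -> bool:
    """Bank side (hypothetical): recompute the expected code with the *same*
    key and compare in constant time. Because the verifier holds the same
    key as the token, this is symmetric authentication (a MAC), not a
    digital signature: anyone with the bank's copy of the key could also
    produce valid responses, which is the property RSA signatures avoid.
    """
    expected = token_response(key, challenge, len(response))
    return hmac.compare_digest(expected, response)


def new_challenge(digits: int = 8) -> str:
    """Bank side: an unpredictable challenge so a response captured once
    cannot be replayed for a later transaction. Binding the challenge to
    transaction details (amount, destination account) is what lets the
    bank treat the code as 'signing' that specific transaction."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def demo() -> dict:
    """Walk through one transaction: bank issues a challenge, the user types
    it into the token, the token shows a 6-digit code, the bank verifies it."""
    challenge = new_challenge()
    code = token_response(SHARED_KEY, challenge)
    return {
        "challenge": challenge,
        "token_code": code,
        "bank_accepts": bank_verify(SHARED_KEY, challenge, code),
        # A token with a different key produces a code the bank rejects.
        "other_token_accepted": bank_verify(SHARED_KEY, challenge,
                                            token_response(b"not-the-key", challenge)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `digits` parameter makes the trade-off explicit: a 6-digit code gives an online guesser a 1-in-10^6 chance per attempt, which is why a bank must rate-limit or lock out after a few failed responses; lengthening the code costs nothing cryptographically but hurts usability.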