4

I have a RFID chip that has a digital signature using RSA and has data hashed using SHA1.

I would like to compare data from the chip and user input in a program but I believe in order to do that I need the public key from the RFID (which I can get) and also the signature.

Firstly is that correct, secondly, how do I get the signature? Is it a command sent to the chip?

kalina
  • 3,354
  • 5
  • 20
  • 36
Jon
  • 143
  • 4

1 Answers1

4

Whether you need the signature depends on the signature type.

The main standard for RSA signatures is PKCS#1. With that standard, a RSA signature is "just a signature": it can be verified with the public key and the signed data, but it embeds no data by itself. The signature is an additional element. If you just want to compare the signed data with some user input, you can completely disregard both the signature and the public key, they are irrelevant (unless you want to make sure that the data you get from the RFID is "genuine", in which case you also want to verify the signature).

However, a RSA signature is as big as the RSA modulus, so, for a 1024-bit RSA key (a rather common key size), the signature is an additional 128 bytes. In the smartcard & RFID world, where storage space and network bandwidth are extremely scarce resources, they are quite fond of another RSA signature standard called ISO 9796-2 (the standard is not free, but you can have a reasonable description in section 2 of this article). That kind of signature uses a trick which allows for the embedding of some of the message data within the signature. You get the data back when you verify the signature. With a 1024-bit RSA key and SHA-1 as hash function, the signature can embed 106 bytes worth of data, so the size overhead implied by the signature is only 22 bytes.

So, if the signature is of type ISO 9796-2, you need both the public key and the signature to recover the complete data; otherwise, you would get only part of it (the data bytes beyond the 106 which can be embedded in the signature).

(Note: ISO 9796-2 has some weaknesses; with SHA-1 and its 160-bit output, you do not get 280 security, but something lower, closer to 261 bit operations. The article I link to above shows that this is workable with some massive but not-that-expensive hardware. If you want to use ISO 9796-2 in your own designs, I suggest that you select SHA-256, not SHA-1.)

I have no idea how you can get the signature, but it can certainly be obtained as easily as the signed data itself, because it would make very little sense otherwise.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Thanks for your answer, interesting points I'd not considered. If it helps I'm talking about RFID chips on e-Passports. The specifications are in this link http://www2.icao.int/en/MRTD/Downloads/Forms/AllItems.aspx?RootFolder=%2fen%2fMRTD%2fDownloads%2fDoc%209303%2fDoc%209303%20English&FolderCTID=&View=%7bC6E1DF57-954A-4BCF-BF58-D7D58D9F1FB5%7d – Jon Dec 08 '11 at 14:01
  • From a 2-minutes look at the specifications (Part 1 Volume 2), RSA signatures should follow PKCS#1 (section 8.2); but there is also some kind of active authentication which obviously relies on something which looks like ISO 9796-2 (section A6.1.3). You will probably need to read the whole specification to get a clear view of what is happening (it seems relatively complex, with multiple algorithms at several points). – Thomas Pornin Dec 08 '11 at 14:29