简体繁体 English

使用椭圆曲线密码学验证签名

[英]Verify signature using elliptic curve cryptography

原文 2011-09-12 09:38:54 6 2 java/ security/ digital-signature/ jce/ elliptic-curve

I need to verify a signature of a message which contains several values. 我需要验证包含多个值的消息的签名。 The only parameters I have are the signature, the public key and the values itself. 我仅有的参数是签名，公钥和值本身。 The algorithm used for creating the signature is eliptic curve cryptography with 192 bit. 用于创建签名的算法是具有192位的椭圆曲线密码学。 I allready tried to find code examples on the net but I didn't find anything for this case. 我已经准备尝试在网上查找代码示例，但是在这种情况下我什么都没找到。

Has anybody experiences with this algorithm using java for verification? 使用Java进行验证时，有人对这种算法有经验吗？ Could you please provide code or a link to an example? 您能否提供代码或示例链接？

Thank you for your help! 谢谢您的帮助！

2 个解决方案

You are a bit short on information there... 您那里的信息有点短缺...

There are several signature schemes which use elliptic curves, but the most widespread (by far) is ECDSA . 有几种使用椭圆曲线的签名方案，但是最广泛的（到目前为止）是ECDSA 。 You must then worry about the following points: 然后，您必须担心以下几点：

Signature operates on a sequence of bits. 签名对位序列进行操作。 Every single data bit must be correct. 每个数据位必须正确。 Here, you have "values" so there must be an encoding of those values into a sequence of bits (or bytes). 在这里，您具有“值”，因此必须将这些值编码为一系列位（或字节）。 To verify the signature, you must use the same encoding than the one used to generate the signature. 要验证签名，您必须使用与用于生成签名的编码相同的编码。
ECDSA begins by hashing the input data with a cryptographic hash function . ECDSA首先使用密码哈希函数对输入数据进行哈希处理。 There again, you must use the same one than what was used for generating the signature. 同样，您必须使用与用于生成签名相同的签名。 As a wild guess, I would say that the hash function is probably SHA-1 . 作为一个疯狂的猜测，我会说哈希函数可能是SHA-1 。
ECDSA operates in an elliptic curve . ECDSA以椭圆曲线运行。 The curve size is not enough to define the curve: there are many 192-bit curves. 曲线的大小不足以定义曲线：有很多192位曲线。 However, since defining your own curve is hard, most people use one curve among the 15 curves defined in FIPS 186-3 . 但是，由于定义自己的曲线很困难，因此大多数人都使用FIPS 186-3中定义的15条曲线中的一条。 One of those 15 curves has a "192-bit size" (it is called "P-192") so chances are that the signature uses that curve. 这15条曲线中的一条具有“ 192位大小”（称为“ P-192”），因此签名很有可能使用该曲线。
An ECDSA public key is the encoding of a curve point. ECDSA公钥是曲线点的编码。 A curve point is, nominally, a pair of integers (X, Y) (these are the "coordinates" of the point). 曲线点名义上是一对整数（X，Y） （这些是该点的“坐标”）。 These integers are from the base field in which the curve lives; 这些整数来自曲线所在的基本字段。 for the P-192 curve, the coordinates are 192-bit integers. 对于P-192曲线，坐标是192位整数。 The "normal" encoding for such a public key is then a 49-byte string: the first byte will be 0x02, followed by the big-endian unsigned encoding of X (24 bytes), then the unsigned encoding of Y (24 bytes). 这样的公钥的“正常”编码是一个49字节的字符串：第一个字节将是0x02，然后是big-endian无符号X编码（24字节），然后是Y的无符号编码（24字节）。。 Other encodings are possible. 其他编码也是可能的。
An ECDSA signature formally consists in two integer values, usually called r and s (192-bit integers too). ECDSA签名正式包含两个整数值，通常称为r和s （也称为192位整数）。 There again, the signature you have is probably a sequence of bytes which is an encoding of the two integers. 同样，您拥有的签名可能是字节序列，是两个整数的编码。 There are two common encodings, one being a raw big-endian unsigned encoding of both value (hence a 48-byte signature), the other using ASN.1 (for a signature of length 53 or 54 bytes, or so). 有两种常见的编码，一种是两种值的原始big-endian无符号编码（因此为48字节签名），另一种是使用ASN.1（长度为53或54字节左右的签名）。

Using Bouncy Castle , as @Ashkan suggests, is a good idea. 正如@Ashkan所建议的那样，使用Bouncy Castle是一个好主意。 But, as you see, there are quite a lot of assumptions to do about your situation. 但是，正如您所看到的，有关您的情况有很多假设。 If you want to gain a thorough understanding of what is going on, buy a copy of ANSI X9.62:2005 (the ECDSA standard). 如果要全面了解发生的情况，请购买ANSI X9.62：2005 （ECDSA标准）的副本。 Be warned that the mathematical contents are quite heavy. 请注意，数学内容相当繁重。