IBM Crypto Education Community

Back to discussions
Expand all | Collapse all

Meaning of ASN.1 BER Hash-Prefix for digital signature verify (CSNDDSV - PKCS-1.1)

  • 1.  Meaning of ASN.1 BER Hash-Prefix for digital signature verify (CSNDDSV - PKCS-1.1)

    Posted Thu July 02, 2015 07:28 AM

    To perform a digital signature verify (CSNDDSV) with Rule 'PKCS-1.1' it is necessary to ASN.1 BER encode the used hash.
    In appendix E, chapter "PKCS #1 Formats" of the ICSF Application Programmer's Guide some prefixes to be used are listed.
    As far as I understood they refer to RFC 3447: PKCS #1: RSA Cryptography Specifications (http://tools.ietf.org/html/rfc3447#page-43).

    It would be nice if anyone could explain the meaning of the different Bytes in the ASN.1 BER Prefix. For example using the hash-prefix provided in this sample.



    INITIALIZE CSNDDSV-PARMS

    MOVE 1                                         TO CSNDDSV-RULE-ARRAY-COUNT
    MOVE 'PKCS-1.1'                                TO CSNDDSV-RULE

    MOVE 64                                        TO CSNDDSV-PKA-PK-ID-LENGTH  
    MOVE <Name of Public Key>                      TO CSNDDSV-PKA-PK-ID         

    MOVE X'3031300D060960864801650304020105000420' TO WORK-HASH-PREFIX-SHA256
    MOVE LENGTH OF WORK-HASH-PREFIX-SHA256         TO CSNDDSV-HASH-LENGTH
    ADD  LENGTH OF <SHA-256 Hash>                  TO CSNDDSV-HASH-LENGTH
    STRING WORK-HASH-PREFIX-SHA256                         
           <SHA-256 Hash>  DELIMITED BY SIZE     INTO CSNDDSV-HASH                                                                

    MOVE LENGTH OF <Binary Signature>              TO CSNDDSV-SIGNATURE-LAENGE
    MOVE <Binary Signature>                        TO CSNDDSV-SIGN-FIELD
     

    CALL CSNDDSV USING
         CSNDDSV-RC,              
         CSNDDSV-RSN,             
         CSNDDSV-EXIT-DATA-LENGTH,
         CSNDDSV-EXIT-DATA,       
         CSNDDSV-RULE-ARRAY-COUNT,
         CSNDDSV-RULE-ARRAY,      
         CSNDDSV-PKA-PK-ID-LENGTH,
         CSNDDSV-PKA-PK-ID,       
         CSNDDSV-HASH-LENGTH,     
         CSNDDSV-HASH,            
         CSNDDSV-SIGN-FIELD-LENGTH,
         CSNDDSV-SIGN-FIELD

    IF   CSNDDSV-RC NOT EQUALS ZERO ...    -RC NOT EQUALS ZERO ...

     

     

    Olaf_Warnecke


  • 2.  Re: Meaning of ASN.1 BER Hash-Prefix for digital signature verify (CSNDDSV - PKCS-1.1)

    Posted Sat March 05, 2016 11:57 AM

    Hi Olaf,

    I'll try to explain based on your example... X'3031300D060960864801650304020105000420'

    (Just FYI... this ASN.1 link is one of my favorite references... http://luca.ntop.org/Teaching/Appunti/asn1.html)

    First, let's break up the DER encoding...

    30 31
       30 0D
          06 09 60 86 48 01 65 03 04 02 01
          05 00
       04 20

    A DER encoding generally has the format IDENTIFIER || LENGTH || CONTENTS

    1. The first octet in the sample is the identifier, '30'x, which is '00110000'b. The last 5 bits represent the tag number which is '10'x. When you look up tag '10'x (see the link above) it is a SEQUENCE. Since it's a sequence, the content will be nested.
    2. The second octet is the length which is '31'x which is 49 (decimal). The value is slightly misleading since the count of the number of octets in the sample is 19! I'll explain this a little later. ;-)
    3. The third octet starts the content which turns out to be another sequence ('30'x).
      1. The identifier octet in the inner sequence is '06'x which is '00000110'b. So the tag number is '06'x which is an OBJECT IDENTIFIER (or OID).
      2. The length octet in the inner sequence is '09'x which is the length of the object identifier.
      3. The contents octet in the inner sequence is '608648016503040201' which represents id-sha256 (2.16.840.1.101.3.4.2.1) in BER encoding. [The ASN.1 link above explains how the OID is converted to DER encoding. This NIST page gives the formal OID name for crypto algorithms.]
      4. The next identifier octet in the inner sequence is '05'x which is '00000101'b which is NULL. It's following by a length octet of zero ('00'x). Now the inner sequence is complete. Notice that there were 13 octets matching the '0D'x length for the sequence.
    4. The next identifier octet is '04'x which is an OCTET STRING. An OCTET STRING is just an arbitrary string of octets. The length identifier is '20'x which is 32 decimal.
    5. But notice that the content octets are missing. That's probably why this example is considered a prefix. This prefix DER encoding would be prepended to the actual 32-byte SHA-256 hash. When that hash is added to the DER encoding, you'll have the full length ('31'x or 49 dec) defined in the first length octet.

    Hopefully this helps but let me know if anything is unclear/confusing or if I misinterpreted the question.

    P.S. It had been awhile since I looked at DER encodings! Good question. :-)

    Eysha Shirrine


  • 3.  AW: Re: Meaning of ASN.1 BER Hash-Prefix for digital signature verify (CSNDDSV - PKCS-1.1)

    Posted Sat March 05, 2016 11:57 AM

    Thank you very much Eysha for the very clear explanation!

    To memorize better I put your information into a table. Perhaps it might be interesting for the community:

     

     

    Tag

    Length

    Value

     

    30

    31

     

    X'30'à    b'00110000'
                    00            à universal class
                    1              à constructed, defined-length method
                    10000      à universal class tag b'10000' à x'10' à SEQUENCE

    Structured type SEQUENCE, an ordered collection of one or more types.

    In this sample there are the following two types
    another sequence containing the message hash algorithm identifier (30 0D …)
    an octet string containing a hash (04 20 …

    The length of 49 Bytes (x'31') adds up as follows:
       1 Byte (x'30') + 1 Byte ('x0D') + 13 Bytes (length x'0D')
    + 1 Byte (x'04') + 1 Byte (x'20') + 32 Bytes (length x'20')

    30
     

    0D
     

     

    X'30'à    b'00110000'
                    00            à universal class
                    1              à constructed, defined-length method
                    10000      à universal class tag b'10000' à x'10' à SEQUENCE

    Structured type SEQUENCE, an ordered collection of one or more types.

    In this sample there are the following two types
                    Object identifier 06 09 60 86 48 01 65 03 04 02 01  
                    NULL-Value 05 00

    The length of 13 Bytes (x'0D') adds up the length of the two above types:
       1  Byte (x'06') + 1 Byte (x'09') + 9 Bytes (x'60 86 48 01 65 03 04 02 01 ')
    + 1 Byte (x'05') + 1 Byte (x'00')  + 0 Bytes

    06

    09

    60 86 48 01 65 03 04 02 01

    X'06'à    b'00000110'
                    00            à universal class
                    0              à primitive, defined-length method
                    00110      à universal class tag b'00110' à x'06' à OBJECT IDENTIFIER

    OBJECT IDENTIFIER, which is a sequence of integer components that identify an object such as an algorithm or attribute type.

    The object identifier in this sample contains the 9 (x'09') Bytes 60 86 48 01 65 03 04 02 01  

    60 86 48 01 65 03 04 02 01 defines the message hash algorithm SHA-256

    (à https://tools.ietf.org/html/rfc3447 )

    05

    00

     

    X'05'à    b'00000101'
                    00            à universal class
                    0              à primitive, defined-length method
                    00101      à universal class tag b'00101' à x'05' à NULL

    NULL, The NULL type is used for algorithm parameters in several places in PKCS.

    The length of NULL is 0 (x'00')

    04

    20

      <sha-256-hash>

    X'04'à    b'00000100'
                    00            à universal class
                    0              à primitive, defined-length method
                    00100      à universal class tag b'00100' à x'04' à OCTET STRING

    OCTET STRING, an arbitrary string of octets (eight-bit values).
     in this sample the octet string contains the SHA-256 hash of the signed data.

    The length of a sha-256-hash is 32 Bytes (x'20')

    In the COBOL-modul the 32 Bytes sha-256-hash is concatenated.

     

    Olaf_Warnecke


  • 4.  AW: Re: Meaning of ASN.1 BER Hash-Prefix for digital signature verify (CSNDDSV - PKCS-1.1)

    Posted Sat March 05, 2016 11:57 AM

    Good idea! Great format!

    Eysha Shirrine