3

I'm having problems understanding what is meant by "digital signature with partial recovery". I found from Google that digital signature with recovery should mean that the message is recoverable from the signature? Is that right? As I understand about the signature is that I need the public key to "unwrap" the signature. Document what im refering in my case says:

The certificate issued is a digital signature with partial recovery of the certificate content in accordance with ISO/IEC 9796-2

So what would be the steps or whats should I use to recover the message? Bouncycastle? CryptoAPI? ()

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
hs2d
  • 133
  • 3

2 Answers2

1

Generally ISO/IEC 9796-2 digital signature scheme is used in cases where the memory footprints of the underlying platform are lower or the data to be signed is very small. Ideally it is not suited for signing some documents etc. For signing documents in the PC environment one can resort PKCS 1 signature schemes with PKCS 7 signed data where we can have envelopes containing the data and certificate. Lets assume a RSA Key Pair with modulus size of 128 bytes; typically with padding schemes the data which we can encipher to generate a signature is around in the range of 70-80 bytes. In 9796 the size of data which can be encrypted is slightly higher.

In 9796 scheme, the data either full or partial is part of the data which is to be encrypyted to generate signature which in normal PKCS 1 case, data to be encrypted is the digest of the actual data. In latter case for verification; a copy of actual data is required.

Now coming to certificates; in general PC environment we are used to X509 certificates which are bulky in footprint for constrained environment like smart cards or terminal devices. In constrained environment; instead of X509 certs a simple TLV based certificate is used which makes it easier for the reader to read the certificate. So when a certificate is presented in the 9796 scheme, the certificate is part of the signature. There are some digest also included in the data to be encrypted like a pattern of sort M1|Digest|M2. You can refer the 9796-2 specification for more information. I am taking the pattern as general description. Here M1 is recoverable part and M2 can be either recoverable or empty. If M2 is empty than the signature verification device needs the M2 through some other means. In this case the reader just needs the public key of the CA to validate the signature and extract the certificate. The digest in the pattern is digest over M1|M2 in some order. Usually EMV (Euro Master Visa) and other payment card industry uses 9796 schemes. Also many of Electronic Id cards uses the scheme.

Mohit Sethi
  • 702
  • 4
  • 7
1

A "digital signature with partial recovery" is a special kind of digital signature, with one advantage: it often adds less overhead to the length of a signed message, compared to other digital signatures.

For example, if you sign a 100-bit message with 2048-bit RSA (without any support for message recovery), then the length of the signed message will be 100+2048 = 2148 bits. On the other hand, if you signed that message using a scheme with partial message recovery, the length of the signed message might be (for instance) 2048 bits.

The exact impact on message length depends upon various parameters: for instance, the length of the message, the length of the signature field, the amount of message recovery supported. So I can't give you a simple formula to tell you how much of an advantage "partial recovery" will be in any particular application setting.

But this tells you in what circumstances you might be interested in a "digital signature with partial recovery": namely, those where the impact on message lengths is critical. (In those circumstances, you might also want to look at ECC digital signature schemes, and compare the impact on message lengths in your particular application.)

D.W.
  • 99,525
  • 33
  • 275
  • 596