Introduction
This tool has been coded for those who're planning to use DSA signatures in their own programs
but don't know how to generate keys which are safe to use. If you are no coder or/and are not
at least a little bit familiar with public-key cryptography, this tool is definately of no use for
you. Sorry. Next time I will probably better code some Tetris game. :-))
介绍
这个工具是为那些打算在他们自己的程序中使用DSA签名算法但不知道如何产生安全密钥的人而写的。如果你不是编程人员,或者/并且对公钥加密一点也不熟悉的话,那么可以明确地说,该工具对你毫无用处可言。对不起。下次我也许会编写一些Tetris游戏。
1. General stuff
In 1991 the Digital Signature Algorithm(DSA) has become the Digital Signature Standard(DSS).
DSA is a public-key signature scheme that uses a pair of transformations to generate and verify a
digital value called signature. DSA has been developed by the US National Security Agency(NSA)
and can -not- be used for encryption or key distribution. DSA is some variant of the ElGamal
signature algorithm and, as defined in the standard, uses the Secure Hash Algorithm(SHA/SHA-1) as one-way hash function.
1. 基本知识
1991年,数字签名算法(DSA)成为数字签名标准(DSS)。DSA是一种公钥签名方案,该方案使用一对转换以产生和验证一数字值,这个数字值即是签名。DSA由美国国家安全局(NSA)研制,它不能用于加密或者密钥分配。DSA是ElGamal签名算法的变种,并使用该标准[HT:指DSS]中定义的安全散列算法(SHA/SHA-1)作为单向散列函数。
2. Parameters
P = A prime number in range 512 to 1024 bits which must be a multiple of 64
Q = A 160 bit prime factor of P-1
G = H^((P-1)/Q) mod P. H is any number < P-1 such that H^((P-1)/Q) mod P > 1
X = A number < Q
Y = G^X mod P
Parameters P, Q, G and Y are public where Y is the public key. X is the private key and must be
kept secret! To obtain X from Y one needs to solve the Discrete Logarithm Problem which is virtually impossible for -properly- generated parameters of reasonable size.
2. 参数
P = 512位到1024位的素数,位数必须是64的整数倍
Q = P - 1的160位素因子
G = H^((P-1)/Q) mod P。其中H为任何小于P - 1,且满足H^((P-1)/Q) mod P > 1的整数
X = 一小于Q的整数
Y = G^X mod P
参数P、Q、G和Y公开,其中Y为公开密钥。X为私人密钥,必须保密!要通过Y求得X则必须解决离散对数问题,对于合适大小的正确产生的参数而言,这根本是不可能的。
3. Signing a message (M)
To sign M, carry through the following steps:
- Generate a -random- number K < Q. NEVER use same K twice or more to sign other messages!
- Compute R = (G^K mod P)mod Q
- Compute S = (K^-1*(SHA(M) + X*R)) mod Q
The number pair (R,S) is the signature of M.
3. 对消息(M)进行签名
要对M进行签名,则按以下步骤执行:
- 产生一小于Q的随机数K。永远不要把同一K使用两次或两次以上以对其它消息进行签名!
- 计算R = (G^K mod P) mod Q
- 计算S = (K^-1*(SHA(M) + X*R))mod Q
数字对(R,S)即是M的签名。
4. Verifying a signature (R,S) of M
- Compute W = S^-1 mod Q
- Compute U1 = (SHA(M) * W) mod Q
- Compute U2 = (R*W) mod Q
- Compute V = ((G^U1 * Y^U2) mod P) mod Q
If V == R the signature is verified.
4. 验证M的签名(R,S)
- 计算W = S^-1 mod Q
- 计算U1 = (SHA(M) * W) mod Q
- 计算 U2 = (R*W) mod Q
- 计算 V = ((G^U1 * Y^U2) mod P) mod Q
如果V == R,则签名有效。
5. Notes
- The bignumber library used in this program is MIRACL 4.45 (c) by Shamus Software Ltd.
It can be downloaded incl. Sources in C/CPP and manuals at: http://indigo.ie/~mscott/
Please note that the MIRACL lib is -not- free to use in commercial programs. Even worse,
the license fees are pretty high but you can, of course, use any other bignumber library.
A very good alternative is Freelip (current version 1.1)
- Base60 conversion table (as used by MIRACL):
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx
- Base64 conversion table:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Please note that the Base64 format is not supported by MIRACL. I used own routines. Conversion starts at MSB and ends at LSB of the hex representation of each number. This may be incompatible with 3rd party base64 conversion routines.
Parameters R and S of the signatures generated in the Test Dialog are separated by a <space>.
- A small part of the DSA parameter generation uses some random data as seed value for a PRNG. This generator will NOT be re-initialized during runtime. I.e. you will get different DSA keys every time you press the Generate button. This is done on purpose, as it makes abusing this tool to recover a Keypair much more difficult. Generated random data will be saved to file 'dsaseed.rnd' and loaded automoatically on each start of the program.
