• Advertisement
Sign in to follow this  

[web] [ignore me] Server side RSA (or similar) data signing

This topic is 4345 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Hello, I hope someone can help me out here. The app I'm currently working on requires some form of signed license keys for users. Ie, asymetric encryption. So I was thinking RSA. The problem is my app is .net based, and the server is only capable of running php/cgi code. So I need an RSA implementation in either php or cgi. I haven't been able to find a suitable implementation in either yet. I basically need something that can run on the server and generate a validation signature for a smallish block of data (always 2k). My application is written in .net, so it's using the standard RSA crypto providers in the framework. I managed to find a rsa implementation for PHP on the following site: http://pear.php.net/package/Crypt_RSA/ however, it's results don't seem very reliable. I'm *assuming* RSA is a standardised algorithm, so any implementation should give the same results? I've double checked how this example generates the hash (uses SHA1, then encrypts the hash), which seems correct, however if I do exactly this (manually or not) in .net I always get different outputs. I have been very careful to use the same keys too. Needless to say I do not want to reverse engineer either implementation. Does anyone know of any other implementations? I'd greatly appreciate any help here. Cheers. [Edited by - RipTorn on May 31, 2006 10:10:19 PM]

Share this post


Link to post
Share on other sites
Advertisement
A quick read of Wikipedia's RSA and SHA-1 pages doesn't show that either algorithm uses a "salt" of any sort (causing different results each time), but it's possible (I'm no crypto expert). I suggest you try encrypting/signing the same message multiple times in both PHP and .NET. Do you get different signatures using the same platform? Can you verify a signature in PHP that was generated by .NET and vice versa? If so, I wouldn't worry about it.

Share this post


Link to post
Share on other sites
exactly, it shouldn't be salting anything (although as I say, a briefe look into the code suggested there was a constant 'salt' in the php code).

I may not have been clear when I said " in .net I always get different outputs" by that I mean the outputs are always different to the PHP code.

Simply, the idea is that I can attach a signature to the end of a file. This signature can be generated on the server with the private key, and can be verified on the client with the public key. However, the data cannot change without the signature becomming invalid, and as the private key is safe on the server, little bobby can't go off and start mass producing license files (because he can't generate the signature).

think a zip file with two passwords, one to encrypt, one to decrypt. You keep the encrypt private (to encrypt the hash) and keep the decrypt key public, so the encrypted hash can be decrypted and verified.

Quote:

Can you verify a signature in PHP that was generated by .NET and vice versa?


No, I can't. Each algorithm implementation seems to produce different outputs for the same input data, same keys, etc. Which is bad. Because of the nature of the beast, it could be a single bit being wrong somewhere, but i'd never know because the output of an RSA/SHA1 encrypt/hash is designed to appear to be random.

*sigh*...

Share this post


Link to post
Share on other sites
How is the PHP output formatted? Perhaps you are getting Base64 output from PHP, and the raw binary from .NET (which you can encode in Base64 if you want)

Share this post


Link to post
Share on other sites
Salting is easy to check for. Take the same data, the same key and sign it multiple times with the same application. Do you get different signatures each time? If so, it's salting.

Share this post


Link to post
Share on other sites
no it's using a constant salt.
If it were randomly salting then it'd not be decryptable :-)

I've checked the different combinations of base64 or not at both server and client end. So I'm pretty sure it isn't the case

Share this post


Link to post
Share on other sites
*horray finally*
thanks for everyones help but I managed to sort it out.

I ended up using openSSL. I would have done this first off but I thought openSSL was a transport layer type of api, ie, sitting at the webserver level or such.

But, it has a crypto api, which has limited (but enough) exposure in PHP. I managed to get it to work after a lot of work.
It was tough getting the keys to match, etc, and in the end it took me a full day to get it going.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement