Cryptography and .NET - Part 5 (Digital Signatures)

Introduction

In the previous articles of this series (Part 1, Part 2, Part 3, Part 4) we learnt how to create hash values. Continuing our journey, this part covers digital signatures. Digital signatures are used to verify the identity of the sender and to ensure data integrity. They are often used along with public key encryption.

How Digital Signatures work

In Part 1 we mentioned how digital signatures work.

  1. The sender applies a hash algorithm to the data being sent and creates a message digest. A message digest is a compact representation of the data being sent.
  2. The sender then encrypts the message digest with the private key to get a digital signature.
  3. The sender sends the data over a secure channel.
  4. The receiver receives the data and decrypts the digital signature using the public key, retrieving the message digest.
  5. The receiver applies the same hash algorithm as the sender to the data and creates a new message digest.
  6. If the sender's digest and the receiver's digest match, then the message really came from the said sender.

Related classes

The .NET Framework provides the classes RSACryptoServiceProvider, RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter that allow you to create and verify digital signatures. All of them reside in the System.Security.Cryptography namespace.

Example

In this example we will be creating a class called DigitalSignatureHelper that allows us to generate digital signatures and verify them. Note that in order to run this example you need the MD5HashHelper class that we developed in the previous part.

using System.Security.Cryptography;

public class DigitalSignatureHelper
{
    // Key pair exported from the RSA provider used for signing; only the
    // public half is needed by VerifySignature().
    RSAParameters m_private;
    RSAParameters m_public;

    public byte[] CreateSignature(byte[] hash)
    {
        // A fresh RSA key pair is generated on every call.
        RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();
        RSAPKCS1SignatureFormatter RSAFormatter = new RSAPKCS1SignatureFormatter(RSA);
        // Must name the algorithm that produced 'hash'.
        RSAFormatter.SetHashAlgorithm("MD5");
        m_public = RSA.ExportParameters(false);   // public key only
        m_private = RSA.ExportParameters(true);   // includes the private key
        return RSAFormatter.CreateSignature(hash);
    }

    public bool VerifySignature(byte[] hash, byte[] signedhash)
    {
        RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();
        // Import only the public key parameters (Modulus and Exponent).
        RSAParameters RSAKeyInfo = new RSAParameters();
        RSAKeyInfo.Modulus = m_public.Modulus;
        RSAKeyInfo.Exponent = m_public.Exponent;
        RSA.ImportParameters(RSAKeyInfo);
        RSAPKCS1SignatureDeformatter RSADeformatter = new RSAPKCS1SignatureDeformatter(RSA);
        RSADeformatter.SetHashAlgorithm("MD5");
        return RSADeformatter.VerifySignature(hash, signedhash);
    }
}

Let's understand the code step-by-step.

  • We create a class called DigitalSignatureHelper with two private variables and two methods.
  • The class-level variables m_private and m_public are of type RSAParameters and are used to store the private and public key information.
  • The method CreateSignature() accepts the hash value that has to be signed and returns the digitally signed hash as its return value.
  • Inside this function we create an instance of the RSACryptoServiceProvider class.
  • We also create an instance of the RSAPKCS1SignatureFormatter class and pass the RSACryptoServiceProvider instance to its constructor.
  • The RSAPKCS1SignatureFormatter class is used to create PKCS #1 (Public-Key Cryptography Standards) version 1.5 signatures, whereas RSACryptoServiceProvider provides the underlying RSA operations.
  • Since we will be using MD5 as the hashing algorithm, we call the SetHashAlgorithm() method of RSAPKCS1SignatureFormatter and pass "MD5" as the parameter. If your hashing algorithm is SHA1, you would pass "SHA1" instead.
  • Then we call the ExportParameters() method of RSACryptoServiceProvider to get the generated public and private keys. We store these keys in the class-level variables m_public and m_private respectively.
  • Finally we call the CreateSignature() method of the RSAPKCS1SignatureFormatter class, which returns the signature. The same is returned as the return value of the function.
  • The VerifySignature() method accepts two parameters: the original hash value and the signed hash value. It checks the signature against the hash and returns true if they match.
  • Inside this function we create an instance of the RSACryptoServiceProvider class.
  • We need to supply key information during signature verification, and hence we create an instance of the RSAParameters structure.
  • The Modulus and Exponent properties of this structure are set to the equivalent properties of the previously obtained public key (m_public).
  • We then call the ImportParameters() method of RSACryptoServiceProvider to import the key information into the instance.
  • Then we create an instance of the RSAPKCS1SignatureDeformatter class. This class is used to verify RSA PKCS #1 version 1.5 signatures.
  • Again, we set the hashing algorithm to MD5 using the SetHashAlgorithm() method of the RSAPKCS1SignatureDeformatter class.
  • Finally we call the VerifySignature() method of the RSAPKCS1SignatureDeformatter class and pass the original hash value and the signed hash value to it. This method returns true if the signature is verified successfully, else it returns false. This value is returned to the caller.
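As an added example (not part of the article or its download), here is a sign-and-verify round trip that walks through the six steps above using DigitalSignatureHelper: the MD5 digest of a constructed message is signed, the receiver side verifies it, and a tampered copy of the message is shown to fail verification. It assumes the DigitalSignatureHelper class from this article is compiled in the same project; the names DigitalSignatureDemo and Md5Digest are ours.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: exercises the article's DigitalSignatureHelper end to end.
public static class DigitalSignatureDemo
{
    // The digest algorithm must match the name passed to SetHashAlgorithm("MD5").
    static byte[] Md5Digest(byte[] data)
    {
        using (MD5 md5 = MD5.Create())
        {
            return md5.ComputeHash(data);
        }
    }

    public static void Main()
    {
        // Constructed sample message; any byte[] works.
        byte[] message = Encoding.UTF8.GetBytes("Pay 100 to Alice");
        DigitalSignatureHelper helper = new DigitalSignatureHelper();

        // Sender side (steps 1 and 2): digest the data, then sign the digest.
        byte[] digest = Md5Digest(message);
        byte[] signature = helper.CreateSignature(digest);
        Console.WriteLine("Signature length in bytes: " + signature.Length);

        // Receiver side (steps 4 to 6): recompute the digest and check it
        // against the signature using the public key held in the helper.
        bool ok = helper.VerifySignature(Md5Digest(message), signature);
        Console.WriteLine("Original message verifies: " + ok);

        // Integrity check: a single changed byte gives a different digest,
        // so the same signature no longer verifies.
        byte[] tampered = Encoding.UTF8.GetBytes("Pay 900 to Alice");
        bool tamperedOk = helper.VerifySignature(Md5Digest(tampered), signature);
        Console.WriteLine("Tampered message verifies: " + tamperedOk);

        // Caveat: CreateSignature() generates a new key pair on every call and
        // overwrites m_public, so verify each signature with the helper state
        // that produced it.
    }
}
```

The hash name given to SetHashAlgorithm() must be the algorithm that actually produced the digest; MD5 is used here only to match the article, and for new code a SHA-2 digest should be used instead.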

Download

Complete source code along with a sample usage is available for download with this article (see top).

Summary

In this article we learnt about digital signatures. Digital signatures allow you to verify that the data came from a known sender. The classes RSACryptoServiceProvider, RSAPKCS1SignatureFormatter and RSAPKCS1SignatureDeformatter from System.Security.Cryptography allow you to work with digital signatures.

Bipin Joshi is a blogger, author and a Kundalini Yogi who writes about apparently unrelated topics - Yoga & technology! A former Software Consultant and trainer by profession, Bipin is programming since 1995 and is working with .NET framework ever since its inception. He is an internationally published author and has authored or co-authored more than half a dozen books and numerous articles on .NET technologies. He has also penned a few books on Yoga. Bipin was also a Microsoft MVP for six consecutive years. You can read more about him here.


Tags : .NET Framework Security
Posted On : 31 Jul 2005