Thursday, November 6, 2014

How to RSA sign a data file using openssl

Here's a quick and easy way  for  computing a RSA signature of a data file. You can do this to ensure the data has not been compromised.

1st craft a keypair . In this example,  I've created both a 1k and 2k bit rsa-key

2nd extract the public-key. This is required  by the recipient(s).

The public-key will be shared for "everybody", but  the private-key stays .... PRIVATE!. This is the basics for any PKI

Next,  we take our data file and create a hash. We will create the signature off this hash.

NOTE: The digest I used in this example, was sha1, but any digest could have been used. It's preferred to use sha1 or better. RIPEmd160 or  higher is a good choice but is not very common across OSes platforms.

Finally we can sign the hash using the private-keys (  1024 and 2048 bits  long )

Now you can share the signature , public key & obviously the data. On the receiver side you will need to validate the signature against the data using the pub-key

note: the options -sign and  reverse -verify are the 2 crucial steps in this process.

If any thing was modify from the original data file  ;
  • the data was compromised
  • it was corrupt
  • or if the signature was compromised 

hence " The verification  would fail "

Here I took the file named  "" and used the unix "vi" to edit my original text file. I changed one character in this file. And then re-compute another hash using the same digest type and re-compared using the earlier pub-keys again.

In conclusion;

Now you can clearly see the hash doesn't compare for the data file. At this time you can compute that either the public-key was wrong,  data was compromised, the wrong digest was use, or the rsa.signatures where compromised. Basically the data can not be verified & validated from being tamper with.

NOTE: The  GNUPgp pretty much works the same way with regards to digital signatures creation, but simplifies most of this operations with a one-line single command. 

You will always need the pub-key regardless of method used ( GNUPgp or RSA ) . While using the above with openssl RSA, knowing the type of hash will be helpful.

NOTE: Openssl support messages digest types;

The signatures did not encrypt the original data  & nor did any part of the original data has changed.  With the RSA cryptographic hash functions, we are signing the hash for the datafile which is just as good as signing the data.

So we are able to build a fingerprint for our data and with the public-key we can now allow anybody to verify this fingerprint. This allows us to build and confirm the identify of the file that the sender is indeed the owner of the data file.

Just keep in mind a digital signature is a two part process "the signing and verification"
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  *  * )=
      /  \

No comments:

Post a Comment