DEVHIDE
Login Or Sign up

How does the verification server recognize which public key to use in RSA?

1.8k Views Asked by At

enter image description here

I am trying to implement a (simplified) RSA-like verification process in my (Java) application. The client sends a request (data + private key signature) and the server either rejects his request or processes it - depending on the signature validity.

But I don't understand how the verification server knows which public key to use for signature decryption. Indeed, no public key - nor public key ID - seem to be sent to the verification server.

Does it actually test all authorized public keys ? Or is the public key stored from a previous communication exchange ?

rsa digital-signature private-key public-key pki
Original Q&A
2

There are 2 best solutions below

0
ammcom On

As the figure you attached with the question suggests, the client sends its certificate along with the signature, the certificate contains the public key, the server checks for certificate validity and uses it to check the signature.

0
pedrofb On

The figure has several errors and some omissions, because it is probably a simplification:

  • the hash is digitally signed, not encrypted, and the signature is verified, not decrypted. The underlying cryptographic operation is not equivalent.

  • the signed data should include the certificate and the certification chain

  • if you use a known format like CMS, pkcs#7 or XMLDsig the hash to sign usually includes also a reference to the signing certificate and content-type to avoid tampering

To validate a signed document you verify the signature using the public key of the attached certificate but it is mandatory to check that the signing certificate is trusted verifying that the certificate itself or the issuing Certification Authority is present in the client's trustore.

The signature includes the certification chain because usually the truststore does not contain the intermediate CAs. The certificates of the truststore are exchanged previously

Additionaly the verification process should check that the certificate is not expired and not revoked

Note that the verification process is the same for all digital certificates in a public key infrastructure, not just RSA

Related Questions in RSA

Related Questions in DIGITAL-SIGNATURE

Related Questions in PRIVATE-KEY

Related Questions in PUBLIC-KEY

Related Questions in PKI

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.