shreyasva

Reputation: 13456

Webcrypto API/algorithm to encrypt, decrypt and also sign, verify

I am trying to achieve asymmetric encryption and trying to send a string via an unsafe transport channel. I am using the RSA-OAEP algorithm to encrypt my data. I encrypt the string using the public key; however, at the receiver's end I would like to verify that the encrypted string was not changed (during transport).

A look at the API reveals that there is no sign, verify functionality available with the RSA-OAEP algorithm. I was thinking of tacking a hash (potentially SHA-based) with the string and verifying this at the receiver. Is this sound from a security perspective? Is there an API (that uses RSA) that lets me achieve encrypt, decrypt, sign, verify functions using the same algorithm?

Upvotes: 1

Views: 1025

Answers (1)

Maarten Bodewes

Reputation: 93968

No, OAEP cannot be used for signing as it doesn't (and shouldn't) use a private key for encryption. See the answer here. Just encrypting the hash doesn't work as anybody may encrypt any hash.

You should sign with your private key so the receiver can verify the hash with your trusted public key. Algorithms to do this are RSA with PKCS#1 v1.5 padding for signature generation and the newer RSA-PSS. Most APIs that contain OAEP (Optimal Asymmetric Encryption Padding) should also contain signature generation & verification functionality.

All these protocols have been described in RFC 3447 (which contains PKCS#1 v2.1). The Webcrypto API also contains these primitives. The main problem with the Webcrypto API is that it doesn't seem geared to establishing the trust relation, which is fundamental to most cryptographic operations.

Upvotes: 3
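The combination described in the answer, as an added example that is not part of the original post: RSA-OAEP encrypts to the receiver's key and RSA-PSS signs the ciphertext with a separate sender key. The function names, the choice to sign the ciphertext, and the assumption that the receiver already trusts the sender's public key are the example's own.

```javascript
// Added example: RSA-OAEP for confidentiality, RSA-PSS for integrity and origin.
// The require() fallback is only reached on runtimes without a global WebCrypto object.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

const RSA_PARAMS = { modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };
const PSS = { name: "RSA-PSS", saltLength: 32 }; // salt length = SHA-256 output size

// Two separate key pairs: the receiver's decrypts, the sender's signs.
const newReceiverKeys = () => subtle.generateKey({ name: "RSA-OAEP", ...RSA_PARAMS }, false, ["encrypt", "decrypt"]);
const newSenderKeys = () => subtle.generateKey({ name: "RSA-PSS", ...RSA_PARAMS }, false, ["sign", "verify"]);

// Sender: encrypt to the receiver's public key, then sign the ciphertext.
async function seal(text, receiverPublicKey, senderPrivateKey) {
  const ciphertext = await subtle.encrypt({ name: "RSA-OAEP" }, receiverPublicKey, new TextEncoder().encode(text));
  const signature = await subtle.sign(PSS, senderPrivateKey, ciphertext);
  return { ciphertext: new Uint8Array(ciphertext), signature: new Uint8Array(signature) };
}

// Receiver: verify with the sender's trusted public key before decrypting anything.
async function openSealed(msg, receiverPrivateKey, senderPublicKey) {
  const ok = await subtle.verify(PSS, senderPublicKey, msg.signature, msg.ciphertext);
  if (!ok) throw new Error("signature check failed: ciphertext changed or not from the sender");
  const plain = await subtle.decrypt({ name: "RSA-OAEP" }, receiverPrivateKey, msg.ciphertext);
  return new TextDecoder().decode(plain);
}

// Constructed demo: a clean round trip, a changed ciphertext, and a message from an untrusted key.
async function demo() {
  const receiver = await newReceiverKeys();
  const sender = await newSenderKeys();
  const rejected = (p) => p.then(() => false, () => true);

  const msg = await seal("constructed sample message", receiver.publicKey, sender.privateKey);
  const roundTrip = await openSealed(msg, receiver.privateKey, sender.publicKey);

  // One bit changed in transit: the signature no longer matches.
  const tampered = { ciphertext: msg.ciphertext.slice(), signature: msg.signature };
  tampered.ciphertext[0] ^= 0x01;
  const tamperedRejected = await rejected(openSealed(tampered, receiver.privateKey, sender.publicKey));

  // Anyone can encrypt to the public key, but not sign as the trusted sender.
  const other = await newSenderKeys();
  const replaced = await seal("replaced message", receiver.publicKey, other.privateKey);
  const replacedRejected = await rejected(openSealed(replaced, receiver.privateKey, sender.publicKey));

  return { roundTrip, tamperedRejected, replacedRejected };
}
```

With 2048-bit keys and SHA-256, RSA-OAEP accepts at most 190 bytes of plaintext, so this fits short strings only.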
