nessiam

Reputation: 3

Could I sign an AES GCM encryption of the data instead of a SHA-256 hash for RSASSA-PSS?

I'm trying to optimize my signature and verification scheme for an embedded device and I'm finding race conditions at just 0.5s/verification. Instead of making the device compute the SHA-256 hash of the data, could I just use an AES encryption and sign that with PSS to accelerate the process, or does it need to be a hashing algorithm?

Upvotes: 0

Views: 709

Answers (2)

bk2204

Reputation: 76559

In general, RSA-PSS requires a hash algorithm for the mask generation function and other operations, so it's doubtful that you could actually make RSA-PSS work in any functional way with something that is not a hash algorithm.

The idea you're proposing is also likely insecure, so even if you could get it to work, it wouldn't be effective as a signature scheme, since it could probably be forged. That's because AES, unlike a hash function, allows users to invert the operation (that is, decrypt), so an attacker who knows the key (which, if you hard-code it, they do) can likely create arbitrary messages to sign.

For a secure digital signature, you really need a secure hash algorithm, which means that you need something like SHA-2, SHA-3, or similar (MD5 and SHA-1 are not secure and should not be used). If possible, I would investigate a possibly more performant SHA-256 implementation here. You could also try the hash algorithm BLAKE2s, which is both cryptographically secure and much faster in software than SHA-256, and may meet your needs better.

Upvotes: 0
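The forgery bk2204 describes can be shown concretely. The following is an added example, not code from the question or either answer: it plays an attacker who holds the AES key (as they would if it is hard-coded in the device) and, instead of brute-forcing, uses the fact that GCM's tag is a GHASH polynomial evaluation that is linear in the ciphertext blocks. Changing block 1 by some delta and block 2 by delta multiplied by the GHASH key H leaves the tag untouched, so two different messages end up with the same 128-bit "hash" and a PSS signature over one is a valid signature over the other. The key, nonce and plaintext below are constructed sample inputs; `GFMul`, `TagOf` and `ForgeTagCollision` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// GFMul multiplies two 16-byte blocks in GCM's GF(2^128), following NIST
// SP 800-38D Algorithm 1 (bit-reflected representation, R = 0xe1 || 0^120).
func GFMul(x, y [16]byte) [16]byte {
	var zHi, zLo uint64
	vHi := binary.BigEndian.Uint64(y[:8])
	vLo := binary.BigEndian.Uint64(y[8:])
	for i := 0; i < 128; i++ {
		if (x[i/8]>>(7-uint(i%8)))&1 == 1 {
			zHi ^= vHi
			zLo ^= vLo
		}
		lsb := vLo & 1
		vLo = (vLo >> 1) | (vHi << 63)
		vHi >>= 1
		if lsb == 1 {
			vHi ^= 0xe100000000000000
		}
	}
	var z [16]byte
	binary.BigEndian.PutUint64(z[:8], zHi)
	binary.BigEndian.PutUint64(z[8:], zLo)
	return z
}

// TagOf returns only the AES-GCM tag of p under key and nonce: the 128-bit
// value the question proposes feeding to RSASSA-PSS in place of SHA-256(data).
func TagOf(key, nonce, p []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, p, nil)
	return sealed[len(p):], nil
}

// ForgeTagCollision plays the attacker who knows the (hard-coded) AES key.
// Given the honest data p1 (at least two full blocks), it returns a different
// p2 whose tag under the same key and nonce is identical, so a PSS signature
// over tag(p1) is equally a valid signature over p2.
func ForgeTagCollision(key, nonce, p1 []byte) ([]byte, error) {
	if len(p1) < 32 {
		return nil, errors.New("need at least two full blocks to compensate")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, p1, nil)
	c1, tag := sealed[:len(p1)], sealed[len(p1):]

	// H = AES_K(0^128) is the GHASH key; anyone holding K can compute it.
	var zero, h [16]byte
	block.Encrypt(h[:], zero[:])

	// GHASH is linear in the ciphertext blocks: with n blocks, block i has
	// weight H^(n+2-i). Adding delta to block 1 and delta*H to block 2 adds
	// delta*H^(n+1) twice, which cancels in GF(2^128), so the tag is unchanged.
	delta := [16]byte{0xde, 0xad, 0xbe, 0xef} // any non-zero difference works
	deltaH := GFMul(delta, h)
	c2 := append([]byte(nil), c1...)
	for i := 0; i < 16; i++ {
		c2[i] ^= delta[i]
		c2[16+i] ^= deltaH[i]
	}

	// Open checks the original tag against the modified ciphertext; success
	// proves the collision and hands back the forged plaintext.
	p2, err := gcm.Open(nil, nonce, append(c2, tag...), nil)
	if err != nil {
		return nil, fmt.Errorf("collision construction failed: %w", err)
	}
	return p2, nil
}

func main() {
	// Constructed sample inputs; in the question's scheme the key would be
	// hard-coded in the device firmware, which is exactly the problem.
	key := []byte("0123456789abcdef")
	nonce := []byte("unique-nonce")
	p1 := []byte("constructed sample: firmware image v1.2, block 0 and 1")
	p2, err := ForgeTagCollision(key, nonce, p1)
	if err != nil {
		panic(err)
	}
	t1, _ := TagOf(key, nonce, p1)
	t2, _ := TagOf(key, nonce, p2)
	fmt.Printf("p1 != p2: %v\n", !bytes.Equal(p1, p2))
	fmt.Printf("tag(p1) = %s\ntag(p2) = %s\n", hex.EncodeToString(t1), hex.EncodeToString(t2))
}
```

The same construction works for any message of two or more blocks and for any choice of delta, which is what makes the tag useless as a hash once the key is known: a real hash gives the attacker no such algebraic handle. The linearity of GHASH is harmless in GCM's intended setting only because the key is secret.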

bartonjs

Reputation: 33108

If you’re asking if the concept could work: sure. You could pigeonhole the tag as a 128-bit hash output and, provided you’re calling an API that accepts the pre-computed hash, everything would work (provided you told the PSS operations they were using a 128-bit hash algorithm).

But no one else would be able to verify your signature, because that’s not a predefined way of doing RSASSA-PSS. And you’d have a “public only” verification problem… the only way someone can know if the tag matches the data is to also have the encryption key, so you would have to embed the key and nonce in the signature parameters (a really bad idea) or just be a private/application protocol.

So, it could be done, but it won’t interoperate, and it’s almost guaranteed never to be a standard because it can’t be used by implementations that don’t accept pre-computed hashes (without forcing the scheme to plaintext transport the content encryption key).

Upvotes: 1
