Specialist options have been added [version 3.3] to enable users to create digital signatures suitable for use in an AUTACK message (see references [SIEM99] and [EDIFACT]). This method uses a modified version of RSA (RSA2 in P1363 parlance) together with ISO 9796-1 formatting.
To create such a digital signature, the user must carry out the following operations in sequence:
1. HASH_Bytes()
2. RSA_EncodeMsg()
3. RSA_RawPrivate()
Specific changes to enable this:
RSA_FromXMLString function to allow the import of a restricted RSA private key from XML data consisting only of the <Modulus>, <Exponent> and <D> fields.
The resulting "internal" key string can be used to sign raw data but cannot be saved in a private key file.
We do this so we can reproduce the examples in [EDIFACT] (and discover an error in one of their examples!)
PKI_EMSIG_ISO9796 option to the RSA_EncodeMsg and RSA_DecodeMsg functions to enable the user to encode and decode a message according to ISO/IEC 9796-1.
If this option is used, the message is encoded directly without the application of any message digest algorithm.
It assumes that the RSA key length is exactly equal to the output length and that the most significant bit of the key modulus is set.
The user has to explicitly add the length of the key modulus in bits to the option. Yes, messy.
RSA_RawPrivate and RSA_RawPublic functions to sign and decrypt RSA signatures using the slightly modified method used in ISO/IEC 9796-1 and ANSI X9.31.
The user must explicitly add the option 0x6 or 0xC to nominate that the message representative f is congruent to either 6 or 12, depending on which variant they are using.
Being congruent to 6 or 12 means that the last nibble of the message representative is either 0x6 or 0xC.
Autack requires the last nibble to be 0x6 and X9.31 requires it to be 0xC.
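As an added illustration (not CryptoSys PKI code and not part of the original page), the following Python example shows the modified raw RSA operation described above, following the P1363 RSA2 definition with the trailing nibble passed as a parameter. The toy key and the function names rsa2_sign, rsa2_verify and rejects are constructed for this example; real use needs a full-size key and the ISO 9796-1 or X9.31 encoding step first.

```python
# Added example, not the library's code: RSA2-style raw sign/verify with the
# trailing-nibble rule (0x6 for ISO 9796-1 / AUTACK, 0xC for ANSI X9.31).

# Constructed toy key, far too small for real use: n = 61 * 53 = 3233, e = 17.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

NIBBLES = (0x6, 0xC)


def rsa2_sign(f: int, nibble: int) -> int:
    """Sign message representative f, which must end in the chosen nibble."""
    if nibble not in NIBBLES:
        raise ValueError("nibble must be 0x6 or 0xC")
    if not 0 < f < N or f % 16 != nibble:
        raise ValueError("message representative has the wrong last nibble")
    t = pow(f, D, N)
    # The modification to plain RSA: output the smaller of t and n - t.
    return min(t, N - t)


def rsa2_verify(s: int, nibble: int) -> int:
    """Recover f from signature s, or raise ValueError if it is malformed."""
    if nibble not in NIBBLES:
        raise ValueError("nibble must be 0x6 or 0xC")
    if not 0 <= s <= (N - 1) // 2:
        raise ValueError("signature out of range")
    t = pow(s, E, N)
    # Either t or n - t is the representative; the last nibble says which.
    f = t if t % 16 == nibble else N - t
    if f % 16 != nibble:
        raise ValueError("recovered value does not end in the expected nibble")
    return f


def rejects(s: int, nibble: int) -> bool:
    """True if verification fails for this signature and nibble variant."""
    try:
        rsa2_verify(s, nibble)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    f = 0x6A6  # constructed representative ending in nibble 0x6
    s = rsa2_sign(f, 0x6)
    print(hex(s), hex(rsa2_verify(s, 0x6)), rejects(s, 0xC))
```

Because the modulus is odd, at most one of t and n - t can end in the expected nibble, so a signature made under one variant is rejected when checked under the other.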
The method used in ISO 9796-1 has been shown to be insecure for signing plain text messages, i.e. signatures can be forged. However, it is still considered to be secure when used to encode a message digest, as done in the Autack method.
For full sample code that shows how to sign and verify a message using Autack, see our Autack page.
There are two steps: