Programming .NET Security : Programming Digital Signatures (part 1) - Using the Abstract Class

The .NET Framework groups encryption and digital signature algorithms together as subclasses of the AsymmetricAlgorithm class. Figure 1 depicts the .NET class hierarchy for digital signature algorithms, which differs from the encryption algorithm hierarchy only because of the addition of the signature-only DSA support.

Figure 1. The .NET Framework class hierarchy for digital signature algorithms

The general lack of consistency between the abstract algorithm classes (RSA and DSA) and their implementation counterparts (RSACryptoServiceProvider and DSACryptoServiceProvider) means that there are several equivalent ways to accomplish signature operations, which we demonstrate in the following sections.

1. Using the Abstract Class

The abstract System.Security.Cryptography.DSA class defines the CreateSignature method, which accepts a SHA-1 hash code that will be PKCS #1 formatted and signed, as the following example demonstrates (we have omitted the process of specifying the key pair to use):

# C#

// create the plaintext
byte[] x_plaintext = Encoding.Default.GetBytes("Programming .NET Security");

// create the SHA-1 algorithm instance and create a hash code for the plaintext
SHA1 x_sha = SHA1.Create(  );
byte[] x_hashcode = x_sha.ComputeHash(x_plaintext);

// create an instance of the DSA algorithm using
// the Create method in the abstract class
DSA x_dsa = DSA.Create(  );
        
// use the CreateSignature method to sign the
// SHA-1 hashcode created from the plaintext
byte[] x_signature = x_dsa.CreateSignature(x_hashcode);

# Visual Basic .NET

' create the plaintext
Dim x_plaintext As Byte(  ) = Encoding.Default.GetBytes("Programming .NET Security")

' create the SHA-1 algorithm instance and create a hash code for the plaintext
Dim x_sha As SHA1 = SHA1.Create(  )
Dim x_hashcode As Byte(  ) = x_sha.ComputeHash(x_plaintext)

' create an instance of the DSA algorithm using
' the Create method in the abstract class
Dim x_dsa As DSA = DSA.Create(  )

' use the CreateSignature method to sign the
' SHA-1 hashcode created from the plaintext
Dim x_signature As Byte(  ) = x_dsa.CreateSignature(x_hashcode)

You must create the SHA-1 hash code yourself when using the CreateSignature method. The method returns the DSA signature, expressed as an array of bytes.

The DSA signature function relies on random numbers to create signatures. This means that any two signatures will be different, even when created for the same data and using the same key pair.

The VerifySignature method is the counterpart to CreateSignature, and accepts a SHA-1 hash code and the signature to verify, both expressed as an array of bytes. The following statements demonstrate how to verify a DSA signature:

# C#

// create the plaintext
byte[] x_plaintext 
    = Encoding.Default.GetBytes("Programming .NET Security");

// define the signature to verify
byte[] x_signature = new Byte[] {0x7D, 0x2B, 0xD7, 0x3D, 0x88, 0xCB, 0x1B, 0x6B,
                                  0x04, 0x62, 0x95, 0xBE, 0x28, 0x59, 0x3E, 0xC5,
                                  0x40, 0xDA, 0x79, 0xFE, 0x3B, 0x25, 0x08, 0x4B,
                                  0x27, 0xF1, 0x31, 0x2A, 0x6F, 0x7C, 0x6E, 0x35, 
                                  0x45, 0x9A, 0x49, 0x4C, 0xA4, 0x5E, 0xE6, 0xA0};

// create the SHA-1 algorithm instance and
// create a hash code for the plaintext
SHA1 x_sha = SHA1.Create(  );
byte[] x_hashcode = x_sha.ComputeHash(x_plaintext);

// create an instance of the DSA algorithm using
// the Create method in the abstract class
DSA x_dsa = DSA.Create(  );

// use the VerifySignature method to verify the DSA signature
bool x_signature_valid = x_dsa.VerifySignature(x_hashcode, x_signature);

# Visual Basic .NET

' create the plaintext
Dim x_plaintext As Byte(  )= Encoding.Default.GetBytes("Programming .NET Security")

' define the signature to verify
Dim x_signature As Byte(  ) = New Byte(  ) {&H7D, &H2B, &HD7, &H3D, &H88, &HCB, _
                                  &H1B, &H6B, &H4, &H62, &H95, &HBE, &H28, _
                                  &H59, &H3E, &HC5, &H40, &HDA, &H79, &HFE, _
                                  &H3B, &H25, &H8, &H4B, &H27, &HF1, &H31, _
                                  &H2A, &H6F, &H7C, &H6E, &H35, &H45, &H9A, _
                                  &H49, &H4C, &HA4, &H5E, &HE6, &HA0}

' create the SHA-1 algorithm instance and
' create a hash code for the plaintext
Dim x_sha As SHA1 = SHA1.Create(  )
Dim x_hashcode As Byte(  ) = x_sha.ComputeHash(x_plaintext)

' create an instance of the DSA algorithm using
' the Create method in the abstract class
Dim x_dsa As DSA = DSA.Create(  )

' use the VerifySignature method to verify the DSA signature
Dim x_signature_valid As Boolean = x_dsa.VerifySignature(x_hashcode, x_signature)

The VerifySignature method returns true if the signature can be verified and false if the signature is not valid.

The abstract RSA class does not provide any methods to support digital signatures with the RSA algorithm.

Programming .NET Security : Programming Digital Signatures (part 3) - Using the Signature Formatter Classes

Programming .NET Security : Programming Digital Signatures (part 2) - Using the Implementation Class

Other

Programming .NET Security : Digital Signatures Explained

Programming .NET Security : Programming Asymmetrical Encryption

Programming .NET Security : Asymmetric Encryption Explained (part 2) - Creating the Encrypted Data

Programming .NET Security : Asymmetric Encryption Explained (part 1) - Creating Asymmetric Keys

Programmatic Security (part 6) - Assembly-Wide Permissions

Programmatic Security (part 5) - Permission Set Attributes

Programmatic Security (part 4) - Permission Set Classes

Programmatic Security (part 3) - Permission Attributes

Programmatic Security (part 2) - Stack-Walk Modifiers

Programmatic Security (part 1) - The Permission Classes