Hal Finney wrote:
Ben Laurie writes:
I've been working on signatures recently, and I'm puzzled. As I
understand it, the form of a decrypted signature is:
01 FF FF ... FF FF 00 <ASN.1 nonsense> <hash>
However, every signature I look at decrypts to:
00 01 FF FF ... FF FF 00 <ASN.1 nonsense> <hash>
Before I hurt my head trying to figure out why, I wonder if there's
something obvious I missed?
Actually if you look at PKCS-1 v1.5 you will find that in fact the
MSB is a 0 and the next byte is a 1 for signatures, a 2 for encryption.
Generally the MSB may not be a whole octet, depending on the size of
the modulus, so they put a zero there.
This is true, as I said elsewhere - but the I-D does not refer to the
place where you are told this.
As an incidental cryptographic query - it seems to me that merely not
having the top bit set should be sufficient to ensure that the MSB is
not too large, so it isn't clear to me (given that the first byte is 1)
why an extra byte of padding is deemed necessary. Did I miss something?
Cheers,
Ben.