Cryptographic Signatures with Message Recovery

Besides the common use of signatures, it is also possible to hide and recover information in cryptographic signatures.

One may argue that encryption, either symmetric or asymmetric, could be used to hide the information.

But in some scenarios:

  • Symmettic encryption would result in the problem of key distribution.
  • Another misleading way would be to encrypt
    the credentials with the public key of the server and to distribute the servers private key to the
    users. But that would be fatal, since the public key can be calculated from the private key and
    an attacker could pretend to be a server.

In some scenarios the way to use the private key to hide and the public key to reveal the information may come in handy.

Of course, the receiver of the encrypted message would require authentic public keys.

To prevent existential imitating.

The defintion of the scheme to use can be found in the ISO 9796-2 standard. But let’s not dive too deep in detail and go down the practical road.

Digital Signatures provide a way to ensure authenticity for information by making use of a public key infrastructure. A signature is generated by the signer of a message and is independent of the receiver. Therefore, the signature depends only on the message and the secret of the signer.
The goal is that the signature can not be assigned to any other (meaningful) message. Digital signatures can be used to prevent existential imitating with the use of a collision resistant cryptographic hash function. As a result, a third party can not feign oneself to a client as a server. In the sWiPs environment the server acts as the signer and provides the signature of the paSSID that is displayed visually. Authenticity can be guaranteed
by embedding the signature in the QR code. Within digital signatures, the client correlates to the verifier. A client who is in possession of the authentic public key of the server is permitted to establish a connection. Unfortunately, the same applies for an eavesdropper who is in possession
of the public key and can obtain the paSSID to authenticate illegitimately. The distribution of the keys is not subject to any control. Any client may pass the servers public key. The assumption that the public key of the server is kept private would also result in confidentiality. Nevertheless, already the name “public key” shows that it should not be private and the idea of keeping it private should be handled with care.

The ISO-9796-2 Scheme 2 [ISO] is a standard designed for digital signatures with message recovery. It uses the RSA algorithm for signing and verification. The messages are hashed using the SHA-1 algorithm and padded according to the ISO-9796-2 Scheme 2 standard. Further
details can be found in Section 5.2.8.

Signing BASE64 encoded plaintexts, writing the to files or stdout and verify the signature to get the original plaintext with message recovery

Wrapper for the ISO9796-2 bouncycastle ( sign and verify functions for Message Recovery from signatures

  • ISO StandardISO_IEC_9796-2
  • Algorithm: RSA
  • Hash: SHA-1
  • Padding: ISO-9796-2 Scheme 2

Example usage:

verify signature from file:

java -jar ISO9796SignerVerifier.jar -f verify -i signature.out -k publicKey.der -file

sign message to stdout

java -jar ISO9796SignerVerifier.jar -f sign -i "this is the message" -k privateKey.der


Key generations Generate a 2048-bit RSA private key

openssl genrsa -out privateKey.pem 2048

Convert privateKey to PKCS#8 format

openssl pkcs8 -topk8 -inform PEM -outform DER -in privateKey.pem -out privateKey.der -nocrypt

Output public key in DER format

openssl rsa -in private_key.pem -pubout -outform DER -out public_key.der


If you used the verification function you may have to decode the string that holds the signature:



Machine learning is just fancy bruteforcing -- change my mind

Leave a Reply

Notify of