Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
James_Waithe
Newcomer I
‎06-05-2021 12:44 PM
‎06-05-2021 12:44 PM

Did the digital signature process change? Conflicting information on SSCP CBK editions.

Hi All

 

Did the digital signature creation process officially change? 

In the older versions, and in my logical way of thinking, it says that the message digest is "encrypted" with my private key.  In the new fifth edition, it says the message digest is "decrypted" to CREATE the signature.  

 

Is this an error or an official change in procedures?

The Official (ISC)2 SSCP CBK Reference, Fifth Edition  By: Mike Wills

  1. Carol produces a strong hash of the message content. This is known as the secure message digest.
  2. Carol “decrypts” that hash value, using the trapdoor function and her private key. This new value is her digital signature.
  3. Carol sends the message and her digital signature to Bob.
  4. Bob “encrypts” Carol’s digital signature, using the same trapdoor algorithm and Carol’s public signature, to produce the signed hash value.
  5. Bob uses the same hash function to produce a comparison hash of the message he received (not including the signature). If this matches the value he computed in step 4, he has proven that Carol (who is the only one who knows her private key) is the only one who could have sent that message.

 

The Official (ISC)2® Guide to the SSCP® CBK  Fourth Edition  2016

Digital signatures provide authentication of a sender and integrity of a sender’s

message. A message is input into a hash function. Then the hash value is

encrypted using the private key of the sender. The result of these two steps yields

a digital signature. The receiver can verify the digital signature by decrypting the

hash value using the signer’s public key, then perform the same hash computation

over the message, and then compare the hash values for an exact match. If the

hash values are the same, then the signature is valid.

 

Even on CISSP CBK Reference Fifth Edition 2019

: "This hash value is then encrypted using the message author's private key to produce a digital signature. The digital signature is transmitted as an appendix to the message."

 

So what is going on?? 

I have tried to find an update on FIPs.186-4, but cannot see any place where it standardises these steps.

Labels
Reply
7 Replies
Budoka
Contributor II
‎06-05-2021 02:57 PM
‎06-05-2021 02:57 PM

Curious to see the response to this. I suspect it is a mistake but anything but low altitude on cryptography is out of my area of expertise. LOL
Reply
0 Kudos
dcontesti
Community Champion
‎06-06-2021 07:54 AM
‎06-06-2021 07:54 AM

I have to admit that Crypto was not and is not my first love.

 

Trapdoors are widely used in Crypto.  The trapdoor function is easy to compute in one direction, but very difficult in the opposite direction without special information. 

 

I don't have current copies of with the Official Guides to the SSCP or but CISSP  but I would hope that there was some additional information associated with that passage allowing the reader to fully understand Trapdoors in Crypto.  I believe that FIPS refers to these processes as generation and verification

 

@AndreaMoore This one needs to go to the folks Education,  Seems the two publications offer slightly different language.

 

my nickel on an early Saturday morning.

 

d

 

Reply
CraginS
Defender I
‎06-06-2021 08:27 AM
‎06-06-2021 08:27 AM

 

@James_Waithe wrote:

Hi All

 

Did the digital signature creation process officially change? 

In the older versions, and in my logical way of thinking, it says that the message digest is "encrypted" with my private key.  In the new fifth edition, it says the message digest is "decrypted" to CREATE the signature.  

 

...

So what is going on?? 

 

It is quite obvious that the editors of the 5th edition messed up and swapped the words decrypt and encrypt. The 4th edition for SSCP and the CISSP reference have it right.

No need to ponder deeply; just mark your book to correct the two errors.

As for @amandavanceISC2 getting involved, yes Please. There should be an errata list available on the (ISC)2 site which includes this correction.

(While I am not a crypto expert at the math level, working deeply in PKI from 1998-2002 was core to my transformation from IT to infosec. )

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
Reply
James_Waithe
Newcomer I
‎06-06-2021 11:43 AM
‎06-06-2021 11:43 AM

Thank you @CraginS and I hope @amandavanceISC2 can point this discussion to the responsible parties. 

 

My concern is that this "new" concept is in two different places; Its also proposed in this study guide: 

 

(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, Second Edition

By: Mike Wills

 

Question 17 of the self assessment.  I chose A, the book proposes C.

 

17. Which statement best describes how digital signatures work?

    1. The sender hashes the message or file to produce a message digest and applies the chosen encryption algorithm and their private key to it. This is the signature. The recipient uses the sender's public key and applies the corresponding decryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
    2. The sender hashes the message or file to produce a message digest and applies the chosen decryption algorithm and their public key to it. This is the signature. The recipient uses the sender's private key and applies the corresponding encryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
    3. The sender hashes the message or file to produce a message digest and applies the chosen decryption algorithm and their private key to it. This is the signature. The recipient uses the sender's public key and applies the corresponding encryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
    4. The sender encrypts the message or file with their private key and hashes the encrypted file to produce the signed message digest. This is the signature. The recipient uses the sender's public key and applies the corresponding decryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.

Answer:

C: The incorrect answers show misapplication of the steps of the process. Option A has reversed who encrypts and who decrypts. Option B confuses the use of the sender's public and private key, and if the recipient knows the sender's private key it must no longer be private. Option D won't work, because decrypting the unencrypted hash won't produce anything that is useful.

Reply
AndreaMoore
Community Manager
Community Manager
‎06-07-2021 04:39 PM
‎06-07-2021 04:39 PM

Thanks for tagging me. I have passed this along and will follow up with you all soon. 




ISC2 Community Manager
Reply
James_Waithe
Newcomer I
‎06-07-2021 04:57 PM
‎06-07-2021 04:57 PM

Thank you
Reply
0 Kudos
wills004
Viewer II
‎07-20-2021 04:07 AM
‎07-20-2021 04:07 AM

@CraginS 

 

James, Craig, and everyone else,

 

Egg on face. This was in fact a mistake I made in the 2nd edition Study Guide, which got propagated over into the 5th Edition CBK. I thank you, James, for bringing this to the community (which did bring it to me), so that we can get this error fixed before it propagates further.

 

It clearly should say in step 2 that Carol encrypts only the hash of the message to produce the signature; then Bob in step 4 decrypts it.

 

Sorry for the confusion,

 

Mike

 

Reply
0 Kudos