James_Waithe
Newcomer I

Did the digital signature process change? Conflicting information on SSCP CBK editions.

Hi All

 

Did the digital signature creation process officially change? 

In the older versions, and in my logical way of thinking, it says that the message digest is "encrypted" with my private key.  In the new fifth edition, it says the message digest is "decrypted" to CREATE the signature.  

 

Is this an error or an official change in procedures?

The Official (ISC)2 SSCP CBK Reference, Fifth Edition  By: Mike Wills

  1. Carol produces a strong hash of the message content. This is known as the secure message digest.
  2. Carol “decrypts” that hash value, using the trapdoor function and her private key. This new value is her digital signature.
  3. Carol sends the message and her digital signature to Bob.
  4. Bob “encrypts” Carol’s digital signature, using the same trapdoor algorithm and Carol’s public signature, to produce the signed hash value.
  5. Bob uses the same hash function to produce a comparison hash of the message he received (not including the signature). If this matches the value he computed in step 4, he has proven that Carol (who is the only one who knows her private key) is the only one who could have sent that message.

 

The Official (ISC)2® Guide to the SSCP® CBK  Fourth Edition  2016

Digital signatures provide authentication of a sender and integrity of a sender’s

message. A message is input into a hash function. Then the hash value is

encrypted using the private key of the sender. The result of these two steps yields

a digital signature. The receiver can verify the digital signature by decrypting the

hash value using the signer’s public key, then perform the same hash computation

over the message, and then compare the hash values for an exact match. If the

hash values are the same, then the signature is valid.

 

Even on CISSP CBK Reference Fifth Edition 2019

: "This hash value is then encrypted using the message author's private key to produce a digital signature. The digital signature is transmitted as an appendix to the message."

 

So what is going on?? 

I have tried to find an update on FIPS 186-4, but cannot see any place where it standardises these steps.

7 Replies
Budoka
Contributor II

Curious to see the response to this. I suspect it is a mistake but anything but low altitude on cryptography is out of my area of expertise. LOL
dcontesti
Community Champion

I have to admit that Crypto was not and is not my first love.

 

Trapdoors are widely used in Crypto.  The trapdoor function is easy to compute in one direction, but very difficult in the opposite direction without special information. 

 

I don't have current copies of the Official Guides to the SSCP or CISSP, but I would hope that there was some additional information associated with that passage allowing the reader to fully understand trapdoors in crypto. I believe that FIPS refers to these processes as generation and verification.

 

@AndreaMoore This one needs to go to the folks in Education. Seems the two publications offer slightly different language.

 

My nickel on an early Saturday morning.

 

d

 

CraginS
Defender I

 
@James_Waithe wrote:

Hi All

 

Did the digital signature creation process officially change? 

In the older versions, and in my logical way of thinking, it says that the message digest is "encrypted" with my private key.  In the new fifth edition, it says the message digest is "decrypted" to CREATE the signature.  

 

...

So what is going on?? 

 

It is quite obvious that the editors of the 5th edition messed up and swapped the words decrypt and encrypt. The 4th edition for SSCP and the CISSP reference have it right.

No need to ponder deeply; just mark your book to correct the two errors.

As for @amandavanceISC2 getting involved, yes Please. There should be an errata list available on the (ISC)2 site which includes this correction.

(While I am not a crypto expert at the math level, working deeply in PKI from 1998-2002 was core to my transformation from IT to infosec. )

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
James_Waithe
Newcomer I

Thank you @CraginS and I hope @amandavanceISC2 can point this discussion to the responsible parties. 

 

My concern is that this "new" concept is in two different places; it's also proposed in this study guide:

 

(ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, Second Edition

By: Mike Wills

 

Question 17 of the self assessment.  I chose A, the book proposes C.

 

17. Which statement best describes how digital signatures work?

    A. The sender hashes the message or file to produce a message digest and applies the chosen encryption algorithm and their private key to it. This is the signature. The recipient uses the sender's public key and applies the corresponding decryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
    B. The sender hashes the message or file to produce a message digest and applies the chosen decryption algorithm and their public key to it. This is the signature. The recipient uses the sender's private key and applies the corresponding encryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
    C. The sender hashes the message or file to produce a message digest and applies the chosen decryption algorithm and their private key to it. This is the signature. The recipient uses the sender's public key and applies the corresponding encryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
    D. The sender encrypts the message or file with their private key and hashes the encrypted file to produce the signed message digest. This is the signature. The recipient uses the sender's public key and applies the corresponding decryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.

Answer:

C: The incorrect answers show misapplication of the steps of the process. Option A has reversed who encrypts and who decrypts. Option B confuses the use of the sender's public and private key, and if the recipient knows the sender's private key it must no longer be private. Option D won't work, because decrypting the unencrypted hash won't produce anything that is useful.

AndreaMoore
Community Manager

Thanks for tagging me. I have passed this along and will follow up with you all soon. 

ISC2 Community Manager
James_Waithe
Newcomer I

Thank you
wills004
Viewer II

@CraginS 

 

James, Craig, and everyone else,

 

Egg on face. This was in fact a mistake I made in the 2nd edition Study Guide, which got propagated over into the 5th Edition CBK. I thank you, James, for bringing this to the community (which did bring it to me), so that we can get this error fixed before it propagates further.

 

It clearly should say in step 2 that Carol encrypts only the hash of the message to produce the signature; then Bob in step 4 decrypts it.

 

Sorry for the confusion,

 

Mike