Is it possible to find out the key size of the signer if we only have the signature
Michael StJohns
mstjohns at comcast.net
Thu Jan 12 18:53:39 UTC 2017
On 1/12/2017 1:50 PM, Michael StJohns wrote:
> On 1/12/2017 3:03 AM, Weijun Wang wrote:
>> I am writing a tool to warn about weak key usage in a certificate or
>> CRL. One of the warnings is if it's signed by a cert with a small key
>> size.
>>
>> But the signer's cert is not always available. I can see that the
>> signature's size depends on the signer's key size. Is there a
>> reliable way to calculate this key size? The only existing knowledge
>> is the signature bytes and the signature algorithm.
>>
>> Thanks
>> Max
>
>
> If it's an RSA key then signature length == key length.
>
>
> If it's an EC key then a good approximation is (signature size in
> bytes - 7)/2 * 8. The EC signature is encoded as an ASN1 sequence of
> two INTEGERS. The ASN1 encoding overhead is about 3 bytes for the
> sequence and 2 for each of the integers. If you want an absolute
> floor on the key size, find the body of each of the integers (the
> octets that make up the value field) and normalize them (remove
> leading zeros). Take the maximum of the two lengths. That's the
> floor of the key size. Once in about 65K signatures that floor is
> going to be less than the actual key size.
>
Oh yeah -
Reduce the signature strength to a minimum of the bits provided by the
hash function. So if you've got a SHA256withECDSA but a signature by a
P384 key, the strength of the signature is only 256 bits.
Mike
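As an added example (not part of the thread, and not the OpenJDK tool Max describes), here are the rules from Mike's reply carried out in Python: RSA key size from the signature length, the EC floor from the DER-decoded r and s after leading zeros are dropped, the (size - 7)/2 * 8 approximation, and the cap at the hash output size. Function names, the Java-style algorithm-name parsing, and the sample signatures are my own; the sample values are constructed integers, not signatures produced by any key. Two details are my choices rather than the reply's wording: the floor takes the bit length of the larger integer instead of its byte length, which is an exact lower bound (r and s are both below the group order) and avoids reading a 66-byte P-521 value as 528 bits; and the hash cap is applied in raw bits exactly as the reply frames it, so the result is a key-size figure, not a NIST security-strength equivalent.

```python
# Added example: estimate a signer's key size from a bare signature plus
# its algorithm name, following the rules in the reply above.
import re

# Hash output sizes in bits, used to cap the reported strength.
HASH_BITS = {"SHA1": 160, "SHA224": 224, "SHA256": 256, "SHA384": 384, "SHA512": 512}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: 0x8N followed by N length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _der_uint(value):
    """Value octets of a DER INTEGER -> non-negative int (leading 0x00 pads vanish)."""
    if not value or value[0] & 0x80:
        raise ValueError("INTEGER is empty or negative")
    return int.from_bytes(value, "big")


def ecdsa_sig_integers(sig):
    """Decode SEQUENCE { INTEGER r, INTEGER s } and return (r, s)."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30 or end != len(sig):
        raise ValueError("signature is not a single DER SEQUENCE")
    tag_r, r, pos = _read_tlv(body, 0)
    tag_s, s, pos = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(body):
        raise ValueError("expected exactly two DER INTEGERs")
    return _der_uint(r), _der_uint(s)


def ecdsa_key_bits_floor(sig):
    """Lower bound on the curve size: the larger of r and s cannot exceed the order."""
    r, s = ecdsa_sig_integers(sig)
    return max(r.bit_length(), s.bit_length())


def ecdsa_key_bits_approx(sig):
    """The rough (size - 7)/2 * 8 estimate from the reply, in integer arithmetic."""
    return (len(sig) - 7) // 2 * 8


def rsa_key_bits(sig):
    """An RSA signature is one modulus-sized integer, so its length is the key length."""
    return len(sig) * 8


def signature_info(sig, algorithm):
    """Key type, key-size figure and hash-capped strength for a name like 'SHA256withECDSA'."""
    m = re.fullmatch(r"(SHA-?\d+)with(ECDSA|RSA)", algorithm, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported algorithm name: " + algorithm)
    hash_name = m.group(1).upper().replace("-", "")
    if hash_name not in HASH_BITS:
        raise ValueError("unknown hash: " + hash_name)
    key_type = m.group(2).upper()
    key_bits = rsa_key_bits(sig) if key_type == "RSA" else ecdsa_key_bits_floor(sig)
    hash_bits = HASH_BITS[hash_name]
    return {"key_type": key_type, "key_bits": key_bits,
            "hash_bits": hash_bits, "strength_bits": min(key_bits, hash_bits)}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    nb = (n.bit_length() + 7) // 8
    return bytes([0x80 | nb]) + n.to_bytes(nb, "big")


def der_ecdsa(r, s):
    """DER-encode (r, s); only used here to build the constructed sample signatures."""
    def integer(x):
        v = x.to_bytes((x.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad when the top bit is set
        return b"\x02" + _der_len(len(v)) + v
    body = integer(r) + integer(s)
    return b"\x30" + _der_len(len(body)) + body


# Constructed samples (arbitrary integers of the right size, not real signatures).
P256_SIG = der_ecdsa(2**255 + 12345, 2**254 + 7)   # r carries a 0x00 pad byte -> 71 bytes total
P256_LOW_SIG = der_ecdsa(2**247 + 1, 2**240 + 5)   # the rare case: both values start with a zero byte
P521_SIG = der_ecdsa(2**520 + 3, 2**519 + 9)       # long-form SEQUENCE length (0x81 0x88)
RSA2048_SIG = bytes([0x5A]) * 256                  # 256 octets -> 2048-bit modulus

if __name__ == "__main__":
    for name, sig, alg in [("P-256", P256_SIG, "SHA256withECDSA"),
                           ("P-256 low", P256_LOW_SIG, "SHA256withECDSA"),
                           ("P-521", P521_SIG, "SHA256withECDSA"),
                           ("RSA", RSA2048_SIG, "SHA256withRSA")]:
        print(name, len(sig), "bytes", signature_info(sig, alg))
```

The P256_LOW_SIG sample is the roughly one-in-65K case the reply mentions: both r and s happen to start with a zero octet, so the floor reports 248 for what would be a 256-bit key, and the approximation drifts too. The P521_SIG sample is there because P-521 signatures are the one common case where the outer SEQUENCE needs a long-form length octet.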