Digital Signature Algorithm (DSA and ECDSA)
DSA and ECDSA are U.S. federal standards for digital signatures, specified in FIPS PUB 186-4.
Their security relies on the discrete logarithm problem in a prime finite field (the original DSA, now deprecated) or in an elliptic curve field (ECDSA, faster and with smaller keys, to be used in new applications).
A sender can use a private key (loaded from a file) to sign a message:
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import ECC
>>> from Crypto.Signature import DSS
>>>
>>> message = b'I give my permission to order #4355'
>>> key = ECC.import_key(open('privkey.der', 'rb').read())  # DER is binary: open in 'rb' mode
>>> h = SHA256.new(message)
>>> signer = DSS.new(key, 'fips-186-3')
>>> signature = signer.sign(h)
The receiver can use the matching public key to verify authenticity of the received message:
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import ECC
>>> from Crypto.Signature import DSS
>>>
>>> key = ECC.import_key(open('pubkey.der', 'rb').read())  # DER is binary: open in 'rb' mode
>>> h = SHA256.new(received_message)
>>> verifier = DSS.new(key, 'fips-186-3')
>>> try:
...     verifier.verify(h, signature)
...     print("The message is authentic.")
... except ValueError:
...     print("The message is not authentic.")
- class Crypto.Signature.DSS.DssSigScheme(key, encoding, order)
  A (EC)DSA signature object. Do not instantiate directly. Use Crypto.Signature.DSS.new().
  - can_sign()
    Return True if this signature object can be used for signing messages.
  - sign(msg_hash)
    Compute the DSA/ECDSA signature of a message.
    - Parameters:
      msg_hash (hash object) – The hash that was carried out over the message. The object belongs to the Crypto.Hash package. Under mode 'fips-186-3', the hash must be a FIPS approved secure hash (SHA-2 or SHA-3).
    - Returns:
      The signature as bytes
    - Raises:
      ValueError – if the hash algorithm is incompatible with the (EC)DSA key
      TypeError – if the (EC)DSA key has no private half
  - verify(msg_hash, signature)
    Check if a certain (EC)DSA signature is authentic.
    - Parameters:
      msg_hash (hash object) – The hash that was carried out over the message. This is an object belonging to the Crypto.Hash module. Under mode 'fips-186-3', the hash must be a FIPS approved secure hash (SHA-2 or SHA-3).
      signature (bytes) – The signature that needs to be validated.
    - Raises:
      ValueError – if the signature is not authentic
- Crypto.Signature.DSS.new(key, mode, encoding='binary', randfunc=None)
  Create a signature object DssSigScheme that can perform (EC)DSA signature or verification.
  Note: Refer to NIST SP 800 Part 1 Rev 4 (or newer release) for an overview of the recommended key lengths.
  - Parameters:
    key (Crypto.PublicKey.DSA or Crypto.PublicKey.ECC) – The key to use for computing the signature (private keys only) or for verifying one. For DSA keys, let L and N be the bit lengths of the modulus p and of q: the pair (L,N) must appear in the following list, in compliance with section 4.2 of FIPS 186-4:
      - (1024, 160) legacy only; do not create new signatures with this
      - (2048, 224) deprecated; do not create new signatures with this
      - (2048, 256)
      - (3072, 256)
      For ECC, only keys over P-224, P-256, P-384, and P-521 are accepted.
    mode (string) – The parameter can take these values:
      - 'fips-186-3'. The signature generation is randomized and carried out according to FIPS 186-3: the nonce k is taken from the RNG.
      - 'deterministic-rfc6979'. The signature generation is not randomized. See RFC6979.
    encoding (string) – How the signature is encoded. This value determines the output of sign() and the input to verify(). The following values are accepted:
      - 'binary' (default), the signature is the raw concatenation of r and s. It is defined in the IEEE P.1363 standard. For DSA, the size in bytes of the signature is N/4 bytes (e.g. 64 for N=256). For ECDSA, the signature is always twice the length of a point coordinate (e.g. 64 bytes for P-256).
      - 'der', the signature is an ASN.1 DER SEQUENCE with two INTEGERs (r and s). It is defined in RFC3279. The size of the signature is variable.
    randfunc (callable) – A function that returns random bytes, of a given length. If omitted, the internal RNG is used. Only applicable for the 'fips-186-3' mode.
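
The two encoding values above pack the same r and s differently, so a signature produced under one cannot be fed to a verifier created with the other. The following is an added example, not part of the PyCryptodome documentation or code base: it converts between the two layouts with the standard library only and rejects non-canonical DER. The function names and the sample bytes are constructed for illustration.

```python
# Added example: 'binary' (r || s) <-> 'der' conversion. All names are hypothetical.
def _der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise minimal long form."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw

def _der_int(value: int) -> bytes:
    """Minimal DER INTEGER; the spare bit keeps the value non-negative."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(data: bytes, tag: int):
    """Return (value, rest) for one TLV, rejecting non-DER lengths."""
    if len(data) < 2 or data[0] != tag:
        raise ValueError("unexpected tag")
    length, pos = data[1], 2
    if length & 0x80:
        pos = 2 + (length & 0x7F)
        length = int.from_bytes(data[2:pos], "big")
        if pos == 2 or len(data) < pos or length < 0x80 or data[2] == 0:
            raise ValueError("non-minimal or truncated length")
    if len(data) < pos + length:
        raise ValueError("truncated value")
    return data[pos:pos + length], data[pos + length:]

def raw_to_der(sig: bytes) -> bytes:
    """'binary' signature (two equal halves) -> DER SEQUENCE { r, s }."""
    half = len(sig) // 2
    if half == 0 or len(sig) % 2:
        raise ValueError("raw signature must be two equal-length halves")
    body = b"".join(_der_int(int.from_bytes(p, "big")) for p in (sig[:half], sig[half:]))
    return b"\x30" + _der_len(len(body)) + body

def der_to_raw(der: bytes, coord_len: int) -> bytes:
    """DER SEQUENCE { r, s } -> fixed-width r || s, coord_len bytes each."""
    body, rest = _read_tlv(der, 0x30)
    r_bytes, body = _read_tlv(body, 0x02)
    s_bytes, tail = _read_tlv(body, 0x02)
    if rest or tail:
        raise ValueError("trailing data")
    out = b""
    for b in (r_bytes, s_bytes):
        minimal = len(b) == 1 or (len(b) > 1 and (b[0] != 0 or b[1] & 0x80))
        if not minimal or b[0] & 0x80 or len(b.lstrip(b"\x00")) > coord_len:
            raise ValueError("INTEGER negative, non-minimal or too large")
        out += int.from_bytes(b, "big").to_bytes(coord_len, "big")
    return out
# Constructed sample (not a real signature): r has its top bit set, s is small.
SAMPLE_RAW = b"\x80" + bytes(30) + b"\x01" + bytes(31) + b"\x7f"
```

For ECDSA, coord_len is the length of a point coordinate (32 for P-256, 66 for P-521); the converted value must be passed to a verifier created with the matching encoding.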