
I'm evaluating the TurboPower LockBox library for digital signing. I've created a 1024-bit RSA key and tried to sign 260 bytes of text with it. After changing one or two characters in the text, the signature is still valid for it. Is that OK? Or maybe it's a problem with this library. Changing even one character should have a crucial effect. Do I need to create a larger key?

UPDATE

To test the library I used the demo application that comes with it. I generated a 1024-bit RSA key pair and then tried the digital signing functions. First I tried with a real 260 bit text file and found out that I could change some characters in it and the signature was still valid. Then I narrowed it down a bit to the following string:

AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA 8

And it still works when I change the '8' character. I could probably narrow it down even more.

The code that performs the validation is:

Signatory1: TSignatory;    { LockBox 3 sign/verify component, configured on the form }
....

var
  DocumentStream, SignatureStream: TStream;
  Res: TVerifyResult;      { LockBox 3 result type: vPass / vFail / vUserAbort }
....

{ Feed the document and its detached signature file to the verifier. }
DocumentStream := TFileStream.Create(edtRSADocumentFile.Text, fmOpenRead);
try
  SignatureStream := TFileStream.Create(edtRSASignatureFile.Text, fmOpenRead);
  try
    Res := Signatory1.Verify(DocumentStream, SignatureStream);
  finally
    SignatureStream.Free;
  end;
finally
  DocumentStream.Free;
end;
LachlanG
Max
  • Which version of LockBox are you using? The "3.0" is a one-man rewrite; it looks like it doesn't use much of the original code and its quality is yet to be assessed. Or are you using 2.07 (the last released by TurboPower)? –  Nov 19 '10 at 22:25
  • I'm using the latest (22-Oct-2010) version 3.1.0.0. – Max Nov 19 '10 at 22:38
  • @ldsandon. I have now tried the old 2003 version and it worked fine. So it seems that there's a bug in the new one. Could you post your answer so I can accept it? – Max Nov 20 '10 at 13:47
  • Thanks for bringing this bug to my attention. The bug has been fixed in LB 3.1.1 . Signature and verification should work correctly now in Lockbox 3.1.1. – Sean B. Durkin Nov 26 '10 at 01:01
  • What is used in LockBox3 for sign and verify? RSA-1024 with SHA-1? – Tracer Jun 20 '19 at 09:54

2 Answers


First, I wouldn't assume anything is wrong with the library, as it's been used for years. You shouldn't be able to change the inputs, use the same signature to validate them, and have it work. Key size wouldn't play a part.

To get real answers, I'd expand your question: what version of Delphi? Can you show some code?

Darian Miller
  • I'm using Delphi 2010. The code is a demo application which comes with the library. – Max Nov 19 '10 at 19:27
  • "*First, I wouldn't assume anything wrong with the library as it's been used for years*" -- So was OpenSSL. – JensG Mar 22 '16 at 11:48

LockBox 3 has a bug in the implementation of the digital signature component. LockBox 2.07 can correctly sign and verify signatures, but loading/saving keys doesn't work in Delphi 2010.

Max
  • Bug now fixed. By the way, LockBox has a support forum where you can post about any bug you find. Support is active, so any problems should be quickly resolved. – Sean B. Durkin Nov 26 '10 at 01:02
  • Thanks. I've already changed Lockbox 2.07 so it works for me, but I'll try the new Lockbox 3 build. – Max Nov 26 '10 at 11:43