1

I was reading this article, there are two byte array, one for signed data and one for the original data.

 byte[] originalData = ByteConverter.GetBytes(dataString);
 byte[] signedData;

We sign the data, this part is ok but I can not understand to verification why should we use original data?

// Hash and sign the data.
   signedData = HashAndSignBytes(originalData, Key);

// Verify the data and display the result to the
// console.
   VerifySignedHash(originalData, signedData, Key);

As an example we sign a data in the server and send it to the client, Clients want to find I sent that data or not, why should I send original data until the client can verifying it?

There is some post who did it in the same way:

motevalizadeh
  • 5,244
  • 14
  • 61
  • 108
  • 1
    The signature doesn't include the original data. It's based on only the hash of the data. To verify you need to re-compute the hash. – Jeremy Lakeman Aug 26 '20 at 07:06
  • Think about it like actual signatures. You wouldn't expect someone to just pass you a piece of paper with a signature on it, you to verify it, and then them hand you a document that they purport relates to that signature. – Damien_The_Unbeliever Aug 26 '20 at 07:07
  • @JeremyLakeman,Oh you mean we used the original data to get the signature, ha? Am I right? – motevalizadeh Aug 26 '20 at 11:41
  • 1
    @motevalizadeh They used `smallArray` by copying 7 bytes starting at the 5th index of `originalData`, this data is the actual "original data" that has been both signed in `HashAndSignBytes` and later on verified in `VerifySignedHash`. – Aviv Yaniv Aug 26 '20 at 11:41

2 Answers2

1

When passing the signedData the other part doesn't know what the originalData is, just by that.
To verify, you need both the signedData and the [ originalData and public-key ].

The VerifySignedHash function in the code mentioned above, calls to RSACryptoServiceProvider.VerifyData.


From the docs:

Verifies that a digital signature is valid by determining the hash value in the signature using the provided public key and comparing it to the hash value of the provided data.

Aviv Yaniv
  • 6,188
  • 3
  • 7
  • 22
1

A cryptographic hash function hash(x) has certain desirable properties:

  1. One-way: hash(x) gives you y. Given x, it is easy to compute y. But the reverse, given y, finding x may be very difficult or impossible.
  2. Collisions: Since the size (in bits) of the input is much larger than the hash size (eg: we can compute SHA-256 of Gigabytes of data), multiple inputs can theoretically produce the same hash. Although this is theoretically the case, hash algorithms are designed to keep collisions to a minimum in practical settings.
  3. Unpredictability: A small change in the input causes completely different hashes to be generated. This helps in detecting data tampering (eg: changing a payment from $100.00 to $10000)

These are some of the properties that make hashes suitable for cryptographic signatures and verification of those signatures.

why should we use original data for verification (paraphrased)

Sending the original data allows the recipient to recompute the hash independently and compare the hash signature value sent by the sender to ensure that the data received is the same as what the sender sent.

vvg
  • 1,010
  • 7
  • 25