OpenSSLrsautl -verify fails to calculate S**e mod n

Thu, 16 Dec 2004 14:29:04 -0800 

I have a valid EMVCo encrypted signature: 128 byte integer  S :

52C19A20E234F69C39A9259FFF365A66059DF60BD64FEFA09C220C88B584DD3141C234818504
C03D01A79DDFD8EB547A37791C41892C881CC8D5FD924FBD795B10D553E2F57689F6E9434DE7
F5B93B4B25408C00D7A7C4C6110B1821B6DDA2B825D52B762DF76A70694EA212F9FD24915609
DAA7DB7F6B50002BBFF0BFF5F59F

(attached in signature.bin, raw format)

I have 128 byte integer, EMVCO public key modulus  n

E3BFA04FB29DE84F614B4F4482BE5586F0DA8366DF492E25FA820B519CA020DB41B1DD360243
A26203B19FE6BAD7BAFCE6D6EABF91D22C94CC9BA591F4E1C45851035F1648504C4DB32954DC
3719791201C80D59C23284F1EF9A916E2CF000B3A97ABE2194E85598BE02E05A8A8D98DAD01A
D1D6F464F4E7543A47B4F1B87F49

and I know that the exponent is 3

I created  sertificate public.der (attached) from this modulus and exponent.

I need to decrypt signature using recovery function as specified in
EMV '96 Integrated Circuit Card Specification for Payment Systems
(www.emvco.com/documents/specification/view/EMVCARD.pdf ) Annex F2.1.1.3 :

 S**e mod n

With great help of Dr. Stephen Henson and other gurus  (BIG THANKS!) in this
mailing
list I tried to use the following command to decrypt the signature:

openssl rsautl -verify -in signature.bin -inkey public.der -pubin
  -keyform DER -out signout.bin -raw

According the Annex E2.1.3 CASE 2 of the book above recovered signature must
have format:

prefix 6A
header data 01 00 ..
modulus top bytes E3 BF ...
Whole message SHA-1 hash  D0 2B ...
suffix BC

The expected result should be:

6A

01000000020000583331313232303530000058010000000000000001018001

E3BFA04FB29DE8
4F614B4F4482BE5586F0DA8366DF492E25FA820B519CA020DB41B1DD360243A26203B19FE6BA
D7BAFCE6D6EABF91D22C94CC9BA591F4E1C45851035F1648504C4DB32954

D02B50A98822EE1073FB156C024E0E5460438357

BC


Unfortunatey, the recovered signout.bin file has different contants,
starting with BF and ending with 9A

BF
31 23 47 46 9C C0 22 76 32 D3 54 C2 80 C8 CF
97 AF 94 C8 08 3A C1 CF 70 6B A0 0A 43 FB 24 D1
3A 03 90 FE A0 E5 38 32 3B 69 DB 33 21 3F 86 79
DB 1F 84 38 74 2A C6 7F D5 BC 8E 7F 19 4A 45 66
48 41 59 E3 19 D6 1F 5A  92 6C 81 97 50 40 B7 2D
BE 9A B7 03 99 F5 CD 89 63 2C BD 4C A7 BB C9 66
F9 DE 7A FE 6A 1C 1A 0B 7F CC 23

F0348AEC4E7C821671BF766BAA7754FBF5AED58B

9A

BF and 9A are somewhat similar to expected 6A and BC

Any idea why the signature decryption fails ?

Andrus

Attachment: signature.bin
Description: Binary data

Attachment: public.der
Description: application/pkix-cert

Reply via email to