问题
My ques is -- Is it possible to digitally sign a hash value of a file directly instead of file.
I have to digitally sign a xml file in web environment through e-token. So I have to download the file from server to client and then get certificate from e-token usb at client machine and sign the file and upload it on server.
But the problem is, if size of the file is too huge, then it will take too much time to download at client side (depend upon internet speed) and some leakage in the security of the file too.
So instead of sending file to client machine, send only file hash value (internally hash value of files are signed not files as general flow of digitally signature process).
Or is there any other alternatives solution ?
回答1:
@Eugene brings up some valid points about the details of securely passing the hash.
Since you have an eToken, you could use it to establish a 2-way SSL session between the client and server. This session could be used to transfer the hash to the client, and the resulting signature back to the server.
For signing a hash on the client side in Java, you could use a Signature algorithm like NONEwithRSA instead of one like SHA256withRSA.
"NONE" specifies that the raw data (in this case the hash) will be signed and not hashed again by the algorithm.
回答2:
Well, it is of course possible to pass the hash to the client and sign it there, but the devil is in details -- in case of such distributed signing you need to design a really secure way to pass the hash and the signature and to sign it securely on the client side. Also you need to have the code on the server that will let you calculate the hash, pass it to the client and then embed the signature to the signing format of your choice.
Our company has developed a Distributed Cryptography add-on to our SecureBlackbox product that addresses all of the above problems. For details you are welcome to check this answer on StackOverflow.
来源:https://stackoverflow.com/questions/18712537/digitally-sign-a-hash-value-of-a-file-directly-instead-of-file