0
votes

Here is a code example:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <ds:Reference URI="">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <ds:DigestValue>...</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>...</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:KeyName>...</ds:KeyName>
  </ds:KeyInfo>
</ds:Signature>

There is a SignatureMethod Algorithm (http://www.w3.org/2000/09/xmldsig#rsa-sha256) and a DigestMethod Algorithm (http://www.w3.org/2000/09/xmldsig-more#rsa-sha256).

As far as I am correctly informed, SignatureMethod Algorithm means that the content of the XML is first hashed (by SHA256) and then signed by RSA.

Now I read an article about increasing security Level by changing to SHA512.

What would be the main effect on my code? Would it be slower? And what are the main arguments for definitely changing to SHA512? Thank you.

1 Answer

0
votes

SHA-256 is already providing you with 128 bits of security when it comes to collision resistance. So there isn't all that much need to upgrade; cracking 128 bits of security is not thought possible. The SHA-3 competition has shown us that - besides length extension attacks - SHA-2 is still pretty secure. SHA-512 upgrades your security to 256 bits, so if that's your target then it makes sense to use it.

Quantum computers could in the end halve that 128 bit security to 64 bits of security using Grover's algorithm. That's currently however not feasible at all, and as such a quantum computer could very likely also attack RSA, so upgrading for that reason doesn't seem all that useful.

SHA-512 is often faster on modern computers than SHA-256. That sounds strange, but SHA-512 uses 64 bit operations internally while SHA-256 uses 32 bit. As CPUs are more geared towards 64 bit operation on the desktop, you could speed up the processing time and be more secure. Expect a performance hit when switching to 32 bit processing or - worse - 8 or 16 bit embedded CPUs though.

There is also SHA-2 512/256 which is the same as SHA-512 but for the output size (and a few constants). It is however not as prevalent as SHA-256 which doesn't make it a good option in most situations.

The signed data is usually much larger than the SignedInfo, processed by the signature generation algorithm. So changing the DigestMethod makes most sense.

Finally, note that you need about a 16KiB RSA key to be able to hit 256 bits of security. So if you want to upgrade everything to 256 bit security levels you may want to switch to ECDSA with a 512 or 521 bit named curve.
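An added example (not from the question or the answer) that makes the "change the DigestMethod" point concrete: it shows which bytes each method actually hashes and times SHA-256 against SHA-512 on constructed data. The SHA-512 algorithm URIs are the standard RFC 4051 / xmlenc identifiers, assumed here; the SignedInfo is a simplified canonical form, and the Transforms step is assumed to have been applied already.

```python
import base64
import hashlib
import time

# XML Signature algorithm identifiers (RFC 4051 / xmlenc), assumed here;
# verify them against the signing library you actually use.
DIGEST_URIS = {
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}
SIGNATURE_URIS = {
    "sha256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "sha512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}

def digest_value(data: bytes, hash_name: str) -> str:
    """Base64 text that goes into <ds:DigestValue> for one Reference."""
    return base64.b64encode(hashlib.new(hash_name, data).digest()).decode()

def build_signed_info(data: bytes, digest_hash: str, sig_hash: str) -> bytes:
    """Simplified SignedInfo in canonical form (exclusive C14N writes empty
    elements as start/end pairs). `data` is assumed already transformed."""
    return (
        '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
        '</ds:CanonicalizationMethod>'
        f'<ds:SignatureMethod Algorithm="{SIGNATURE_URIS[sig_hash]}"></ds:SignatureMethod>'
        f'<ds:Reference URI=""><ds:DigestMethod Algorithm="{DIGEST_URIS[digest_hash]}">'
        f'</ds:DigestMethod><ds:DigestValue>{digest_value(data, digest_hash)}'
        '</ds:DigestValue></ds:Reference></ds:SignedInfo>'
    ).encode()

def hash_inputs(data: bytes, digest_hash: str = "sha256", sig_hash: str = "sha256") -> dict:
    """Bytes hashed by each method: DigestMethod runs over the whole document,
    SignatureMethod (RSA-SHA*) only ever hashes the small SignedInfo."""
    signed_info = build_signed_info(data, digest_hash, sig_hash)
    return {"digest_method_bytes": len(data), "signature_method_bytes": len(signed_info)}

def throughput_seconds(size: int = 8 * 1024 * 1024) -> dict:
    """Time SHA-256 vs SHA-512 over `size` constructed bytes (the answer's
    claim is that SHA-512 is often faster on 64 bit desktop CPUs)."""
    blob = b"\x5a" * size  # constructed sample payload
    out = {}
    for name in ("sha256", "sha512"):
        t0 = time.perf_counter()
        hashlib.new(name, blob).digest()
        out[name] = time.perf_counter() - t0
    return out

if __name__ == "__main__":
    doc = b"<Envelope>" + b"<Item>payload</Item>" * 5000 + b"</Envelope>"  # constructed
    print(hash_inputs(doc, "sha512", "sha256"))
    print(throughput_seconds())
```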