惊！外国人对bj签名算法的研究成果

hackwaly · 发表于 2007-1-17 12:47:42

WEAK DIGITAL SIGNATURE
The weak digital signature is a digital signature using Microsoft CryptoAPI. It is an implimentation of the RSASSA-PKCS1-v1_5
digital signature protocol, using the MD5 hashing algorithm and a 512-bit (weak) RSA key (for more information about this
protocol, see the RSA Labs PKCS1 specification). The public key and exponent are stored in a resource in Storm. The signature
is stored uncompressed, unencrypted in the file "(signature)" in the archive. The archive is hashed from the beginning of the
archive (ArchiveOffset in the containing file) to the end of the archive (the length indicated by ArchiveSize); the signature
file is added to the archive before signing, and the space occupied by the file is considered to be all binary 0s during
signing/verification. This file is structured as follows:

00h: int32 Unknown : Must be 0.
04h: int32 Unknown : must be 0.
08h: int512 Signature : The digital signature. Like all other numbers in the MoPaQ format, this is stored in little-endian order.

STRONG DIGITAL SIGNATURE
The strong digital signature uses a simple proprietary implementation of RSA signing, using the SHA-1 hashing algorithm and
a 2048-bit (strong) RSA key. The default public key and exponent are stored in Storm, but other keys may be used as well.
The strong digital signature is stored immediately after the archive, in the containing file; the entire archive (ArchiveSize
bytes, starting at ArchiveOffset in the containing file) is hashed as a single block. The signature has the following format:

00h: char(4) Magic : Indicates the presence of a digital signature. Must be "NGIS" ("SIGN" backwards).
04h: int2048 Signature : The digital signature, stored in little-endian format.

When the Signature field is decrypted with the public key and exponent, and the result stored in little-endian order, it is structured as follows:

00h: byte Padding : Must be 0Bh.
01h: byte(235) Padding : Must be BBh.
ECh: byte(20) SHA-1 : SHA-1 hash of the archive, in standard SHA-1 format.

我使用软件做了蹩足的翻译

意思说MPQ的数字签名有两个签名，一个是比较弱的数字签名，还有一个强壮的数字签名。
弱数字签名：
使用微软的CryptoAPI，它通过RSASSA-PKCS1-v1_5来实现。
数字签名协议，使用MD5散列算法和一个512位（弱在这里）的RSA密钥（有关此方面的信息参见RSA Labs PKCS1 specification），公钥和它的解释被放在Strom的资源中。数字签名不被压缩地使用 "(signature)"作为文件名放到MPQ包，它对MPQ包的从MPQ包开始位置到结束位置的所有数据进行签名。最后签名文件放到MPQ的header前面。所以它在文件中占据的存储空间会被过滤掉。
签名数据的组织结构：
00h:  int32 Unknown : Must  be 0.
04h:  int32 Unknown : must  be 0.
08h:  int512 Signature :  little-endian逆字节序的存放格式.
强数字签名：
强数字签名使用RSA算法来做简单的加密。它使用SHA-1散列算法和1个2048位（强在这里）的RSA密钥。默认的公钥和它的解释被放在Strom的资源中，但是其他的公钥似乎也能很好的被使用（译者注：说明作者很可能亲自试验过）。
强数字签名被附加到MPQ文件的末尾，使用'NGIS'作为标志。因为是使用逆字节序所以它们原本是'SIGN'，整个MPQ包（从MPQheader开头）使用一个确定的block密钥来散列。
签名数据的组织结构：
00h:  byte Padding : Must be 0Bh.
01h:  byte(235) Padding : Must be BBh.
ECh:  byte(20) SHA-1 : 标准的SHA-1格式.

上面的翻译看不懂很正常因为我也不懂。
但是能够猜测出签名过程：
首先用散列算法（摘要算法）对需要签名的数据进行加密。得到数据摘要。
然后使用RSA签名算法对数据摘要加密成签名数据并附加到MPQ文件中。
整个签名和验证过程都不会使用到RSA密钥，仅需要公钥。

但是我搞不懂被签名的数据的范围（翻译中说的范围可能是错的）。

root / Public RSA Keys

root / Public RSA Keys / Blizzard Weak.pem
View revision:  Revision 73, 182 bytes (checked in by bahamut, 3 months ago)
- Known Blizzard public RSA keys in OpenSSL-compatible PEM format.
- signaturecheck can now be (is now) built using the Xcode project.

Line
1 -----BEGIN PUBLIC KEY-----
2 MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJJidwS/uILMBSO5DLGsBFknIXWWjQJe
3 2kfdfEk3G/j66w4KkhZ1V61Rt4zLaMVCYpDun7FLwRjkMDSepO1q2DcCAwEAAQ==
4 -----END PUBLIC KEY-----

root / Public RSA Keys / Warcraft 3 Map.pem
View revision:  Revision 73, 451 bytes (checked in by bahamut, 3 months ago)
- Known Blizzard public RSA keys in OpenSSL-compatible PEM format.
- signaturecheck can now be (is now) built using the Xcode project.

Line
1 -----BEGIN PUBLIC KEY-----
2 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1BwklUUQ3UvjizOBRoF5
3 yyOVc7KD+oGOQH5i6eUk1yfs0luCC70kNucNrfqhmviywVtahRse1JtXCPrx2bd3
4 iN8Dx91fbkxjYIOGTsjYoHKTp0BbaFkJih776fcHgnFSb+7mJcDuJVvJOXxEH6w0
5 1vo6VtujCqj1arqbyoal+xtAaczF3us5cOEp45sR1zAWTn1+7omN7VWV4QqJPaDS
6 gBSESc0l1grO0i1VUSumayk7yBKIkb+LBvcG6WnYZHCi7VdLmaxER5m8oZfER66b
7 heHoiSQIZf9PAY6Guw2DT5BTc54j/AaLQAKf2qcRSgQLVo5kQaddF3rCpsXoB/74
8 6QIDAQAB
9 -----END PUBLIC KEY-----

root / Public RSA Keys / Blizzard Strong.pem
View revision:  Revision 73, 451 bytes (checked in by bahamut, 3 months ago)
- Known Blizzard public RSA keys in OpenSSL-compatible PEM format.
- signaturecheck can now be (is now) built using the Xcode project.

Line
1 -----BEGIN PUBLIC KEY-----
2 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsQZ+ziT2h8h+J/iMQpgd
3 tH1HaJzOBE3agjU4yMPcrixaPOZoA4t8bwfey7qczfWywocYo3pleytFF+IuD4HD
4 Fl9OXN1SFyupSgMx1EGZlgbFAomnbq9MQJyMqQtMhRAjFgg4TndS7YNb+JMSAEKp
5 kXNqY28n/EVBHD5TsMuVCL579gIenbr61dI92DDEdy790IzIG0VKWLh/KOTcTJfm
6 Ds/7HQTkGouVW+WUsfekuqNQo7ND9DBnhLjLjptxeFE2AZqYcA1ao3S9LN3GL1tW
7 lVXFIX9c7fWqaVTQlZ2oNsI/ARVApOK3grNgqvwH6YoVYVXjNJEo5sQJsPsdV/hk
8 dwIDAQAB
9 -----END PUBLIC KEY-----

如果无法播放，请点击此处在新窗口打开

everguo · 发表于 2007-1-17 12:51:01

提示: 作者被禁止或删除内容自动屏蔽

hackwaly · 发表于 2007-1-17 12:52:40

我也是因为郁闷所以才出来郁闷别人

麦德三世 · 发表于 2007-1-17 12:53:36

2048位的密钥？~~

hackwaly · 发表于 2007-1-17 12:56:03

the key,not private key。因为key也只能翻译成密钥没办法拉

<font c · 发表于 2007-1-17 14:46:43

好吧...MD5和Sha-1还有些信心，RSA基本就米办法料...
虽然偶知道RSA滴原理，但搞不到密钥的话现有的计算机基本米办法破解...

hackwaly · 发表于 2007-1-17 14:54:36

魔兽这种签名应该不会用到密钥吧：验证可以使用公钥能验证，加密也能使用公钥加密。
有公钥就行，原文作者因该已经自己试验成功过。
RSA想破解也不难，不就是分解两个大素数的积嘛。

白银の式神 · 发表于 2007-1-17 15:05:49

把一个大数分解成2个素数不素想象中那么简单...
另外...RSA加密算法中必然会用到密钥，我们能做的，仅仅是利用公钥来证明那个数字签名素不素Blizzard的
想自己做出数字签名，办法只有搞到密钥，或者将大数分解
而搞密钥基本不现实，因为那素Blizzard私藏的
如果大数分解可行...怎么就不见微软的数字签名被破解呢...

hackwaly · 发表于 2007-1-17 15:47:06

把我也弄郁闷了
RSA密钥在bj签名中是用来还原那个数据呢？不会是那个block key吧，那个数据已经被作者指出素single的。

大数分解关键在于枚举素数。而素数在整数集中是越来越稀的（但基本上n为素数(n,2n)区间必有一个素数）。
RSA产生的两个随机素数的长度也有范围限制（不能太小）。只要枚举这个范围内的所有素数（还没计算过数量级）做成表就行了。只要有表，破解速度将是非常快的。
所以素数表的产生是关键。目前对一个数是否是素数的判断最快的方法是什么（我忘了，但绝对不是试除法）。如果所有尝试破解RSA的计算机分工合作制作一个RSA素数表，ps可以搞个wiki素数百科，累积历史的力量
应该要比每次破解都找素数快一点。

其实RSA加密和破解的区别在于，一个是在范围内找随机的素数，另一个找范围内所有素数。

直到有一天，加长密钥的长度已经不可能了（计算机太弱了）

白银の式神 · 发表于 2007-1-17 15:59:21

在解密中不需要密钥，密钥仅用于加密

hackwaly · 发表于 2007-1-17 16:06:09

引用第9楼白银の式神于2007-01-17 15:59发表的:
在解密中不需要密钥，密钥仅用于加密

难道我记错了？
私钥：解密和加密
公钥：加密

使用RSA：如A要把数据传送给B
A向B提出传送请求
B收到请求然后把自己的公钥传送给A
A用公钥和RSA算法把要传送的数据加密传送给B
B用自己的私钥解密被加密的数据得到A想传送给B的数据

在数据传送过程中，第三方不管是得到公钥还是根据公钥和RSA加密的数据都是不可能推算出A想传送的数据的。除非A或B泄露数据或B的私钥泄露。

根据私钥和公钥的特性，所以此类（使用公钥和私钥的）算法又叫非对称加密算法。

白银の式神 · 发表于 2007-1-17 16:29:41

LS这种方法原理相同，但模型不同
想一下就知道这种模型不可能用于数字签名料...

hackwaly · 发表于 2007-1-17 16:30:03

2.9 WEAK DIGITAL SIGNATURE
The weak digital signature is a digital signature using Microsoft CryptoAPI. It is an implimentation of the RSASSA-PKCS1-v1_5 digital signature protocol, using the MD5 hashing algorithm and a 512-bit (weak) RSA key (for more information about this protocol, see the RSA Labs PKCS1 specification). The public key and exponent are stored in a resource in Storm, the private key is stored in a separate file, whose filename is passed to MPQAPI (the private key is not stored in MPQAPI). The signature is stored uncompressed, unencrypted in the file "(signature)" (default language and platform) in the archive. The archive is hashed from the beginning of the archive (ArchiveOffset in the containing file) to the end of the archive (the length indicated by ArchiveSize, or calculated in the Burning Crusade MoPaQ format); the signature file is added to the archive before signing, and the space occupied by the file is considered to be all binary 0s during signing/verification. This file is structured as follows:

00h: int32 Unknown : Must be 0.
04h: int32 Unknown : Must be 0.
08h: int512 Signature : The digital signature. Like all other numbers in the MoPaQ format, this is stored in little-endian order. The structure of this, when decrypted, follows the RSASSA-PKCS1-v1_5 specification; this format is rather icky to work with (I wrote a program to verify this signature using nothing but an MD5 function and huge integer functions; it wasn't pleasant), and best left to an encryption library such as Cryto++.

2.10 STRONG DIGITAL SIGNATURE
The strong digital signature uses a simple proprietary implementation of RSA signing, using the SHA-1 hashing algorithm and a 2048-bit (strong) RSA key. The default public key and exponent are stored in Storm, but other keys may be used as well. The strong digital signature is stored immediately after the archive, in the containing file; the entire archive (ArchiveSize bytes, starting at ArchiveOffset in the containing file) is hashed as a single block. The signature has the following format:

00h: char(4) Magic : Indicates the presence of a digital signature. Must be "NGIS" ("SIGN" backwards).
04h: int2048 Signature : The digital signature, stored in little-endian format.

When the Signature field is decrypted with the public key and exponent, and the resulting large integer is stored in little-endian order, it is structured as follows:

00h: byte Padding : Must be 0Bh.
01h: byte(235) Padding : Must be BBh.
ECh: byte(20) SHA-1 : SHA-1 hash of the archive, in standard SHA-1 byte order.

xlandhenry · 发表于 2007-1-17 22:49:50

两位大仙又在郁闷人了……

hackwaly · 发表于 2007-1-18 10:55:56

LS搞清楚dian，另一位大仙不是偶，而是910先生

DumpLinG饺子 · 发表于 2007-1-28 18:48:24

晕乎乎~~
如果只知道公钥能干些什么...
能不能使地图出现BLZ的logo呢？　

白银の式神 · 发表于 2007-1-28 19:06:25

知道公钥仅能对数据进行解密

DumpLinG饺子 · 发表于 2007-1-28 19:13:45

估计要多久才能跑出私匙呢？

DumpLinG饺子 · 发表于 2007-1-28 19:15:46

公钥(e,n)应该是用于加密的吧？

白银の式神 · 发表于 2007-1-28 19:33:51

这种情况在对称加密中应该属于blizzard向你发送消息，所以公钥用于解密
(如果素你向blizzard发消息，那么公钥用于加密)

		自动登录	找回密码
密码			点一下

everguo everguo 当前离线积分 339 窥视卡雷达卡	发表于 2007-1-17 12:51:01 \| 显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
everguo everguo 当前离线积分 339 窥视卡雷达卡
	回复使用道具举报 ???í?¨

惊！外国人对bj签名算法的研究成果

看错看错密钥!=私钥

原来还有一新版本的文章

惊！外国人对bj签名算法的研究成果

看错看错 密钥!=私钥

原来还有一新版本的文章

看错看错密钥!=私钥