Platform SDK: Cryptography

Digital Signature Mechanics

An application signs or verifies hash values by using the CryptSignHash and CryptVerifySignature functions. The application often specifies a description string, which must be added to the hash object before it is signed or verified.

The following is a typical signature process:

  1. The application creates a hash object by using CryptCreateHash.
  2. The application adds data to the hash object by using CryptHashData, CryptHashSessionKey, or both.
  3. The application calls the CryptSignHash function to sign the hash value, specifying a description string.
  4. The operating system layer accepts the CryptSignHash call. If the description string is not already in Unicode, the system converts it to Unicode, then passes the request to the CSP by calling the CPSignHash function.
  5. The CSP adds the Unicode description string to the hash object, using the CPHashData function. The terminating NULL character is not hashed in.
  6. The CSP completes the hash and obtains the hash value to be signed by using the CPGetHashParam function.
  7. The CSP takes the hash value, pads it out to the size of the public key modulus, and encrypts it by using the signature private key.

    The padding around the hash value must be in the format specified by the Public-Key Cryptography Standards (PKCS), available from RSA Data Security. The hash algorithm used must be encoded as described in PKCS #1, Section 6.3.

  8. The signature block is returned to the application through the operating system layer.
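
The padding in step 7 can be shown without a CSP. The following C code is an added example, not code from the SDK or from any CSP: it builds the PKCS #1 v1.5 signature block (00 01 FF...FF 00, then the encoded hash algorithm, then the hash value) for a modulus of k bytes, and checks a recovered block by rebuilding it and comparing every byte. The function names, the choice of SHA-1, and the sample values are assumptions, and the RSA private-key operation itself is left out.

```c
#include <stdio.h>
#include <string.h>

/* DER DigestInfo header for SHA-1: the PKCS #1 encoding of the hash algorithm. */
static const unsigned char SHA1_PREFIX[15] = {
    0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };
#define SHA1_LEN 20

/* Hypothetical helper: write 00 01 FF..FF 00 || DigestInfo || hash into em[0..k-1],
   where k is the modulus size in bytes. Returns 0 on success, or -1 when the
   modulus is too small to hold the required minimum of eight FF bytes. */
int pkcs1_encode_sha1(const unsigned char hash[SHA1_LEN], unsigned char *em, size_t k)
{
    size_t t_len = sizeof SHA1_PREFIX + SHA1_LEN;   /* 35 bytes of DigestInfo */
    if (k < t_len + 11) return -1;
    size_t ps_len = k - t_len - 3;                  /* number of FF padding bytes */
    em[0] = 0x00;
    em[1] = 0x01;                                   /* block type 01: signature */
    memset(em + 2, 0xFF, ps_len);
    em[2 + ps_len] = 0x00;                          /* separator before DigestInfo */
    memcpy(em + 3 + ps_len, SHA1_PREFIX, sizeof SHA1_PREFIX);
    memcpy(em + 3 + ps_len + sizeof SHA1_PREFIX, hash, SHA1_LEN);
    return 0;
}

/* Hypothetical verifier-side check: rebuild the expected block and compare all k
   bytes, so shortened padding or extra trailing data is rejected.
   Returns 1 on an exact match, 0 otherwise. */
int pkcs1_check_sha1(const unsigned char *em, size_t k, const unsigned char hash[SHA1_LEN])
{
    unsigned char expected[512];                    /* enough for a 4096-bit modulus */
    unsigned char diff = 0;
    if (k > sizeof expected || pkcs1_encode_sha1(hash, expected, k) != 0) return 0;
    for (size_t i = 0; i < k; i++) diff |= (unsigned char)(em[i] ^ expected[i]);
    return diff == 0;
}

int main(void)
{
    unsigned char hash[SHA1_LEN] = {0};   /* constructed sample hash value */
    unsigned char em[128];                /* assumes a 1024-bit modulus */
    if (pkcs1_encode_sha1(hash, em, sizeof em) != 0) return 1;
    for (size_t i = 0; i < sizeof em; i++)
        printf("%02x%s", em[i], (i % 16 == 15) ? "\n" : " ");
    return pkcs1_check_sha1(em, sizeof em, hash) ? 0 : 1;
}
```

Comparing the whole rebuilt block, rather than scanning past the padding to find the hash, is what makes the check reject a block whose padding is too short or whose hash is followed by extra bytes.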