RSA Signature Suite 2018

Terminology

The following terms are used to describe concepts involved in the generation and verification of the Linked Data Signature 2018 signature suite.

signature suite: A specified set of cryptographic primitives typically consisting of a canonicalization algorithm, a message digest algorithm, and a signature algorithm that are bundled together by cryptographers for developers for the purposes of safety and convenience.
canonicalization algorithm: An algorithm that takes an input document that has more than one possible representation and always transforms it into a canonical form. This process is sometimes also called CANONICALIZATION.
message digest algorithm: An algorithm that takes an input message and produces a cryptographic output message that is often many orders of magnitude smaller than the input message. These algorithms are often 1) very fast, 2) non-reversible, 3) cause the output to change significantly when even one bit of the input message changes, and 4) make it infeasible to find two different inputs for the same output.
signature algorithm: An algorithm that takes an input message and produces an output value where the receiver of the message can mathematically verify that the message has not been modified in transit and came from someone possessing a particular secret.

The 2018 RSA Signature Suite

The 2018 RSA signature suite MUST be used in conjunction with the signing and verification algorithms in the Linked Data Signatures [[LD-SIGNATURES]] specification. The suite consists of the following algorithms:

Parameter	Value	Specification
canonicalizationAlgorithm	https://w3id.org/security#GCA2015	[[RDF-DATASET-CANONICALIZATION]]
digestAlgorithm	https://www.ietf.org/assignments/jwa-parameters#SHA256	[[RFC6234]]
signatureAlgorithm	https://www.ietf.org/assignments/jwa-parameters#RS256	[[RFC7515]]

Modification to Algorithms

This signature suite uses a constrained profile of JSON Web Signatures which is specified in [[RFC7797]]. The signature algorithm used is the JSON Web Signature implementation of the RSASSA-PKCS1-v1_5 algorithm. The steps to construct and verify the digital signature are defined below.

Modifications to Signature Algorithm

The digital signature algorithm defined in Section 7.1: Signature Algorithm takes tbs, a privateKey, and options as inputs and produces a signatureValue as output.

Take tbs, which is the data to be signed, as input and generate a JOSE Web Signature structure where the headers are: {"alg":"RS256","b64":false,"crit":["b64"]} and the payload is a URL-safe Base64 encoding of tbs.
Perform the RS256 JSON Web Signature digital signature algorithm specified in Section 3.3 of [[RFC7518]] and return the result as signatureValue.

Modifications to Signature Verification Algorithm

The digital signature algorithm defined in Section 7.2: Signature Verification Algorithm takes the value to be verified, tbv, the public key to the signature algorithm and returns a boolean value.

Take tbv and perform the RS256 JSON Web Signature digital signature verification algorithm specified in Section 3.3 of [[RFC7518]]. If the result is a valid signature, return true, otherwise return false.

Security Considerations

The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.

TODO: We need to add a complete list of security considerations.

Examples

A simple example of an RSA 2018 signature:

{
  "@context": ["http://schema.org/", "https://w3id.org/security/v1"],
  "description": "Hello world!",
  "proof": {
    "type": "RsaSignature2018",
    "created": "2017-10-24T05:33:31Z",
    "creator": "https://example.com/jdoe/keys/1",
    "domain": "example.com",
    "signatureValue": "eyiOiJJ0eXAK...EjXkgFWFO"
  }
}