different RSA key size generates a digital signature with the same charachter lengeth?!!

Hello, new member over here with a noob question

I have the following Simple code to generate a digital signature, as far as I can understand only a hash of the message get encrypted but when I change the key size I still get the same length of characters in the digital signature! below is the code:

public class digitalsignature { public static void main(String[] args) throws Exception { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024); KeyPair keyPair = kpg.genKeyPair(); byte[] data = "test".getBytes("UTF8"); Signature sig = Signature.getInstance("MD5WithRSA"); sig.initSign(keyPair.getPrivate()); sig.update(data); byte[] signatureBytes = sig.sign(); System.out.println("Singature:" + Base64.encodeBase64(signatureBytes)); sig.initVerify(keyPair.getPublic()); sig.update(data); System.out.println(sig.verify(signatureBytes)); } }

the output is:
Singature:[B@10b4199
true

but when changing the key size to 2048 the output has the same length!

public class digitalsignature { public static void main(String[] args) throws Exception { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); KeyPair keyPair = kpg.genKeyPair(); byte[] data = "test".getBytes("UTF8"); Signature sig = Signature.getInstance("MD5WithRSA"); sig.initSign(keyPair.getPrivate()); sig.update(data); byte[] signatureBytes = sig.sign(); System.out.println("Singature:" + Base64.encodeBase64(signatureBytes)); sig.initVerify(keyPair.getPublic()); sig.update(data); System.out.println(sig.verify(signatureBytes)); } }

the output this time is
Singature:[B@13a328f
true

I was expecting the digital signature length to increase but only the processing time has(which just natural), why is that?

thanks in advance

up!

Please read PatienceIsAVirtue and UseCodeTags. I have applied the latter for you.

You seem to assume that "sig.verify(signatureBytes).toString()" returns something useful; obviously, it does not.

Hello Dittmer,

Thank you for your reply

You seem to assume that "sig.verify(signatureBytes).toString()" returns something useful; obviously, it does not.

well that is not included in the code above, but anyway the result is"true"

My question is basically why the signature length has not increased when I changed the key size from 1024 to 2048?

Wikipedia says"If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key. Although in this latter case, since encrypting the entire message is relatively expensive computationally, in practice just a hash of the message is encrypted for signature verification purposes."

so my understanding is the message will be hashed to a fixed character length no matter how long the message is(which is 32 characters using MD5). Then this hash will get encrypted (RSA encryption) in my example. I have tried both key sizes and still got the same length of characters in the signature, I was expecting it to increase by using 2048 bit but it has not(the output is 10 characters long regardless of the size of the key) and this is what is puzzling me.

Can you please clarify what I am missing/misunderstanding?

You seem to assume that "sig.verify(signatureBytes).toString()" returns something useful; obviously, it does not.

well that is not included in the code above

Sorry about that, copy/paste error. That should have read:

You seem to assume that "Base64.encodeBase64(signatureBytes).toString()" returns something useful; obviously, it does not.

Sorry about that, copy/paste error. That should have read:

You seem to assume that "Base64.encodeBase64(signatureBytes).toString()" returns something useful; obviously, it does not.

Make as much errors as you want mate.....I am here to benefit from your experience not the opposite

still in the code I did not include the(.toString()). I have only used the Apache encoding scheme which has outputted the signature and the rest of the code has verified it with the public key to be true(matching).

I feel that you have not understood my question because it has nothing to do with your appreciated response. I repeat my question is why the signature character length has not increased when using a bigger key? it is the encryption of the fixed length hash what I mean.

Please be more generous by responding with a bit more lengthy explanation. I am a beginner and I do not understand the hints behind those"telegraphic responses"

still in the code I did not include the(.toString()).

Yes, you did. That's what System.out.println does - it calls the toString method. Sometimes that method returns something useful, but in this case it doesn't. It certainly does not do what you would have liked to happen, which is to print the contents of the byte[]. You need to find some other way of examining what the result contains - maybe assign it to a variable, and then look at its length and contents.

I am a beginner

I don't mean to sound rude, but that being the case you should not be in charge of implementing security. It's all too easy to put in place insecure systems, especially if you come by them in a trial-and-error approach.

Hello Tim,

thank you very much now I understand what I have been doing wrong. I am very pleased thank you again. here is the code if someone encounter the same problem. please note that this is a just a simple example!

public class digitalsignature { public static void main(String[] args) throws Exception { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); KeyPair keyPair = kpg.genKeyPair(); byte[] data = "test".getBytes("UTF-8"); Signature sig = Signature.getInstance("MD5WithRSA"); sig.initSign(keyPair.getPrivate()); sig.update(data); byte[] signatureBytes = sig.sign(); int m =signatureBytes.length; String str = new String(Base64.encodeBase64(signatureBytes)); System.out.println(str); System.out.println(m); System.out.println("Singature:" + Base64.encodeBase64(signatureBytes)); sig.initVerify(keyPair.getPublic()); sig.update(data); System.out.println(sig.verify(signatureBytes)); } }

Now I do get different results from different sizes of key.

I don't mean to sound rude, but that being the case you should not be in charge of implementing security. It's all too easy to put in place insecure systems, especially if you come by them in a trial-and-error approach.

No am not in charge. I have BSC in information Systems(more oriented towards the people and the business side of computing). but recently I have applied for a job in a company that's main operation is securing data and voice communication for some international military organizations. it is a junior job but I wanted to study about cryptography to ease up the training period and make a good impression(i hope so). My main problem is that I am from Sudan and we have no access for those in-depth materials.Moreover because of the U.S embargo in Sudan we are not permitted to download java from oracle website but fortunately I have used some proxies to do so.

anyway thank you very much for your help. I really do appreciate it