
Lockbox digital signature component problem


I'm evaluating the TurboPower LockBox library for digital signing. I've created a 1024-bit RSA key and tried to sign 260 bytes of text with it. After changing one or two characters in the text, the signature is still valid for it. Is that OK? Or maybe it's a problem with this library. Changing even one character has a crucial effect. Do I need to create a larger key?

UPDATE

To test the library I used the demo application that comes with it. I generated a 1024 RSA key pair and then tried the digital signing functions. First I tried with a real 260 bit text file and found out that I could change some characters in it and the signature was still valid. Then I narrowed it down a bit to the following string:

AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA 8

And it still works when I'm changing the '8' character. I could probably narrow it even more.

The code that performs the validation is:

Signatory1: TSignatory;
....

var
  DocumentStream, SignatureStream: TStream;
....

DocumentStream := TFileStream.Create( edtRSADocumentFile.Text, fmOpenRead);
try
  SignatureStream := TFileStream.Create( edtRSASignatureFile.Text, fmOpenRead);
  try
    Res := Signatory1.Verify( DocumentStream, SignatureStream)
  finally
    SignatureStream.Free
  end;
finally
  DocumentStream.Free;
end;

Solution

  • LockBox 3 has a bug in the implementation of the digital signature component. LockBox 2.07 can correctly sign and verify signatures, but loading/saving keys doesn't work in Delphi 2010.
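
The manual test from the question can be automated when evaluating any signing library. The following is an added example, not part of the original post and not LockBox code: it flips one byte at each offset of a signed document and reports every offset where verification still passes. The toy hash-then-sign RSA, the constructed key and the `truncating` scheme (a hypothetical defect, not a description of the actual LockBox bug) are assumptions for illustration.

```python
import hashlib

# Constructed demo key built from two Mersenne primes. Illustration only:
# unpadded hash-then-sign RSA with a structured key is not safe for real use.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def make_scheme(prepare):
    """Build (sign, verify) where `prepare` selects the bytes that get hashed."""
    def sign(doc: bytes) -> int:
        return pow(digest_int(prepare(doc)), D, N)
    def verify(doc: bytes, sig: int) -> bool:
        return pow(sig, E, N) == digest_int(prepare(doc))
    return sign, verify

# Sound scheme: the whole document is hashed.
sound = make_scheme(lambda doc: doc)
# Hypothetical defect: only the first 16 bytes ever reach the hash.
truncating = make_scheme(lambda doc: doc[:16])

def tamper_survivors(scheme, doc: bytes) -> list:
    """Return the offsets where a one-byte change still verifies."""
    sign, verify = scheme
    sig = sign(doc)
    if not verify(doc, sig):
        raise ValueError("untampered document failed verification")
    survivors = []
    for offset in range(len(doc)):
        mutated = bytearray(doc)
        mutated[offset] ^= 0x01          # e.g. '8' becomes '9'
        if verify(bytes(mutated), sig):
            survivors.append(offset)
    return survivors

# The narrowed-down test string from the question.
DOC = b"A" * 25 + b"\n" + b"A" * 25 + b"\n" + b"A" * 13 + b" 8"

if __name__ == "__main__":
    for name, scheme in (("sound", sound), ("truncating", truncating)):
        bad = tamper_survivors(scheme, DOC)
        print(f"{name}: {len(bad)} of {len(DOC)} offsets accept a modified byte")
```

A correct implementation must report zero surviving offsets; any non-empty result means part of the document is not covered by the signature.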