signing protobuf messages

maxwolf

Mar 18, 2010, 1:36:02 PM
to Protocol Buffers
Hello,

I wonder if protobuf messages are safe to be crypto signed? More
precisely - will a certain message serialized from the same set of field
values be exactly the same for every platform/language?

Henner Zeller

Mar 18, 2010, 2:01:10 PM
to maxwolf, Protocol Buffers
On Thu, Mar 18, 2010 at 10:36, maxwolf <wax...@gmail.com> wrote:
> I wonder if protobuf messages are safe to be crypto signed?

If you just sign the content of a message, then this should be an
operation that should not require that a message is generated the same
for different implementations, right? Meaning, you have some binary
encoded message generated by some implementation and its signature so
you can compare if that content is indeed signed by the owner. You
directly compare that binary encoding with that signature.

But it looks like you're looking for a bit stronger guarantee: that you
can just operate only on the hash of some message and want that to be
identical for messages with the same content generated by different
implementations.

> More
> precisely - will certain message serialized from the same set of field
> values be exactly the same for every platform/language?

The encoding scheme does not enforce this per se: it is entirely valid
to send fields in a different order over the wire and thus have
equivalent messages whose binary encoding is different.
However, all current Google implementations actually encode the same
messages the same way - I guess too many people relied on being able
to reliably store hash values of messages (Kenton needs to confirm
this, but I am pretty sure).
In other words: there is no strong guarantee but in practice, it works :)

-h

Kenton Varda

Mar 18, 2010, 3:29:12 PM
to Henner Zeller, maxwolf, Protocol Buffers
All implementations are advised to output tags in order by field number, in which case they should all produce the same bytes...  unless there are unknown fields, which are always written at the end.  In C++ you can use DiscardUnknownFields() to make sure all unknown fields are discarded.

But I would suggest not relying on this when doing cryptography.  You can sign your serialized message, and send around the serialized bytes with the signature.  People can verify the signature against the serialized bytes, then parse it.
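
Added example, not part of the thread and not protobuf library code: a hand-written encoder and parser for wire types 0 and 2 showing that the same field values in two valid wire orders parse identically but yield different bytes and therefore different tags, and that verifying over the received bytes before parsing avoids the problem. Assumptions: HMAC-SHA256 with a constructed key stands in for a real signature scheme, and all function names and sample values are made up for illustration.

```python
import hashlib
import hmac
KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a real signature

def varint(n):  # base-128 varint of a non-negative int
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def field(number, value):  # ints -> wire type 0 (varint), bytes -> wire type 2
    if isinstance(value, int):
        return varint(number << 3) + varint(value)
    return varint((number << 3) | 2) + varint(len(value)) + value

def read_varint(buf, i):  # returns (value, index after the varint)
    result = shift = 0
    while True:
        byte, i = buf[i], i + 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if byte < 0x80:
            return result, i

def parse(buf):  # wire types 0 and 2 -> {field_number: value}, any field order
    fields, i = {}, 0
    while i < len(buf):
        key, i = read_varint(buf, i)
        if (key & 7) == 0:
            fields[key >> 3], i = read_varint(buf, i)
        elif (key & 7) == 2:
            size, i = read_varint(buf, i)
            fields[key >> 3], i = buf[i:i + size], i + size
        else:
            raise ValueError("unsupported wire type")
    return fields

def sign(serialized):  # tag over the exact serialized bytes
    return hmac.new(KEY, serialized, hashlib.sha256).digest()

def verify_then_parse(serialized, tag):
    """Check the tag over the bytes as received, and only then parse them."""
    if not hmac.compare_digest(sign(serialized), tag):
        raise ValueError("signature does not match the serialized bytes")
    return parse(serialized)

IN_ORDER = field(1, 150) + field(2, b"demo")   # constructed sample, field-number order
REORDERED = field(2, b"demo") + field(1, 150)  # same values, reversed wire order
```

Storing only the parsed field values and re-serializing them later, as the original question intended, would need `sign(IN_ORDER)` to match whatever bytes the re-serializer happens to emit, which the wire format does not promise.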




maxwolf

Mar 19, 2010, 7:02:13 AM
to Protocol Buffers
Thanks for the clarification! My initial intent was not to store a
whole dump of the message (to DB) but only field values and the signature.
It seems that this is not the case, at least if I want to be on the safe
side...


On Mar 18, 10:29 pm, Kenton Varda <ken...@google.com> wrote:
> All implementations are advised to output tags in order by field number, in
> which case they should all produce the same bytes...  unless there are
> unknown fields, which are always written at the end.  In C++ you can use
> DiscardUnknownFields() to make sure all unknown fields are discarded.
>
> But I would suggest not relying on this when doing cryptography.  You can
> sign your serialized message, and send around the serialized bytes with the
> signature.  People can verify the signature against the serialized bytes,
> then parse it.