数字签名
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
借助数字签名基元,您可以验证是否有人篡改了您的数据。它可确保已签名数据的真实性和完整性,但不能保证其私密性。它是非对称的,也就是说,它使用一对密钥(公钥和私钥)。
数字签名基元具有以下属性:
- 真实性:除非您拥有私钥,否则无法创建可供
PublicKeyVerify.Verify(signature, message)
进行验证的签名。
- 非对称:创建签名所用的密钥与验证签名所用的密钥不同。这样,您就可以将公钥分发给无法自行创建签名的各方,以便他们验证签名。
如果您不需要不对称性,不妨改用更简单、更高效的 MAC 基元。
数字签名的功能在 Tink 中表示为一对基元:
- 用于对数据进行签名的 PublicKeySign
- 用于验证签名的 PublicKeyVerify
选择密钥类型
对于大多数用例,我们建议使用 ECDSA_P256,但您也可以选择其他选项。一般来说,以下情况成立:
- ECDSA_P256 是最常用的选项,也是合理的默认选项。不过请注意,ECDSA 签名是可变的。
- ED25519 会创建确定性签名,并且比 ECDSA_P256 提供更好的性能。
- RSA_SSA_PKCS1_3072_SHA256_F4 会创建确定性签名,并提供最佳验证性能(但签名速度比 ECDSA_P256 或 ED25519 慢得多)。
最低安全保障
- 要签名的数据可以是任意长度
- 128 位安全级别,可针对基于椭圆曲线的方案防范自适应选择性消息攻击
- 112 位安全级别,可针对基于 RSA 的方案防范自适应选择消息攻击(允许使用 2048 位密钥)
可塑性
如果攻击者可以为已签名的消息创建不同的有效签名,则签名方案是可变的。虽然在大多数情况下这不是问题,但在某些情况下,程序员会隐式假定有效的签名是唯一的,这可能会导致意外结果。
用例示例
请参阅对数据进行数字签名。
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-25。
[null,null,["最后更新时间 (UTC):2025-07-25。"],[[["\u003cp\u003eDigital signatures ensure data integrity and authenticity by verifying that data hasn't been tampered with.\u003c/p\u003e\n"],["\u003cp\u003eThey use a pair of keys (public and private) for asymmetric signing and verification, allowing for secure distribution of the public key.\u003c/p\u003e\n"],["\u003cp\u003eTink provides two primitives for digital signatures: \u003ccode\u003ePublicKeySign\u003c/code\u003e for signing and \u003ccode\u003ePublicKeyVerify\u003c/code\u003e for verifying.\u003c/p\u003e\n"],["\u003cp\u003eECDSA_P256 is generally recommended, with ED25519 offering better performance and RSA_SSA_PKCS1_3072_SHA256_F4 providing the fastest verification.\u003c/p\u003e\n"],["\u003cp\u003eDigital signatures in Tink guarantee a minimum of 112-bit security and support data of any length.\u003c/p\u003e\n"]]],["Digital signatures ensure data authenticity and integrity using asymmetric key pairs (public and private). `PublicKeySign` signs data, while `PublicKeyVerify` checks signatures. Key options include the widely used ECDSA_P256, faster ED25519, and high-verification-performance RSA_SSA_PKCS1_3072_SHA256_F4. Signatures offer 128-bit security (elliptic curves) or 112-bit security (RSA). ECDSA signatures are malleable, allowing attackers to forge valid signatures. If asymmetry is not needed consider using MAC.\n"],null,["# Digital Signature\n\nThe Digital Signature primitive lets you verify that no one has tampered with\nyour data. It provides authenticity and integrity, but not secrecy, of the\nsigned data. It is asymmetric, meaning it uses a pair of keys (public key and\nprivate key).\n\nThe Digital Signature primitive has the following properties:\n\n- **Authenticity** : It is impossible to create a signature for which `PublicKeyVerify.Verify(signature, message)` validates, unless you have the private key.\n- **Asymmetric**: Creating the signature uses a different key than verifying it. This lets you distribute the public key to verify signatures to parties that can't create signatures themselves.\n\nIf you don't need asymmetry, consider using the simpler and more efficient\n[MAC](/tink/mac) primitive instead.\n\nThe functionality of digital signatures is represented in Tink as a pair of\nprimitives:\n\n- *PublicKeySign* for signing data\n- *PublicKeyVerify* for verifying the signature\n\n### Choose a key type\n\nWe recommend using **ECDSA_P256** for most use cases, but there are a variety of\noptions. In general, the following holds true:\n\n- ECDSA_P256 is the most widely used option and a reasonable default. Note though that ECDSA signatures are [malleable](#malleable).\n- ED25519 creates deterministic signatures and provides better performance than ECDSA_P256.\n- RSA_SSA_PKCS1_3072_SHA256_F4 creates deterministic signatures and provides the best verification performance (but signing is much slower than ECDSA_P256 or ED25519).\n\n### Minimal security guarantees\n\n- Data to be signed can have arbitrary length\n- 128-bit security level against adaptive chosen-message attacks for elliptic curve based schemes\n- 112-bit security level against adaptive chosen-message attacks for RSA based schemes (allows 2048-bit keys)\n\n### Malleability\n\nA signature scheme is malleable if an attacker can create a different valid\nsignature for an already signed message. While this is not a problem for most\nscenarios, in some cases programmers implicitly assume that valid signatures are\nunique, and this can lead to unexpected results.\n\n### Example use case\n\nSee I want to [digitally sign data](/tink/digitally-sign-data)."]]