Adding Signatures to Signed Messages

TL;DR

No, you generally cannot add a new signature to an already signed message without invalidating the original signature. Digital signatures rely on hashing the entire message content. Changing the message – even by adding a signature – alters the hash and makes the existing signature incorrect.

Understanding Digital Signatures

Before we look at why you can’t just ‘add’ a signature, let’s quickly recap how digital signatures work:

• Hashing: The message is run through a cryptographic hash function (like SHA-256). This creates a unique “fingerprint” of the message.
• Encryption with Private Key: The hash is then encrypted using the sender’s private key. This encrypted hash is the digital signature.
• Verification with Public Key: Anyone can use the sender’s public key to decrypt the signature and compare it to a newly calculated hash of the message. If they match, it proves:
  • The message hasn’t been altered since it was signed.
  • The signature came from someone with access to the sender’s private key.

Why Adding a Signature Breaks Things

Adding a signature changes the content of the message. This means:

• Hash Change: The new hash value will be different from the original hash value used to create the existing signature.
• Verification Failure: When someone tries to verify the signature, they’ll calculate a new hash based on the modified message (including the added signature). This won’t match the decrypted signature, and verification will fail.

What are your options?

If you need to add authentication or integrity checks after signing, here are some approaches:

1. Sign a Container Format

1. Wrap the Message: Instead of signing the message directly, put it inside a container format (like JSON).
2. Add Signature Field: Include a field in the container specifically for the signature.
3. Sign the Whole Container: Sign the entire container – including the original message and the signature field itself.

Example (JSON):

{
  "message": "This is the original message.",
  "signature": "Existing Signature Value"
}

You would then sign this entire JSON structure.

2. Use a Separate Signing Mechanism

1. Sign Separately: Sign the original message as you normally would.
2. Add Signature Alongside: Store the signature separately from the message (e.g., in a different file or database field).
3. Verify Independently: Verify the signature independently of any changes to the original message content.

This approach keeps the integrity checks separate, avoiding the hash collision issue.

3. Re-sign with New Content

1. Concatenate Message and Signature: Combine the original message with the new signature you want to add.
2. Re-hash and Sign: Calculate a new hash of this combined content, then create a new digital signature based on that hash.

This is effectively creating a completely new signed document.

4. Consider Message Digests

If you only need to verify the message hasn’t changed, and don’t require full cryptographic authentication, consider using a message digest (like SHA-256) as a checksum. However, this doesn’t provide non-repudiation like a digital signature.

Important Considerations for cyber security

• Key Management: Securely store and manage your private keys.
• Algorithm Choice: Use strong cryptographic algorithms (e.g., SHA-256 or higher for hashing, RSA with appropriate key length or ECDSA).
• Implementation Security: Ensure your signing and verification code is free from vulnerabilities.