javascript - Difference between RSAwithSHA256 and SHA256 - Stack Overflow

I need to sign an XML SAML message with the SAML 2.0 standardised algorithm (RSAwithSHA256). But my SAML plugin (passport-saml) only seems to support sha1 and sha256. The SHA256 sounds pretty close to RSAwithSHA256, but probably is not the same thing? What is the difference, and how could I use RSAwithSHA256 instead? I probably need to edit the passport-saml library to allow the use of the RSAwithSHA256 algorithm?

asked Jun 21, 2016 at 10:06 by Ville Miekk-oja

1 Answer

I'll try to explain the differences, but not how to solve your issue.

RSA is a Public Key Cryptographic algorithm (Public and Private Key-Pair algorithm) and it assures Confidentiality, Authenticity (includes Identification) and Non-Repudiation.

SHA-256 is a hashing algorithm that produces a unique, fixed-size 256-bit (32-byte) hash, and it assures Message Integrity.

A hashing algorithm is employed as follows:

  1. The sender sends the message and its hash to the receiver. [Hashing employed]
  2. The receiver hashes the message to generate a new hash. [Hashing employed]
  3. The receiver checks whether the new hash is equal to the original hash.
    • If it's equal, then message integrity is confirmed and the receiver processes the message further.
    • If it's unequal, then the message has been tampered with and the receiver discards the message.

Here, how does the receiver confirm that the message and its hash were indeed sent by the expected sender? There is no authentication or identification of the sender by the receiver in the above case.

To do that, we have to use both Public Key Cryptography and Hashing Algorithms (like RSAWithSHA256) together to satisfy the above said requirement.

So, when Public Key Cryptography and Hashing Algorithms are employed together:

  1. The sender sends the message and its encrypted hash (using the private key of the sender) to the receiver. [Encryption and Hashing employed]
  2. The receiver decrypts the encrypted hash (using the public key of the sender). [Decryption and Hashing employed]
  3. The receiver hashes the message to generate a new hash. [Hashing employed]
  4. The receiver checks whether the new hash is equal to the decrypted hash.
    • If it's equal, then message integrity, authenticity and identification of the sender are confirmed and the receiver processes the message further.
    • If it's unequal, then the message has been tampered with or was not sent by the intended sender (since the encrypted hash was not generated with the private key of the expected sender) and the receiver discards the message.
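
The two schemes from the answer above, side by side in Node.js, as an added example that is not part of the original question or answer. The sample messages, the in-process key pair and all function names are constructed for illustration; only Node's built-in `crypto` module is used.

```javascript
// SHA-256 alone vs. RSA with SHA-256, using Node's built-in crypto module.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed sample data; the key pair is generated in-process for this demo only.
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const original = Buffer.from('<Response ID="_constructed">user=alice</Response>');
const replaced = Buffer.from('<Response ID="_constructed">user=admin</Response>');

const sha256 = (data) => createHash('sha256').update(data).digest('hex');

// Scheme 1: message + bare SHA-256 hash. No key is involved on either side.
function sendWithHash(message) {
  return { message, hash: sha256(message) };
}
function acceptHash({ message, hash }) {
  return sha256(message) === hash;
}

// Scheme 2: message + signature over its SHA-256 digest, made with the sender's
// RSA private key (PKCS#1 v1.5 padding, Node's default for RSA keys).
function sendSigned(message, senderPrivateKey) {
  return { message, signature: sign('sha256', message, senderPrivateKey) };
}
function acceptSigned({ message, signature }, senderPublicKey) {
  return verify('sha256', message, senderPublicKey, signature);
}

// The message is swapped in transit. A bare hash can be recomputed by anyone,
// so it is updated too; the signature cannot be redone without the private key.
function replaceInTransit(packet) {
  const out = { ...packet, message: replaced };
  if ('hash' in out) out.hash = sha256(replaced);
  return out;
}

function demo() {
  return {
    hashAcceptsOriginal: acceptHash(sendWithHash(original)),
    hashAcceptsReplaced: acceptHash(replaceInTransit(sendWithHash(original))),
    sigAcceptsOriginal: acceptSigned(sendSigned(original, privateKey), publicKey),
    sigAcceptsReplaced: acceptSigned(replaceInTransit(sendSigned(original, privateKey)), publicKey),
  };
}

console.log(demo());
```

The hash-only receiver accepts the replaced message because the hash travels with it and needs no secret to recompute, which is the gap the answer points out; the signature check rejects it.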
