Digital sigining - distributed environment - seperate hashing and signing

I need to digitally sign a data packet of size 50 MB in a distributed environment. Signing takes place at the central server and the clients will be sending the data packets to the central server. I wanted to avoid the bottlenecks in the network by sending huge packets of data.

My question is

1. Can i g开发者_StackOverflowenerate the Hash at the client end and just send the hash to the central server for signing?
2. Is there any security flaws in this approach?

Thanks

You can sign the hash received from the client, yet there's a security problem here -- you need to find a way to ensure that the hash is derived from the data that is authorized to be hashed. Imagine the situation where your server uses corporate certificate to sign executables that your dev.team compiles. Now a hacker creates a troyan and finds a way to send signing request (by passing only the hash) to your server. And he gets a troyan, signed using your company certificate. This is less real for external attacks, but not for internal ones.

Blindly signing a hash seems like a risky proposal. There are a few questions that seem pertinent in this situation:

• Are the clients "trusted"?
• Is the communications channel trusted?
• Does the server perform any verification of the data that it receives and signs?

The last one may be the most critical. If the server does not verify the data and just blindly signs it, then it probably is not really any different than blindly signing a hash. Either process allows anyone to get any piece of data signed.