
Sunday, April 28, 2013

Digital Signature

Summary: A short explanation of what a digital signature is and how it works.

Introduction

In general, security covers the following aspects:
  • Confidentiality - protecting messages from unauthorized access.
  • Integrity - protecting messages from unauthorized manipulation.
  • Authenticity - verifying the identity of the communicating parties (that they are who they say they are).
The digital signature is a solution covering integrity and authenticity. It means that unauthorized modification of digitally signed data can be detected and that the identity of its author can be verified.
The digital signature (if not combined with encryption of the message) does not protect data from unauthorized access. Digitally signed data can be read by anybody, but it is possible to verify its author and to check that the content was not altered by somebody else.

How Digital Signature Works

The digital signature uses so-called asymmetric encryption (also known as public-key cryptography, e.g. RSA or DSA), which works with two keys:
  • Private key - the secret key, available only to its owner.
  • Public key - the key available to everybody.
The private and public keys are mathematically related to each other. What is encrypted with the public key can be decrypted only with the corresponding private key, and vice versa.
E.g. if John encrypts a message using Peter's public key, then only Peter can decrypt it, because only he has the corresponding private key.
But it also works the other way around. If Peter encrypts something with his private key, then only the corresponding public key can decrypt it. And exactly this is used for the digital signature. The main idea: if I can decrypt it with Peter's public key, then I know it had to be encrypted by Peter, because only he has the private key, and therefore I am able to identify that it was Peter who encrypted it.

The digital signature uses the same principle. The difference is that it does not encrypt the message itself; instead it calculates a checksum (hash) of the data, and this checksum is then encrypted with the signer's private key. This encrypted checksum is what is called the digital signature.

Signing data:
  1. A checksum (e.g. SHA1) is calculated from the data.
  2. The checksum is encrypted with the signer's private key => this encrypted checksum is the digital signature.
  3. The data is provided together with the digital signature.

Reading signed data:
  1. A checksum is calculated from the received data.
  2. The signer's public key is used to decrypt the checksum (the digital signature) that came with the data.
  3. If the decrypted checksum is the same as the checksum calculated in step 1, then the data was not altered and it originates from the declared sender.
So, in order to decrypt the digital signature we need to know who signed the data and then use his public key. Therefore we need a mechanism for obtaining the signer's public key. Importantly, this mechanism must be safe, ensuring that the public key really belongs to the signer. E.g. if somebody is able to compromise the system and replace Peter's public key, then this person can digitally sign data with his own private key (the one corresponding to the fake public key) under Peter's name. If somebody then reads such a message from "Peter", he would not be able to recognize that something is wrong, because the compromised system would provide him with the fake public key, which decrypts the fake signature: the signature verification would pass successfully.
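The signing and reading steps above, as an added Go example that is not part of the original post; it uses the standard library's RSA PKCS#1 v1.5 signatures with SHA-256 instead of the SHA1 named in the text, and a constructed sample message. The "decrypt the checksum with the public key and compare" step is what rsa.VerifyPKCS1v15 does internally, and the demo also shows the two failure cases: altered data, and a signature checked against somebody else's public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signData performs the signing steps: hash the data, then apply the signer's
// private key to the digest (PKCS#1 v1.5). The result is the digital signature.
func signData(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyData performs the reading steps: recompute the digest from the received
// data and compare it with the one recovered from the signature via the public key.
func verifyData(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo exercises the three outcomes a reader of signed data can see and returns
// (intact, tampered, wrongKey): only the untouched data with Peter's key verifies.
func demo() (intact, tampered, wrongKey bool) {
	peter, _ := rsa.GenerateKey(rand.Reader, 2048) // Peter's private/public key pair
	john, _ := rsa.GenerateKey(rand.Reader, 2048)  // somebody else's key pair
	msg := []byte("constructed sample: pay 100 EUR to account A")
	sig, _ := signData(peter, msg)

	intact = verifyData(&peter.PublicKey, msg, sig)
	altered := append([]byte(nil), msg...)
	altered[len(altered)-1] = 'B' // a single byte changed after signing
	tampered = verifyData(&peter.PublicKey, altered, sig)
	wrongKey = verifyData(&john.PublicKey, msg, sig) // Peter's signature is not John's
	return intact, tampered, wrongKey
}

func main() {
	intact, tampered, wrongKey := demo()
	fmt.Println(intact, tampered, wrongKey) // prints: true false false
}
```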

The mechanism that provides a safe binding between the signer's identity and his public key is called a Digital Certificate.

Digital Certificate

The digital certificate is like an ID card identifying its owner. It safely binds the public key to a particular signer (e.g. a person, company or organization). The digital certificate is typically issued by a trusted authority, called a Certificate Authority (CA). This means there is a mutually trusted third party that can be asked to create the digital certificate. This trusted authority verifies the real identity of the applicant and then generates the private key and the corresponding public key. The name of the owner and other public information, including the public key and the validity period, is then digitally signed by the certificate authority and put into one file, which is called the public digital certificate.
Therefore, the applicant receives two things from the certificate authority: the private key and the public digital certificate.
The trick is that the public certificate is digitally signed by the certificate authority, so it is not easy to alter the name and the associated public key inside it. E.g. if somebody changes the public key or the name, the digital signature from the certificate authority would not match anymore.

The owner of the certificate can sign data with his private key and then attach his public certificate directly to the signed data. The reader then uses the attached certificate to obtain the public key needed to decrypt the signature.

Signing data and attaching the digital certificate:
  1. A checksum (e.g. SHA1) is calculated from the data.
  2. The checksum is encrypted with the signer's private key => this encrypted checksum is the digital signature.
  3. The data is provided together with the signature and the digital certificate.

Reading signed data with attached certificate:
  1. The validity of the attached certificate is evaluated: whether it was issued by a trusted authority, whether it was not altered and whether it is still within its validity period.
  2. A checksum is calculated from the received data.
  3. The public key from the certificate is used to decrypt the digital signature (the checksum) attached to the message.
  4. If the decrypted checksum is the same as the checksum calculated in step 2, then the data was not altered and it originates from the declared sender.
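The certificate flow, as an added Go example that is not part of the original post, built from the standard library's x509 package with a toy root CA constructed in memory. It assumes key pairs are generated by their owners and the CA only certifies Peter's public key (in the text the CA generates the keys), and uses SHA-256 with RSA; it runs reading steps 1-4 for Peter's genuine certificate and also for the fake-key scenario from the previous section, where a forger's self-signed certificate claiming to be "Peter" is rejected at step 1.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert binds name to pub in a certificate signed with signerKey; a nil issuer yields a self-signed CA certificate.
func issueCert(serial int64, name string, pub *rsa.PublicKey, issuer *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if issuer == nil { // self-signed: the trusted root, or a forger asserting a name on his own
		tmpl.IsCA, tmpl.KeyUsage, issuer = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der) // der is nil if creation failed; err carries that failure
	return cert, err
}

// verifySigned: step 1 validates the attached certificate against the trusted root; steps 2-4 hash the data and check the signature with the certificate's public key.
func verifySigned(root, attached *x509.Certificate, data, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := attached.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // x509.UnknownAuthorityError when not issued by the trusted CA (also catches altered or expired certificates)
	}
	return attached.CheckSignature(x509.SHA256WithRSA, data, sig) // hashes data, then verifies the signature
}

// certDemo returns nil for Peter's CA-issued certificate and an error for a forger's self-signed "Peter" certificate.
func certDemo() (genuineErr, forgedErr error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root, _ := issueCert(1, "Trusted CA", &caKey.PublicKey, nil, caKey)
	peterKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	peterCert, _ := issueCert(2, "Peter", &peterKey.PublicKey, root, caKey)
	fakeKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the forger's own key pair
	fakeCert, _ := issueCert(3, "Peter", &fakeKey.PublicKey, nil, fakeKey)
	data := []byte("constructed sample message")
	digest := sha256.Sum256(data)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, peterKey, crypto.SHA256, digest[:])
	fakeSig, _ := rsa.SignPKCS1v15(rand.Reader, fakeKey, crypto.SHA256, digest[:])
	return verifySigned(root, peterCert, data, sig), verifySigned(root, fakeCert, data, fakeSig)
}
```

The forged signature would verify under the forger's own public key, but that key never gets used: trust comes from the root pool, not from the name written in the certificate.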


3 comments:

  1. This short explanation is very powerful. It helped me to learn so much about digital signatures and the complete process of how they work. Thanks for this great piece of information.

  2. Nice job!!

    Thanks for sharing valuable information. We are regular blog readers and see this post is very helpful for Digital Signature buyers. Anyone can easily understand all features of digital signatures by reading this info.

    Keep up-to-date info about Digital Signature.

  3. Very nice blog post!

    I read your blog information and feel very happy and satisfied. I expect all blog readers will be happy.

    Thanks for sharing valuable info.