What Are Digital Signatures?

A digital signature does two things. First, it is a mechanism used to verify that a message, file, or other digital object has not been modified since it was signed. Second, it identifies the person (or persons) who signed the message, file, or other object.

You might be thinking, "Big deal!" You can make sure that a message or file hasn't been modified by making a hash of the message before sending it and then making a second hash after receiving it. You can then compare the two hashes to make sure that the message hasn't been modified.

To verify who created the first hash of the message, you could encrypt it using the sender's private key. This would mean that the recipient has to use the sender's public key to decrypt the hash before comparing the pre- and post-sending hashes. This process will verify who created the hash.

In a nutshell, this series of steps is what digital signatures do. A digital signature is created by first creating a hash of the message to be signed. The hash is then "signed" using the private key of the signer. This means that the hash is encrypted using an algorithm designed specifically for use in signing messages. This algorithm is designed not to keep the hash secret, but to prevent any possible modifications or other tampering with the hash. The whole process of creating a digital signature is illustrated in Figure 8.1.

Note

The primary aspect of digital signatures that has been left out of this description is the formatting of the signatures and signed messages. There are standard message formatting rules, which treat the entire signed message as a type structure, that you need to follow to be able to freely exchange signed messages with other people and applications. By using API functions that sign messages for you, the formatting is taken care of for you.


The signature is verified by the recipient creating his or her own hash of the original message. Then the new hash, the sender's public key (or rather the certificate that contains the sender's public key), and the signature are fed into a signature verification algorithm. This algorithm decrypts the signature using the sender's public key and then compares the hashes. If the hashes match, the signature is valid. This process is illustrated in Figure 8.2.

Figure 8.1. Creating a digital signature.


Figure 8.2. Verifying a digital signature.


Signatures can be packaged with the message or file that is being signed or can be kept separate. If a message or file needs to be signed by multiple people, it is often easier to keep the signatures separate from the message so that the later signers are not signing the signatures of the earlier signers. If this were the case, the signatures would have to be verified in a specific order and would be difficult to manage if you needed to be able to verify only a specific signature.
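The hash-then-sign and verify steps described above, together with detached signatures from two signers over the same message, as an added example that is not part of the original text. It uses textbook RSA with no padding or message formatting (the part the Note says a signing API handles for you), and the keys are built from publicly known Mersenne primes, so it is for illustration only; `toy_keypair`, `verify_detached`, the signer names, and the sample message are assumptions made for this example.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def toy_keypair(a, b):
    """Demo-only key built from the known Mersenne primes 2**a-1 and 2**b-1."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)              # (public key, private key)

def digest(message: bytes) -> int:
    """SHA-256 hash of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(message), d, n)    # transform the hash with the private key

def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    recovered = pow(signature, e, n)     # recover the signed hash with the public key
    return recovered == digest(message)  # compare with a freshly computed hash

def verify_detached(message, signatures, public_keys):
    """Check each detached signature on its own, in any order."""
    return {who: verify(message, sig, public_keys[who])
            for who, sig in signatures.items()}

# Constructed sample data: two signers, one message, signatures kept separate.
ALICE_PUB, ALICE_PRIV = toy_keypair(521, 607)
BOB_PUB, BOB_PRIV = toy_keypair(1279, 2203)
CONTRACT = b"Pay 100 units to account 42"
PUBLIC_KEYS = {"alice": ALICE_PUB, "bob": BOB_PUB}
# Each signer signs the message itself, never another signer's signature.
DETACHED = {"alice": sign(CONTRACT, ALICE_PRIV),
            "bob": sign(CONTRACT, BOB_PRIV)}

if __name__ == "__main__":
    print("original:", verify_detached(CONTRACT, DETACHED, PUBLIC_KEYS))
    print("tampered:", verify_detached(CONTRACT + b"0", DETACHED, PUBLIC_KEYS))
```

Because each signature covers only the message, either one can be checked without the other; a single changed byte in the message makes both fail.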
