What Are Digital Signatures?
A digital signature does not involve taking your handwritten signature and scanning it into your computer; however, it is similar. A digital signature is unique to you, like a fingerprint or a handwritten signature is. A digital signature is a seal put on a digital piece of information (such as a file or an e-mail message). As an example, a digital signature can be attached to an electronic transaction (such as an e-mail) to let the recipient of the transaction know with a high degree of certainty that it was really you who sent it. Let's take a look at what makes digital signatures work.
Digital signatures are a byproduct of public key cryptography. We have been discussing public key cryptography as it relates to PGP, SSL, and digital certificates. In all cases, public key cryptography remains the same. It allows security and privacy of information exchanges by allowing you to possess two keys: a public key and a private key. Bob distributes the public key to anybody who will be communicating with him, such as Alice, and he keeps the private key to himself. Alice, in turn, uses the public key to encrypt data that is destined for Bob. When Bob gets the encrypted data, only he can decrypt it by using his private key. Nobody else has his private key, and security is maintained because the public key does not jeopardize the private key.
A digital signature is made by first producing a one-way hash (a unique identifier, similar to a fingerprint) of the original data and then encrypting that hash with the private key. Let's make sense of this sentence now. Remember that this process is the same whether using PGP or an X.509-based digital certificate. Bob wants to send Alice a signed e-mail message so that she knows with a high degree of certainty that it was really sent by Bob. Bob composes his e-mail message, clicks the Sign the Message button, and clicks Send. The following steps happen next:
1. |
The contents of the message are calculated with a mathematical equation to produce a unique hash (see the Chapter 12 section “Hashing Algorithms”). This unique hash is like a fingerprint for the message. If a single letter in Bob's message were to be changed, a recalculated hash would be completely different from the original. |
2. |
This unique hash is then encrypted with Bob's private key. This keeps the hash private and secure while it is being delivered. It is encrypted in such a way that only Bob's public key will be able to decrypt it. This “encrypted hash” is essentially the digital signature. |
3. |
Alice receives the message and her e-mail software recognizes that a digital signature is associated with it. Because the message is from Bob, her software uses his public key to decrypt the digital signature and reveal the original, unique hash. Her software then performs the same calculation on the message to produce a new hash. The new hash is compared against the original hash. If the two match, it is determined that the message is authentic (really sent by Bob) and it has not been tampered with along the way. If the messages do not match, then either the message has been tampered with and modified, or the message might have been created with a private key that doesn't correspond to Bob's public key. |
Although encryption and decryption solve the problem of privacy by preventing outsiders from reading data sent to you, they do not by themselves address the problem that the data can be modified in transit, or that the data is actually from who you think it is from. That is where digital signatures step in. These little fingerprints actually solve two major security problems:
Tamper detection
Identification and authenticity
Digital signatures are comparable to handwritten signatures. Handwritten signatures are used to validate credit card purchases, contract agreements, and many other documents. They provide a high degree of non-repudiation. That is, after you have signed a document, it is difficult for you to deny having signed it later. The same holds true for digital signatures. Provided that your private key is not lost, stolen, or compromised, a digital signature can be considered as unique and legally binding (in some cases) as your handwritten signature.
Why would you want to use digital certificates and signatures? Here are some reasons:
To build trusted relationships online
To prove your identity online
To verify other people's identity online
To prove that messages exchanged have not been tampered with
To keep communications private and unreadable by eavesdroppers
To protect yourself and your family