Digital Signature

A digital signature is a small amount of data created using a secret (private) key. The corresponding public key can be used to verify that the signature was really generated with that private key. The algorithm used to generate the signature must be such that, without knowing the secret key, it is not possible to create a signature that would verify as valid.

Digital signatures are used to verify that a message really comes from the claimed sender (assuming only the sender knows the secret key corresponding to his/her public key). They can also be used to timestamp documents: a trusted party signs the document and its timestamp with his/her secret key, thus testifying that the document existed at the stated time.

Digital signatures can also be used to testify (or certify) that a public key belongs to a particular person. This is done by signing the combination of the key and the information about its owner with a trusted key.

A digital signature of an arbitrary document is typically created by computing a message digest from the document and concatenating it with information about the signer, a timestamp, etc. The resulting string is then encrypted with the signer's private key using a suitable algorithm. The resulting encrypted block of bits is the signature. It is often distributed together with information about the public key that was used to sign it.

To verify a signature, the recipient first determines whether it trusts that the key belongs to the person it is supposed to belong to (using the web of trust or a priori knowledge), and then decrypts the signature using that person's public key. If the signature decrypts properly and the information matches that of the message (proper message digest etc.), the signature is accepted as valid.

A digital signature is created as follows:
  • A "digest" of the data is created. The digest is a short length of binary information and is based entirely on the contents of the data. A hashing algorithm such as MD4 or SHA is used to create the "hash" or digest. Hashing algorithms are designed such that changing just one character in the message would result in a different hashed value.
  • The hash is then encrypted using the private key of the person who is sending the message.
  • The encrypted digest is known as a "digital signature" and is attached to the message when it is sent.
When the message is received:
  • A hash of the message is again created, using the same hashing algorithm.
  • The sender's public key is used to decrypt the digital signature, and this is compared to the digest of the message that has been generated by the receiver's software.
  • If both hashes are the same, then the data in the message has not been altered during transmission.
Given that only the owner of the digital certificate can create the digital signature (because they are the only person who has access to their private key), attaching a digital signature to a transmission also proves the identity of the person who sent it.
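
The sign and verify steps listed above, as an added example that is not part of the original page: RSA with SHA-256 and PKCS#1 v1.5 signature padding (RFC 8017), written with the Python standard library only. The key is a constructed toy key built from two publicly known Mersenne primes, so it is insecure and exists only to let the example run offline; the function names and the sample message are assumptions of this example.

```python
import hashlib
import hmac

# Constructed toy key: two publicly known Mersenne primes. Insecure by design
# (the factors are public); it only lets the example run without a key file.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER DigestInfo header that identifies SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(message: bytes) -> int:
    """Hash the message, then pad the digest to modulus size (EMSA-PKCS1-v1_5)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    padded = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(padded, "big")


def sign(message: bytes) -> bytes:
    """Sender: apply the private-key operation to the padded digest."""
    return pow(encode_digest(message), D, N).to_bytes(K, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Receiver: recover the padded digest with the public key and compare it
    with one recomputed from the received message."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    expected = encode_digest(message).to_bytes(K, "big")
    # Compare the whole padded block, not just a parsed-out digest.
    return hmac.compare_digest(recovered, expected)


def demo() -> dict:
    msg = b"Pay Bob 100 EUR"             # constructed sample message
    sig = sign(msg)
    flipped = bytes([sig[0] ^ 1]) + sig[1:]   # one bit of the signature changed
    return {
        "valid": verify(msg, sig),
        "altered_message": verify(b"Pay Bob 900 EUR", sig),
        "altered_signature": verify(msg, flipped),
    }
```

Comparing the full re-encoded block, rather than stripping the padding and reading out the digest, keeps the verifier from accepting signatures whose padding is malformed.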

Several methods for making and verifying digital signatures are available. The most widely known algorithm is RSA.
Digital Certificates
One meaning of "certificate" is "a document testifying to the truth of something". A digital certificate is an electronic "certificate" that contains information about a user and is used (among other things) to verify who the user is. Digital certificates make use of Public Key Cryptography. The public key is stored as part of the digital certificate. The private key is kept on the user's computer, or in some hardware such as smart cards, i-keys etc.

Digital certificates are based on the IETF X.509 series of documents.

The main uses of digital certificates are:

  • Proving the identity of the sender of a transaction, non-repudiation and checking the integrity of transmitted data (via the use of digital signatures).
  • Encryption
  • Single sign-on (the digital certificate can be used as an authorization key to connect to computer systems.)
If digital certificates are to be used for security and identification purposes, all of the following conditions must be met:
  • Every certificate is unique.
  • The owner of a certificate has been fully identified. Every digital certificate is signed by the Certificate Authority (CA) that issues it. In issuing a certificate, the CA is basically saying that it has identified the user, and that the user really is who they claim to be. To be able to trust a digital certificate, the CA needs to have fully identified the customer before issuing the certificate (or be satisfied that some other entity has adequately performed such identification).
  • A private key can only be used by the owner of the certificate. As with all authentication schemes, the onus is on the user to keep the private key private. Usually a password, a smart card or a biometric device is used to lock the private key and prevent others from using it.