Cryptography - Digital Signature (Signing)

> Software Security > Cryptography - Key

1 - About

A digital signature is a mathematical scheme to prove a message came from a particular sender. Digital signature schemes can then be used for:

Digital Signature is a component of the public key cryptography scheme. See Public Key - Digital Signature

Advertising

3 - Postal Analogy

An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the unique seal authenticates the sender.

4 - Key Usage

  • the sender's private key signed the message (signatures are computed with the private key)
  • the sender's public key verifies the message (the receiver do it and it needs to know only the corresponding public key to verify the message)

5 - Procedure

5.1 - Signature

A signing algorithm given a message and a private key, produces a signature.

To sign a message, the sender

  • will compute the hash of the message
  • will encrypt the hash with its private key,
  • will add the encrypted hash and its signed certificate with the message.

An other advantage of signing messages is that the public key and certificate are automatically send.

5.1.1 - Two ways

There are usually 2 ways to sign:

Signing method Message Human Readable Encryption difficulty
encapsulating the text message inside the signature (with delimiters) Yes Difficult
encoding the message altogether with the signature no (message has been tampered with) Simple (decryption with the embedded public key)
Advertising

5.2 - Verification

A signature verifying algorithm given the message, public key and signature, either accepts or rejects the message's claim to authenticity.

  • ie to verify whether the signature was valid
  • ie made by the owner of the corresponding private key

The verification:

  • authenticate the sender. It proves that the sender had access to the private key and is then a known sender
  • ensures that the message has not been altered. The signature is mathematically bound to the original message, the verification will fail for any other message (no matter how similar it is from the original one).

The recipient will:

  • recalculate the message hash,
  • decrypts the encrypted hash using the public key stored in the signed certificate,
  • check that both hash are equals

6 - Documentation / Reference

Advertising