
Digital signatures

September 28th, 2007

A digital signature is a block of data created using a secret (private) key, such that the corresponding public key can be used to verify that the signature was generated with that private key. The algorithm used to generate the signature must be such that, without knowing the secret key, it is infeasible to create a signature that would verify as valid.

Digital signatures are used to:

  • verify that a message really comes from the claimed sender (assuming that only the sender knows the secret key corresponding to his/her public key)

  • time-stamp documents
    A trusted party signs the document and its time stamp with his/her secret key, thus testifying that the document existed at the stated time.

  • testify (or certify) that a public key belongs to a particular person
    This is done by signing the combination of the key and the information about its owner with a trusted key. The reason for trusting that key may again be that it was signed by another trusted key. Eventually, some key must be a root of the trust hierarchy (that is, it is trusted not because somebody signed it, but because you believe a priori that the key can be trusted). In a centralized key infrastructure, there are very few roots in the trust network (e.g., trusted government agencies). Such roots are also called certification authorities. In a distributed infrastructure, there need not be any universally accepted roots, and each party may have different trusted roots (such as the party’s own key and any keys signed by it). This is the web of trust concept used in, for example, PGP.

A digital signature of an arbitrary document is typically created by computing a message digest from the document, and concatenating it with information about the signer, a time stamp, and/or other data. The resulting string is then encrypted using the private key of the signer, using a suitable algorithm. The resulting encrypted block of bits is the signature. It is often distributed together with information about the public key that was used to sign it.

To verify a signature, the recipient first determines whether it trusts that the key belongs to the person it purports to belong to (using the web of trust or a priori knowledge), and then decrypts the signature using that person’s public key. If the signature decrypts properly and the information matches that of the message (proper message digest, etc.), the signature is accepted as valid.
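The signing and verification steps described above, as an added example that is not part of the original post: textbook RSA applied to a block holding the document digest, signer information and a time stamp. The demo key is constructed from two publicly known Mersenne primes and is therefore not secure; the function names, the block layout and the sample signer and time stamp are assumptions of this example.

```python
import hashlib
import hmac

# Constructed demo key from two publicly known Mersenne primes: NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8            # modulus length in bytes

def build_block(document: bytes, signer: str, timestamp: str) -> bytes:
    """Digest of the document followed by signer info and a time stamp,
    left-padded to the modulus size (layout is an assumption of this example)."""
    if "|" in signer:
        raise ValueError("'|' is the field separator and may not appear in signer")
    payload = hashlib.sha256(document).digest() + f"{signer}|{timestamp}".encode()
    pad_len = K - 3 - len(payload)
    if pad_len < 8:
        raise ValueError("signer/timestamp too long for this key size")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + payload

def sign(document: bytes, signer: str, timestamp: str) -> bytes:
    """Apply the private-key operation to the block; the result is the signature."""
    m = int.from_bytes(build_block(document, signer, timestamp), "big")
    return pow(m, D, N).to_bytes(K, "big")

def verify(document: bytes, signature: bytes):
    """Return (signer, timestamp) if the signature matches the document, else None."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return None
    block = pow(s, E, N).to_bytes(K, "big")      # public-key operation
    sep = block.find(b"\x00", 2)                 # end of the 0xff padding
    if sep < 0:
        return None
    try:
        signer, _, timestamp = block[sep + 33:].decode().partition("|")
        # Rebuild the block from the received document and compare all of it,
        # so padding, digest and metadata are checked in one strict step.
        expected = build_block(document, signer, timestamp)
    except ValueError:                           # bad UTF-8 or oversized fields
        return None
    return (signer, timestamp) if hmac.compare_digest(block, expected) else None

if __name__ == "__main__":
    doc = b"Pay Bob 100 EUR"                     # constructed sample document
    sig = sign(doc, "alice@example.org", "2007-09-28T12:00:00Z")
    print(verify(doc, sig))                      # signer and time stamp
    print(verify(b"Pay Bob 900 EUR", sig))       # None: digest no longer matches
```

Deployed systems use a vetted library and a standardized encoding such as RSA-PSS rather than a hand-rolled block format like this one.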

Several methods for making and verifying digital signatures are freely available. The most widely known algorithm is RSA.


