What is a digital signature?
Posted February 15, 2015 7:22 PM
Some people have a hard time understanding what a digital signature is. Obviously it is not a signature you created in Photoshop and used as your Outlook signature. If it were that simple, there would be no confusion to begin with. In order to understand the digital signature you need to understand a little bit about encryption and keys. Imagine that you are sending a very important electronic message to someone: how do you prove to the receiver that it was definitely you who sent that message and that no one has modified it on the way to the receiver? This is where digital signatures come into play. In the security world, a digital signature is identified as an integrity control. Digital signatures provide three very important functions.

Integrity: Receiver can detect whether the message has been modified
Authentication: Can verify the identity of the sender who signed the message
Nonrepudiation: Sender cannot claim later that he/she did not send the message

This is why the digital signature is a critical piece of security controls today. Let’s discuss some of the terminology here. We use encryption algorithms to encrypt a message and send the key to the receiver to decrypt the message. There are two types of algorithms: symmetric and asymmetric. In symmetric algorithms there is a single key, known as a secret key, shared between the sender and the receiver. In asymmetric algorithms, or public key systems, there are two keys involved: a public key and a private key. As the names imply, a public key can be known by everyone while the private key is just that: private. Public keys are listed in public directories and are available to anyone who wants to communicate with a person securely. Anyone can have a key pair consisting of a public key and a private key. Public key cryptography is a whole different subject, but while we are within the context of digital signatures let’s focus on just the private key.

There is another term that needs to be understood before defining a digital signature. A “one-way hash” is a function that takes a message of variable length and produces a string of fixed length. We call this value the hash value of the message. Algorithms such as the MD family, SHA and HAVAL can be used for one-way hashing.

So what exactly is a digital signature then? It is the hash value of a message, encrypted with the sender’s private key. So how does this provide integrity, authentication and nonrepudiation? For example, if you are sending a message to person A, you would first pass the message through a one-way hashing algorithm, and the resulting hash value would then be encrypted with your private key to produce the digital signature. You would then send the message along with your digital signature to person A. Upon receipt of the message, A would run the message through the same hashing algorithm and produce a hash value. Then A would decrypt the digital signature with the sender’s public key, which is freely available, to recover the hash value the sender computed. If the two hash values are the same, person A concludes that the message has NOT been modified by someone else on the way to A. This confirms the integrity of the message. Since the private key belongs only to the sender and no one else has access to it, it is proven that ONLY the sender could have sent the message, which provides authentication. It also provides nonrepudiation: because the hash value was signed with the sender’s private key, the sender cannot claim later that he/she did not send the message.

The digital signature only provides integrity, authentication and nonrepudiation; it does NOT provide confidentiality of the message. One would need to encrypt the message along with the digital signature to achieve solid security for the message.
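The sign-and-verify exchange described above, as an added Python example (not code from the original post). It uses textbook RSA with toy keys constructed from known Mersenne primes, so it is for illustration only; deployed signature schemes add padding such as RSA-PSS, and all function and variable names here are assumptions.

```python
import hashlib

def make_key(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (toy key, constructed)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return (n, e), (n, d)              # (public key, private key)

def hash_to_int(message: bytes) -> int:
    """One-way hash: any-length message -> fixed-length SHA-256 value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then transform the hash with the private key."""
    n, d = private_key
    return pow(hash_to_int(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: recover the signed hash with the public key and compare it
    with a hash computed independently over the message that arrived."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == hash_to_int(message)

# Constructed keys from known Mersenne primes: trivially factorable, demo only.
SENDER_PUB, SENDER_PRIV = make_key(2**521 - 1, 2**127 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**607 - 1, 2**89 - 1)

def demo():
    message = b"Pay person A 100 dollars"    # constructed sample message
    tampered = b"Pay person A 900 dollars"   # same message altered in transit
    signature = sign(message, SENDER_PRIV)
    return {
        "untouched": verify(message, signature, SENDER_PUB),
        "modified_in_transit": verify(tampered, signature, SENDER_PUB),
        "signed_with_other_key": verify(message, sign(message, OTHER_PRIV), SENDER_PUB),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: accepted={accepted}")
```

The message travels in the clear in all three cases, which is the point made above about the signature not providing confidentiality.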

I hope that you now have some understanding about digital signatures and why they are very important in the information security world. 


Blog Author: Nimal Gunarathna, P.Eng, CISSP, CISA, CCSK, CRISC, PMP, CISM
Nimal is a senior information security architect with experience in applications, platforms and networks, along with risk and compliance management. He was in the high-tech industry for over two decades, in telecom, aerospace and finance, in many different business areas, developing software and architecture and managing risk and compliance. Currently Nimal works at one of the global Fortune 500 companies as a Senior Information Security Architect. He writes blogs related to information security. Nimal loves to travel, and occasionally he writes about his trips as well.

Tags: digital signature, security
File Under: education