Cryptography Public Key - Digital Signature (Signing)

About

A digital signature is:

Usage

Digital signature schemes are used for:

  • sender authentication (no one can impersonate the sender, it proves that the message came from a particular sender)
  • and non-repudiation (The sender cannot deny having sent the message)

Postal Analogy

An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the unique seal authenticates the sender.

Key Usage

Asymmetric

In a asymmetric scheme (public key cryptography scheme), there is two keys:

  • the sender's private key signed the message (hash signatures are computed with the private key)
  • the sender's public key verifies the message (the receiver do it and it needs to know only the corresponding public key to verify the message)

An advantage of signing messages is that the public key and certificate are automatically send.

See also Public Key - Digital Signature

Symmetric

In a symmetric scheme, the same key is used to:

  • sign (create the hash)
  • verify (create the hash and verify that it's the same)

Example: JsonWebToken

Procedure

Signature

A signing algorithm given a message and a secret (private or shared key), produces a signature.

To sign a message, the sender

  • will compute the hash of the message with the secret
  • will add the encrypted hash (the signature) with the message.
  • will add its signed certificate to the message (in case of asymmetric scheme)

You can see an example of signature procedure with the issuing of certificate

Two ways

There are usually 2 ways to sign:

Signing method Message Human Readable Encryption difficulty
encapsulating the text message inside the signature (with delimiters) Yes Difficult
encoding the message altogether with the signature no (message has been tampered with) Simple (decryption with the embedded public key)

Verification

A signature verifying algorithm given a message, will either:

  • accepts: the signature hash is valid
  • or rejects: the signature hash is not valid)

the message's claim to authenticity:

The verification:

  • authenticate the sender. It proves that the sender had access to the shared or private key and is then a known sender
  • ensures that the message has not been altered. The signature is mathematically bound to the original message, the verification will fail for any other message (no matter how similar it is from the original one).

The recipient will:

  • recalculate the message hash,
  • decrypts the encrypted hash using:
    • the public key stored in the signed certificate (asymmetric scheme)
    • or the shared key (symmetric scheme)
  • check that both hash are equals
  • check the certificate (in case of asymmetric scheme)

1) 2)


Powered by ComboStrap