Digital Signature

A Digital Signature is not your handwritten signature scanned into a jpeg. That is not bound to you in any way, and anyone can affix it to a document.

A real Digital Signature is a binary object that is bound to you, that only you can affix to a document (since you are the only person that has your private key), and anyone can verify that it is your digital signature. Furthermore, a Digital Signature provides message integrity, so any change at all to the document since you signed it can be easily detected by anyone.

You create a message digest of the document you want to sign, then encrypt that using some asymmetric key algorithm and your private key. The encrypted message digest is your digital signature. Anyone can validate your signature by decrypting the signature using your public key (after validating your certificate). This yields the recovered message digest. They then produce a new message digest of the received document. If those two digests match, it’s a valid signature. This provides the recipient with three things:

    • Sender Authentication – nobody but you could have produced a signature that validates with your digital certificate (since only you have the necessary private key to to this).
    • Message Integrity – had their been any changes whatsoever to the message after you signed it, the signature would fail. It cannot prevent changes to the message, but it can definitely detect them – even a single bit in a digital copy of War and Peace.
    • Non-repudiation – since you are the only one who could have signed it, you cannot repudiate it having come from you. Don’t sign any message that might incriminate you!

Note that a digital signature does not provide any privacy. That requires a digital envelope. The Message (M) is still in plaintext and anyone can read it. It cannot detect whether anyone has read your message along the way.

Creating a Digital Signature

Alice (the sender) produces a digest (MD) from the message (M).

The MD is encrypted using RSA and Alice’s private key, producing the signature (EMD for Encrypted Message Digest).

The message (M), the signature (EMD) and the Alice’s certificate (Cert) are then sent to Bob.

Validating a Digital Signature

Bob receives the Message (M), the Signature (EMD) and Alice’s Certificate (Cert) from Alice.

He generates a new message digest (MD’) from the Message  (M).

He extracts Alice’s public key (Kpub) from her certificate (after validating it)

He then decrypts the signature (EMD) using RSA-1 and Alice’s public key (Kpub), which yields the recovered message digest (MD”)

Finally he compares MD’ and MD”. If they match, it’s a good signature.

Uses of Digital Signatures

Digital Signatures are used in S/MIME Email to authenticate the sender to the recipient. If the sender wants for the recipient to acknowledge receipt of the message and authenticate themselves to the sender, the recipient must return a signed receipt (most S/MIME compliant E-mail clients have the ability to do that).

Digital Signatures are used in Digital Certificates to insure than nothing in the certificate can be changed without detection, and to let everyone know for certain that the certificate was issued by the CA shown in the Issuer Distinguished Name.

You can affix a Digital Signature to any digital document or file to detect changes and to establish who signed it. This includes PDF files, drawings, MS Office documents, etc. You can even digitally sign binary files, like images or digitized music. Not all applications support adding or verifying a Digital Signature, but you can create a signed document that include any of these, for example an S/MIME email with attachments. MS Office allows affixing and validating Digital Signatures in any Office document. Adobe supports adding digital signatures to a PDF document and validating them.

From here, proceed to Digital Envelope.