Unit 3 Section 6.4: Internet Security
Digital Signatures and Certificates
To prove that an electronic message is genuine, a sender can digitally sign the message. This means that any tampering with the message can be detected, and the signature is proof that it was sent by the correct person. Digital signatures use asymmetric encryption. The process to send a message is as follows:
A digest (also known as a hash) is produced from the message using a hash function. The digest is a much reduced version of the original message (it is not possible to change a message digest back into the original message from which it was created).
[Diagram: Message → Hash Function → Digest]
The digest is then encrypted using the sender’s private key. The sender’s private key must be used instead of the receiver’s public key to prove it has been encrypted by the sender. The encrypted digest result is the digital signature.
[Diagram: Digest → Encrypt using sender’s private key → Encrypted Digest (Digital Signature)]
The encrypted digest (digital signature) is then appended to the original message.
[Diagram: Message appended with Digital Signature]
The message and digital signature are then encrypted using the receiver’s public key. The receiver’s public key must be used here so that only the receiver can decrypt the message with the private key.
[Diagram: Message and Digital Signature → Encrypt using receiver’s public key → Encrypted Message]
The encrypted message is then sent by electronic mail.
[Diagram: Encrypted Message → Send by e-mail]
The process to verify that a message is genuine is as follows:
The message and signature are decrypted using the receiver’s private key.
[Diagram: Encrypted Message → Decrypt using receiver’s private key → Message and Digital Signature]
The decrypted message is then separated into the original message and digital signature.
[Diagram: Separate Digital Signature from Message]
The digital signature (encrypted digest) is then decrypted using the sender’s public key. This proves it has been sent by the person who owns the private key.
[Diagram: Digital Signature (Encrypted Digest) → Decrypt using sender’s public key → Decrypted Digest]
A new digest is produced from the original message using the same hash function as the original digest.
[Diagram: Message → Hash Function → New Digest]
The decrypted digest is then compared to the new digest. If the decrypted digest is the same as the new digest then the message has not been tampered with.
[Diagram: Decrypted Digest compared with New Digest]
Although this process sounds complicated, it is all handled by the signing software, so messages can be signed and received using a simple click.
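The send and verify steps above, traced in code as an added example that is not part of the original slides. It assumes unpadded textbook RSA with constructed toy keys and SHA-256 as the hash function, and the function names are hypothetical; real signing software adds padding and uses secret, randomly generated keys.

```python
import hashlib

E = 65537  # public exponent used by both toy key pairs

def make_key(p, q):
    """Return (n, d): public modulus and private exponent for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys built from well-known Mersenne primes (assumption for the
# demo only; real keys come from secret random primes).
SENDER_N, SENDER_D = make_key(2**521 - 1, 2**607 - 1)
RECEIVER_N, RECEIVER_D = make_key(2**1279 - 1, 2**2203 - 1)
SIG_LEN = (SENDER_N.bit_length() + 7) // 8  # fixed signature size in bytes

def digest(message):
    """Hash function: reduce the message to a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message):
    """Encrypt the digest with the sender's private key: the digital signature."""
    return pow(digest(message), SENDER_D, SENDER_N).to_bytes(SIG_LEN, "big")

def seal(message, signature):
    """Append the signature, then encrypt both with the receiver's public key."""
    payload = b"\x01" + message + signature  # 0x01 marker keeps leading zero bytes
    m = int.from_bytes(payload, "big")
    if m >= RECEIVER_N:
        raise ValueError("message too long for one toy RSA block")
    return pow(m, E, RECEIVER_N)

def send(message):
    return seal(message, sign(message))

def receive(ciphertext):
    """Return (message, genuine) after the verification steps."""
    m = pow(ciphertext, RECEIVER_D, RECEIVER_N)            # receiver's private key
    payload = m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    message, signature = payload[:-SIG_LEN], payload[-SIG_LEN:]  # separate
    decrypted = pow(int.from_bytes(signature, "big"), E, SENDER_N)  # sender's public key
    return message, decrypted == digest(message)           # compare the two digests

if __name__ == "__main__":
    print(receive(send(b"Meet at noon")))                          # genuine
    print(receive(seal(b"Meet at nine", sign(b"Meet at noon"))))   # altered after signing
```

The second call pairs a changed message with a signature made for the original text, so the decrypted digest and the new digest differ and the message is reported as not genuine.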
A digital certificate is issued by a certification authority. It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.