Tuesday, August 23, 2016

Cyber Security: Cryptography - Digital signatures and certificates

https://view.vzaar.com/6632179/video


Hashing can show that data has not changed in transmission, but on its own cannot demonstrate that the data originated with its supposed author. To do that, a digital signature should be used.
Digital signatures use the sender’s private key to encrypt the hash. Previously, you learned how documents can be encrypted with a public key which can be used by anyone, but can only be decrypted using the corresponding private key known only to the owner.

Encrypting data using the private key isn’t suitable for securing secrets (as anyone with access to the public key could decrypt it). However, it is perfectly possible to encrypt a hash using the private key so that the hash can be decrypted and compared by anyone possessing the matching public key. This can be used to provide authenticity since the encrypted hash must have been produced by the holder of the private key – hence the name digital signature.

Case study: Alice and Bob
Imagine that Alice wants to send the company’s quarterly profit statement to Bob, who works in the financial markets, for public announcement. Both Alice and Bob want confidence that the quarterly profit statement has not been intercepted by Eve en route and altered.


Alice will therefore produce a hash of the quarterly profit statement and then encrypt this with her private key to produce a digital signature. Alice will then include the digital signature with the quarterly profit statement and send this to Bob (depending on any time-bound sensitivities, she may or may not encrypt this with Bob’s public key).

Upon receipt, Bob will decrypt the digital signature using Alice’s corresponding public key to reveal the hash (again, depending on any time-bound sensitivities, he may first decrypt the entire message using his private key). Bob will then calculate a hash of the quarterly profit statement and compare this with the hash he recovered from the signature that Alice sent. If the hashes are the same, then both Bob and Alice can be confident that the quarterly profit statement was not altered en route by Eve.

Digital signatures do not provide us with complete confidence in the author or originator. Just because a digitally signed document claims to come from a person or a company, it doesn’t mean that it actually did; a malicious individual could masquerade as the sender by producing their own public/private key pair and using it to produce digital signatures.

Case study: Alice and Bob
Imagine that a digitally signed business invoice arrives in Alice’s mailbox from Bob. She uses Bob’s public key from a public key server to decrypt the digital signature and validate the business invoice by comparing the hashes. Alice, assuring herself that it is Bob (as the hashes are the same), follows the instructions and transfers money to the account details in the business invoice.


A few weeks later, Alice receives an angry email from Bob because he has not been paid. After a bank investigation she finds out that she had transferred the money to Eve by mistake – so what went wrong?

It’s clear that the business invoice and the associated signature did not come from Bob; instead, the signed business invoice actually came from Eve. Eve used Bob’s personal information to create a new key pair in Bob’s name and placed a copy of the public key on a public key server. Eve then used her corresponding private key to sign the business invoice and sent it to Alice.

Alice, convinced that the document was a genuine business invoice from Bob (as it included what she believed to be his digital signature), followed the instructions and paid money into an account belonging to Eve – oh dear!


Digital certificates help us overcome this problem. A digital certificate is a means of binding public keys to their owner. These are issued by Certificate Authorities (CAs), who validate the owners of public keys. The CA does this by validating (through various processes) the identity of the owner of the public key. Once it has done this, it will bind the public key to a digital certificate and sign it using its private key to attest authenticity. The CA’s public key is available to all parties who need to validate the CA’s assertion of public key ownership.

Case study: Alice and Bob
So, this prevents Eve from creating a key pair of her own and claiming that the corresponding public key is Bob’s. If Eve were now to send a business invoice appearing to be signed by Bob, when Alice uses Bob’s validated public key to try to decrypt the hash and compare it with her own, this will not work; she would know that something was wrong and (hopefully) not transfer money to Eve.
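
The three case studies above, as an added example that is not part of the original article: textbook RSA in Python's standard library, following the article's "encrypt the hash with the private key" model. The key factors (publicly known Mersenne primes), the helper names and the invoice text are constructed for illustration, and the padding that real signature schemes require is omitted.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (constructed, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, key):
    # "Encrypt" the hash with the private exponent, as the article describes.
    return pow(h(data), key["d"], key["n"])

def verify(data, sig, pub):
    # Recover the hash with the public key and compare it with a fresh hash.
    return pow(sig, pub["e"], pub["n"]) == h(data)

def cert_body(name, pub):
    return f"{name}|{pub['n']}|{pub['e']}".encode()

def issue_cert(name, pub, ca_key):
    # The CA signs the binding between an owner's name and a public key.
    return {"name": name, "pub": pub, "ca_sig": sign(cert_body(name, pub), ca_key)}

def verify_with_cert(data, sig, cert, expected_name, ca_pub):
    bound = verify(cert_body(cert["name"], cert["pub"]), cert["ca_sig"], ca_pub)
    if cert["name"] != expected_name or not bound:
        return False  # the CA never bound this key to the claimed owner
    return verify(data, sig, cert["pub"])

bob, eve, ca = make_key(521, 607), make_key(1279, 2203), make_key(2281, 3217)
invoice = b"Invoice: pay 5000 to account 12-34-56 (constructed sample)"

def demo():
    eve_sig, bob_sig = sign(invoice, eve), sign(invoice, bob)
    # Case study 2: the key server hands Alice Eve's key filed under Bob's name.
    no_cert = verify(invoice, eve_sig, public(eve))
    # Case study 3: Eve has no CA private key, so her "Bob" certificate is self-signed.
    forged = issue_cert("Bob", public(eve), eve)
    genuine = issue_cert("Bob", public(bob), ca)
    return (no_cert,
            verify_with_cert(invoice, eve_sig, forged, "Bob", public(ca)),
            verify_with_cert(invoice, bob_sig, genuine, "Bob", public(ca)),
            verify_with_cert(invoice + b"!", bob_sig, genuine, "Bob", public(ca)))
```

`demo()` returns `(True, False, True, False)`: Eve's signature verifies against an unvalidated key, is rejected once the CA's binding is checked, and Bob's genuine signature stops verifying as soon as the invoice is altered.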

https://www.futurelearn.com/courses/introduction-to-cyber-security/8/steps/83113
© The Open University

13 comments:

  1. I read an article under the same title some time ago, but this article's quality is much, much better. How do you do this?

  2. Thanks for sharing. I would like to share my thoughts on digital signature certificate. Digital signature certificate uses a Public Key Technology, meaning data that is digitally signed or authenticated by a private key can only be decrypted by the corresponding public key.

  3. Excellent Blog. I can configure my new idea from this post. Detailed information is given. Thank you all for this valuable information Digital Signature

  4. Get the class 3 progressed engrave affirmation and give your business the force it merits. Visit Vakilsearch site to get Class 3 digital signature

  5. Very useful content, Reach out for class 3 digital signature by visiting on the following link class 3 digital signature

  6. Gratitude for sharing, Contact Vakilsearch to get Digital Signature Certificate

  7. Digital signatures have really improved the security level of Signing to make the documents secure. Any kind of temperament with digital signature is really not easy.

  8. Very nice blog post, thank you for sharing great experience.

    manage your document click here.

    Digital Signature Software in Gurgaon

  9. A digital signature certificate is a document that contains a digital signature that can be used to authenticate the identity of the certificate holder. Thank you for the valuable blog. It is very helpful. To know more visit: Digital Signature

  10. Nice information about cryptography

    Click here to get a digital signature that will authenticate your identity on various online portal and submit your documents securely and successfully.
