 Bob |  |  (Bob's public key)  (Bob's private key) |
| Bob's Co-workers: | ||||
 |  |  | | Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself |
| Pat | Doug | Susan | ||
Susan (shown below) can encrypt a message using Bob's Public Key. Bob uses his Private Key to decrypt the message. Any of Bob's coworkers might have access to the message Susan encrypted, but without Bob's Private Key, the data is worthless.
| | "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" |  | HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A |
| | HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A |  | "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" |
 |  |  |
| To sign a document, Bob's software will crunch down the data into just a few lines by a process called "hashing". These few lines are called a message digest. (It is not possible to change a message digest back into the original data from which it was created.) |
|  |  |
|  |  |
| | |
 | |
| First, Pat's software decrypts the signature (using Bob's public key) changing it back into a message digest. If this worked, then it proves that Bob signed the document, because only Bob has his private key. Pat's software then hashes the document data into a message digest. If the message digest is the same as the message digest created when the signature was decrypted, then Pat knows that the signed data has not been changed. |
| Doug (our disgruntled employee) wishes to deceive Pat. Doug makes sure that Pat receives a signed message and a public key that appears to belong to Bob. Unbeknownst to Pat, Doug deceitfully sent a key pair he created using Bob's name. Short of receiving Bob's public key from him in person, how can Pat be sure that Bob's public key is authentic? |
It just so happens that Susan works at the company's certificate authority center. Susan can create a digital certificate for Bob simply by signing Bob's public key as well as some information about Bob.
 |
Let's say that Bob sends a signed document to Pat. To verify the signature on the document, Pat's software first uses Susan's (the certificate authority's) public key to check the signature on Bob's certificate. Successful de-encryption of the certificate proves that Susan created it. After the certificate is de-encrypted, Pat's software can check if Bob is in good standing with the certificate authority and that all of the certificate information concerning Bob's identity has not been altered.
Pat's software then takes Bob's public key from the certificate and uses it to check Bob's signature. If Bob's public key de-encrypts the signature successfully, then Pat is assured that the signature was created using Bob's private key, for Susan has certified the matching public key. And of course, if the signature is valid, then we know that Doug didn't try to change the signed content.
Another Description:
A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
A digital signature can be used with any kind of message, whether it is
How It Works
Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.- You copy-and-paste the contract (it's a short one!) into an e-mail note.
- Using special software, you obtain a message hash (mathematical summary) of the contract.
- You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
- The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)
- To make sure it's intact and from you, your lawyer makes a hash of the received message.
- Your lawyer then uses your public key to decrypt the message hash or summary.
- If the hashes match, the received message is valid.
Digital signatures are generated through DSA, as well as verified. Signatures are generated in conjunction with the use of a private key; verification takes place in reference to a corresponding public key. Each signatory has their own paired public (assumed to be known to the general public) and private (known only to the user) keys. Because a signature can only be generated by an authorized person using their private key, the corresponding public key can be used by anyone to verify the signature.
Certificate Authority
A Certificate Authority (CA) is a third party which verifies the identity of merchants and their sites. The certificate authority issues a certificate (also called a digital certificate or an authentication certificate) to an applicant company, which can then put the certificate up on its site.
Digital Certificate
A Digital Certificate issued by a Certificate Authority certifies that a merchant and a particular website are connected, just as a photo on your driver's licence connects your identity with your personal details. A digital certificate verifies to the shopper that the virtual store is actually associated with a physical address and phone number which can increase the shoppers confidence in the authenticity of the merchant.
Self Signed Certificate
A self-signed certificate is digital certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy.
In typical public key infrastructure arrangements, that a particular public key certificate is valid (i.e., contains correct information) is attested by a digital signature from a certificate authority (CA).
Public key encryption:
Public key encryption uses a combination of a private key and a public key. The private key is known only to your computer while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key provided by the originating computer and it's own private key.
- The key is based on a hash value. This is a value that is computed from a base input number using a hashing algorithm. The important thing about a hash value is that it is nearly impossible to derive the original input number without knowing the data used to create the hash value. Here's a simple example:
You can see how hard it would be to determine that the value of 1525381 came from the multiplication of 10667 and 143. But if you knew that the multiplier was 143, then it would be very easy to calculate the value of 10667. Public key encryption is much more complex than this example but that is the basic idea. Public keys generally use complex algorithms and very large hash values for encrypting: 40-bit or even 128-bit numbers. A 128-bit number has a possible 2128 different combinations. That's as many combinations as there are water molecules in 2.7 million olympic size swimming pools. Even the tiniest water droplet you can image has billions and billions of water molecules in it! - Digital certificates - To implement public key encryption on a large scale, such as a secure Web server might need, requires a different approach. This is where digital certificates come in. A digital certificate is essentially a bit of information that says the Web server is trusted by an independent source known as a Certificate Authority. The Certificate Authority acts as the middleman that both computers trust. It confirms that each computer is in fact who they say they are and then provides the public keys of each computer to the other.
3 comments:
One difficulty with traditional PKI systems in general, and specifically Digital Signature systems is that they are rather complex to set up and maintain, not to mention difficult for the users to use.
ARX Inc. (www.arx.com) produces a very nice standard Digital Signature solution called CoSign. The product centrally manages all the Digital Signature keys, certificates, and even graphical signatures for all the users (signers), which makes the deployment, management, and usage of the Digital Signature system a lot easier than the traditional approach.
So can we create a test certificate by using their tools?
Its truly the best explanation I read so far that completely defines what a digital signature is. I will surely recommend all my friends to do visit your blog to read this article.
electronic signature
Post a Comment