A digital signature provides authentication of the sender, integrity of the document, and non-repudiation by using public key cryptography. It consists of a signing process, where the document is hashed and the hash is encrypted with the private key and attached to the original document. In verification, the signature is decrypted with the public key and compared to a newly generated hash of the document to validate authenticity. Digital signatures are commonly used for legally binding electronic documents and communications to establish trust between parties.
DIGITAL SIGNATURE
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a
message or the signer of a document, and possibly to ensure that the original content of the message or
document that has been sent is unchanged.
Why use certificate signatures?
Many business transactions, including financial, legal, and other regulated transactions, require high
assurance when signing documents. When documents are distributed electronically, it is important that
recipients can:
* Verify document authenticity – confirming the identity of each person who signed the document
* Verify document integrity – confirming that the document has not been altered in transit
Certificate-based signatures provide both of these security services. Many businesses and governments
have chosen to set up a certificate-based digital signature infrastructure within their organization – using
third party certificate authorities to provide independent identity validation. Examples include:
* Pharmaceutical companies who need to use signatures that comply with the SAFE (Signatures &
Authentication For Everyone) BioPharma industry standard
* Companies in the European Union who need to comply with the ETSI PAdES standard (PDF
Advanced Electronic Signatures)
Other reasons why more and more organizations choose to use this type of digital signature include:
1. Saving money. The electronic signing method eliminates the cost of paper, printing, and courier
services.
2. Document integrity. Organizations that publish/release any kind of PDF material on the internet
can now be assured that the PDF documents will not be modified in any way to alter the
organization’s brand or credibility.
3. Work efficiency. Handling a document electronically (clicking a button or entering a password)
is way faster than circulating it through interoffice mail or courier.
A digital signature scheme typically consists of three algorithms:
* A key generation algorithm that selects a private key uniformly at random from a set of possible private
keys. The algorithm outputs the private key and a corresponding public key.
* A signing algorithm that, given a message and a private key, produces a signature.
* A signature verifying algorithm that, given a message, public key and a signature, either accepts or
rejects the message's claim to authenticity.
Two main properties are required:
1. A signature generated from a fixed message and fixed private key should verify the authenticity of that
message by using the corresponding public key.
2. It should be computationally infeasible to generate a valid signature for a party who does not possess the
private key.
HOW DIGITAL SIGNATURE WORKS:
There are two processes in digital signatures:
1. Signing process - In this process, the data is converted into a hash by using a hash function, then this hash
is encrypted by using the signer's private key, and the result is attached to the data and sent.
2. Verification - In this process, digital signatures are verified. First, the digitally signed data is split into data and
signature. Then the data is converted into a hash and, simultaneously, the signature is decrypted using the signer's
public key. If both hashes are the same, then the digital signature is verified.
Below are some common reasons for applying a digital signature to communications:
1. Authentication
Digital signatures can be used to authenticate the source of messages.
When ownership of a digital signature secret key is bound to a specific user, a valid signature
shows that the message was sent by that user.
The importance of high confidence in sender authenticity is especially obvious in a financial
context.
For example, suppose a bank's branch office sends instructions to the central office requesting a
change in the balance of an account.
If the central office is not convinced that such a message is truly sent from an authorized source,
acting on such a request could be a grave mistake.
2. Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence that the
message has not been altered during transmission.
Although encryption hides the contents of a message, it may be possible to change an encrypted
message without understanding it.
However, if a message is digitally signed, any change in the message after signature will
invalidate the signature.
Furthermore, there is no efficient way to modify a message and its signature to produce a new
message with a valid signature, because for most cryptographic hash functions this is still
considered to be computationally infeasible.
3. Non-repudiation
Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital
signatures.
By this property an entity that has signed some information cannot at a later time deny having
signed it.
Similarly, access to the public key only does not enable a fraudulent party to fake a valid
signature.
This is in contrast to symmetric systems, where both sender and receiver share the same secret
key, and thus in a dispute a third party cannot determine which entity was the true source of the
information.
The components that a digital signature comprises:
1. Your public key: This is the part that anyone can get a copy of and is part of the
verification system.
2. Your name and e-mail address: This is necessary for contact information purposes and
to enable the viewer to identify the details.
3. Expiration date of the public key: This part of the signature is used to set a shelf life
and to ensure that, in the event of prolonged abuse of a signature, the signature is eventually
reset.
4. Name of the company: This section identifies the company that the signature belongs
to.
5. Serial number of the Digital ID: This part is a unique number that is bundled to the
signature for tracking and extra identification reasons.
6. Digital signature of the CA (Certification Authority): This is a signature that is issued
by the authority that issues the certificates.
Figure A
User A is depicted above and has two keys: a public key, which is available to the public for
download, and a private key, which is not available to the public. All keys are used to lock the
information in an encrypted mode. The same keys are required to decrypt the data.
Another user can encrypt the data using user A’s Public Key. User A will use the Private Key to
decrypt the message. Without user A’s Private Key the data cannot be decrypted. Figure B
below depicts the encryption method and decryption method and which keys are used.
Figure B
Digital signatures can be used to make documents, e-mails and other data private. Big brother is
out there, and choosing a high encryption mechanism ensures that anyone attempting to decrypt
the data would find it unviable to attempt decryption.
User A’s machine digests the data into a simple string of code, after which user A’s software
encrypts the message digest with his private key. The result is the digital signature. User A’s
software then appends the digital signature to the document. All of the data that was hashed has been
signed. User A then passes the digitally signed document to user B.
First, user B’s software decrypts the signature using User A’s public key, changing it back
into a message digest. If the signature decrypts to the message digest of the data, this
verifies that user A did in fact sign the data. To stop fraud, certificate authorities have been
introduced. Certificate authorities can sign User A’s public key, ensuring that no one else uses
Bob's information or impersonates his key.
If a user is uncertain of the digital signature, it is possible to verify the digital signature with the
certificate authority. Signatures can also be revoked if they are abused or if it is suspected that
they are abused. When a digital signature is compromised, the user who suspects that the
certificate is compromised should report the incident to the certificate authority.
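
The signing and verification steps described under HOW DIGITAL SIGNATURE WORKS and in the User A / User B walkthrough, as an added example that is not part of the original page. It uses textbook RSA over a bare SHA-256 hash with constructed toy keys built from fixed Mersenne primes; the helper names (make_key, sign, verify, check_all) are illustrative assumptions, and deployed systems add a padding scheme such as RSASSA-PSS and use randomly generated primes.

```python
import hashlib

def make_key(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, e), (n, d)

# Constructed toy keys (assumption, not from the page): fixed Mersenne primes so
# the run is reproducible. Real keys use secret, randomly generated primes.
A_PUBLIC, A_PRIVATE = make_key(2**521 - 1, 2**607 - 1)
X_PUBLIC, X_PRIVATE = make_key(2**607 - 1, 2**1279 - 1)   # some other party

def digest(data: bytes) -> int:
    """Hash the data with SHA-256 and return the digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private) -> int:
    """Signing process: hash the data, then transform the hash with the private key."""
    n, d = private
    return pow(digest(data), d, n)

def verify(data: bytes, signature: int, public) -> bool:
    """Verification: recover the hash from the signature with the public key
    and compare it with a fresh hash of the received data."""
    n, e = public
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(data)

def check_all():
    """Run the cases a verifier has to tell apart; returns a dict of results."""
    msg = b"branch office -> central office: credit account 0001 with 100.00"  # constructed
    sig = sign(msg, A_PRIVATE)
    return {
        "genuine": verify(msg, sig, A_PUBLIC),
        "altered_message": verify(msg.replace(b"100.00", b"900.00"), sig, A_PUBLIC),
        "altered_signature": verify(msg, sig ^ 1, A_PUBLIC),
        "signed_by_other_key": verify(msg, sign(msg, X_PRIVATE), A_PUBLIC),
    }

if __name__ == "__main__":
    for case, accepted in check_all().items():
        print(f"{case:20} accepted={accepted}")
```

Only the unmodified message with User A's own signature is accepted; a changed amount, a flipped signature bit, or a signature made with a different private key all fail the hash comparison.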