Digital signature: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
No edit summary
imported>Sandy Harris
No edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{subpages}}
{{subpages}}
{{TOC-right}}
{{TOC|right}}
'''Digital signatures''' provide [[information security#source authentication|source authentication]] for online documents, messages or records, in a manner analogous to what a signature provides for a paper document.
'''Digital signatures''' provide [[information security#source authentication|source authentication]] for online documents, messages or records, in a manner analogous to what a signature provides for a paper document.


Line 8: Line 8:
* calculate a hash or [[message digest]] from the message
* calculate a hash or [[message digest]] from the message
* encrypt that hash with the sender's private key
* encrypt that hash with the sender's private key
* append the encrypted hash to the message as a signature
* combine the encrypted hash with information identifying the signer
* append the combination to the message as a signature
Steps for the receiver are:
Steps for the receiver are:
* obtain the sender's public key and verify its validity
* obtain the sender's public key and authenticate its integrity and source
* decrypt the signature, using the sender's public key, to get the hash value; call it H<sub>1</sub>
* decrypt the signature, using the sender's public key, to get the hash value; call it H<sub>1</sub>
* hash the message body yourself to get another hash value, H<sub>2</sub>
* hash the message body yourself to get another hash value, H<sub>2</sub>
* compare  H<sub>1</sub> and  H<sub>2</sub>
* compare  H<sub>1</sub> and  H<sub>2</sub>
* if they are identical, then you know with overwhelming probability:
* if they are identical, then you know with overwhelming probability (though not with absolute certainty):
** the documents signed (hash H1) and the document received (hash H2) are identical (from properties of a [[cryptographic hash]])
** the documents signed (hash H<sub>1</sub>) and the document received (hash H<sub>2</sub>) are identical (from properties of a [[cryptographic hash]])
** whoever generated the signature knew the signer's private key  (which only he should know in a [[public key]] system)  
** whoever generated the signature knew the signer's private key  (which only the signer should know in a [[public key]] system)  
* so you can accept the signature as valid
* so you can accept the signature as valid
If both the [[hash (cryptography) | hash]] and the [[public key]] system used are secure, and no-one except the sender knows his private key, then the signatures are trustworthy.
If both the [[hash (cryptography) | hash]] and the [[public key]] system used are secure, and no-one except the sender knows his private key, then the signatures are trustworthy.
The use of digital signatures raises legal issues. There is an online reference <ref>Digital Signature Law Survey https://dsls.rechten.uvt.nl/</ref> for laws around the world.
==References==
{{Reflist|2}}

Latest revision as of 23:44, 7 December 2010

This article is a stub and thus not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

Digital signatures provide source authentication for online documents, messages or records, in a manner analogous to what a signature provides for a paper document.

Two cryptographic techniques are used together to produce a digital signature, a cryptographic hash and a public key cryptosystem.

The steps for the sender are as follows:

  • calculate a hash or message digest from the message
  • encrypt that hash with the sender's private key
  • combine the encrypted hash with information identifying the signer
  • append the combination to the message as a signature

Steps for the receiver are:

  • obtain the sender's public key and authenticate its integrity and source
  • decrypt the signature, using the sender's public key, to get the hash value; call it H1
  • hash the message body yourself to get another hash value, H2
  • compare H1 and H2
  • if they are identical, then you know with overwhelming probability (though not with absolute certainty):
    • the documents signed (hash H1) and the document received (hash H2) are identical (from properties of a cryptographic hash)
    • whoever generated the signature knew the signer's private key (which only the signer should know in a public key system)
  • so you can accept the signature as valid

If both the hash and the public key system used are secure, and no-one except the sender knows his private key, then the signatures are trustworthy.

The use of digital signatures raises legal issues. There is an online reference [1] for laws around the world.

References

  1. Digital Signature Law Survey https://dsls.rechten.uvt.nl/