Understanding Digital Signatures

The purpose of digital or electronic signatures is the same as pen-and-ink signatures, but how you sign digitally is completely different. Unlike pen-and-ink signatures, your digital signature depends on the message you are signing. The first step is to apply a mathematical function on the message and reduce it to a fixed-size message digest (also called hash).

No matter how big your message is, the message digest is always around 128 or 160 bits, depending on the hashing function.

The next step is to apply public key encryption. Simply encrypt the message digest with your private key, and you get the digital signature for the message. Typically, the digital signature is appended to the end of the message and you've got an electronically signed message.

What good does the digital signature do? Well, anyone who wants to verify that the message is indeed signed by you takes your public key and decrypts the digital signature. What they get is the message digest of the message. Then, they apply the same hash function to the message and compare the computed hash with the decrypted value. If the two match, no one has tampered with the message. Because your public key was used to verify the signature, the message must have been signed with the private key known only to you. So the message must be from you!

In the theoretical scenario of Alice sending private messages to Bob, Alice can digitally sign her message to make sure that Bob can tell that the message is really from her. Figure 22-4 illustrates the use of a digital signature along with normal public-key encryption.

[Diagram labels: Alice encrypts the message using Bob's public key and appends a digital signature encrypted with her private key. Bob decrypts the message using his private key and decrypts the signature using Alice's public key, then verifies the message digest.]

Figure 22-4: Alice Can Digitally Sign Her Message So That Bob Can Tell It's Really from Her.

Here's how Alice sends her private message to Bob with the assurance that Bob can really tell it's from her:

1. Alice uses some software to compute the message digest of the message and then encrypts the digest using her private key. This is her digital signature for the message.

2. Alice encrypts (again, using some convenient software) the message using Bob's public key.

3. She sends both the encrypted message and the digital signature to Bob.

4. Bob decrypts the message using his private key.

5. Bob decrypts the digital signature using Alice's public key. This gives him the message digest.

6. Bob computes the message digest of the message and compares the result with what he got by decrypting the digital signature.

7. If the two message digests match, Bob can be sure that the message really came from Alice.
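The seven steps above, carried through as an added example (not from the original text). It uses raw textbook RSA with SHA-256 and fixed demo keys built from Mersenne primes, all assumptions of this example; the function names are hypothetical, and production signing uses a padded scheme such as RSA-PSS from a vetted library.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Textbook RSA key pair (public, private) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed demo keys built from well-known Mersenne primes: fine for
# showing the arithmetic, useless for real secrecy.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def digest_int(message: bytes) -> int:
    """Message digest as an integer (SHA-256 is this example's choice)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def rsa(value: int, key) -> int:
    """Raw RSA operation value**exp mod n; no padding (assumption)."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)

def alice_send(message: bytes, alice_priv, bob_pub):
    signature = rsa(digest_int(message), alice_priv)            # step 1
    ciphertext = rsa(int.from_bytes(message, "big"), bob_pub)   # step 2
    return ciphertext, signature                                # step 3

def bob_receive(ciphertext: int, signature: int, bob_priv, alice_pub):
    m = rsa(ciphertext, bob_priv)                               # step 4
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    signed_digest = rsa(signature, alice_pub)                   # step 5
    return message, signed_digest == digest_int(message)        # steps 6-7

if __name__ == "__main__":
    ct, sig = alice_send(b"Meet at noon", ALICE_PRIV, BOB_PUB)
    print(bob_receive(ct, sig, BOB_PRIV, ALICE_PUB))
    # Anyone can encrypt to Bob; only Alice's key yields a matching digest.
    swapped = rsa(int.from_bytes(b"Meet at nine", "big"), BOB_PUB)
    print(bob_receive(swapped, sig, BOB_PRIV, ALICE_PUB))
```

The second call in the demo shows why step 7 matters: encryption to Bob's public key alone proves nothing about the sender, so a substituted message decrypts cleanly but fails the digest comparison.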