Library
Back to reading

5.11.6 What Is a Digital Signature and How Does It Work?

  1. What Is a Digital Signature?
  2. Why Isn't a Digital Signature Just an Electronic Signature?
  3. Why Are Digital Signatures Needed?
  4. What Security Services Do Digital Signatures Provide?
  5. Do Digital Signatures Provide Confidentiality?
  6. How Does a Digital Signature Work?
  7. Why Is a Hash Function Used?
  8. What Is a Message Digest?
  9. Which Keys Are Used?
  10. How Does the Recipient Verify a Signature?
  11. What Is a Digital Certificate?
  12. What Is a Certificate Authority?
  13. Where Are Digital Signatures Used?
  14. Can Digital Signatures Be Forged?
  15. Will Quantum Computers Affect Digital Signatures?
  16. Why Are Digital Signatures Important?

Description

Explore how digital signatures verify identity and protect message integrity. Learn why digital signatures differ from encryption, how cryptographic hash functions are used, and how certificates enable trusted electronic transactions.

Introduction

In everyday life, handwritten signatures have long been used to identify the author of a document and to indicate approval of its contents. A signed contract, cheque, or legal document provides evidence of who signed it and demonstrates that the signer intended to approve the document.

As communication has become increasingly digital, handwritten signatures are often no longer practical. Electronic documents, email, software updates, online financial transactions, and Internet commerce require a reliable means of proving who created a document and whether it has been altered since it was signed.

The solution is the digital signature. Despite its name, a digital signature is not simply an electronic image of a handwritten signature. Instead, it is a mathematical mechanism that uses public-key cryptography and cryptographic hash functions to provide authentication, integrity, and non-repudiation.

Today, digital signatures are fundamental to secure communications. They protect software updates, verify websites, authenticate electronic documents, and enable trusted online transactions throughout the world.

What Is a Digital Signature?

A digital signature is a cryptographic technique that enables the recipient of a message or document to verify:

Unlike encryption, whose purpose is to keep information secret, a digital signature proves the authenticity of the information.

A digitally signed document may be completely unencrypted while still providing strong assurance that it originated from the claimed sender.

Why Isn't a Digital Signature Just an Electronic Signature?

People often confuse digital signatures with electronic signatures.

An electronic signature is simply any electronic indication that a person agrees with a document. Examples include:

These methods provide little technical protection against forgery.

A digital signature, on the other hand, is produced using cryptographic algorithms and provides mathematically verifiable evidence of authenticity and integrity.

Why Are Digital Signatures Needed?

Suppose Alice sends Bob an electronic contract.

Even if the contract is encrypted, Bob still cannot answer several important questions.

Digital signatures answer all of these questions.

They provide trust between parties who may never have met.

What Security Services Do Digital Signatures Provide?

Digital signatures provide three important security services.

Do Digital Signatures Provide Confidentiality?

No.

This is one of the most common misconceptions. A digital signature does not hide the contents of a message. Anyone may read a digitally signed document unless it has also been encrypted. Encryption and digital signatures therefore perform different functions. Encryption provide confidentiality. Digital signatures provide: authentication, integrity, and non-repudiation

Many secure communication systems employ both simultaneously.

How Does a Digital Signature Work?

The process involves several steps.

First, the sender prepares the document. Next, a cryptographic hash function calculates a short message digest representing the document. The sender then encrypts this digest using their private key. The encrypted digest forms the digital signature. The signature is transmitted together with the original document. The recipient independently calculates the document hash and compares it with the decrypted signature.

If both values match, the signature is valid.

Why Is a Hash Function Used?

Modern documents may contain millions of bytes.

Encrypting an entire document with a public-key algorithm would be unnecessarily slow. Instead, only the hash value is signed. A cryptographic hash function produces a fixed-length fingerprint of the document. Important properties include:

Signing the hash rather than the complete document greatly improves efficiency.

What Is a Message Digest?

The output of a cryptographic hash function is called a message digest.

It acts rather like a digital fingerprint. Although the digest may contain only a few hundred bits, it uniquely represents documents that may be many gigabytes in length. Modern hash algorithms include:

These algorithms are widely used in digital-signature systems.

Which Keys Are Used?

Digital signatures use the opposite key arrangement to encryption.

For confidentiality:

For digital signatures:

Because only the legitimate owner possesses the private key, successful verification demonstrates the origin of the signature.

How Does the Recipient Verify a Signature?

The recipient performs three steps.

First, the document hash is calculated independently. Second, the sender's public key decrypts the received signature. Finally, the two hash values are compared. If they match:

If they differ, either the document has changed or the signature is invalid.

What Is a Digital Certificate?

Suppose an attacker creates a fake public key and claims it belongs to Alice.

How can Bob know which key is genuine? The answer is a digital certificate, which links a person's identity with a public key.

Certificates are issued by trusted organizations called Certificate Authorities (CAs).

Before accepting a digital signature, software normally verifies the accompanying certificate.

What Is a Certificate Authority?

A Certificate Authority is a trusted organization responsible for confirming identities and issuing digital certificates.

Web browsers and operating systems contain lists of trusted certificate authorities. When visiting a secure website, the browser verifies the site's certificate before establishing an encrypted connection.

This process prevents attackers from impersonating legitimate organizations.

Where Are Digital Signatures Used?

Digital signatures appear throughout modern computing.

Applications include:

Every time a smartphone installs a software update, it normally verifies a digital signature before allowing installation.

Can Digital Signatures Be Forged?

A properly implemented digital-signature system is extremely difficult to forge.

An attacker would need to:

For modern public-key algorithms using appropriate key lengths, neither approach is currently practical.

However, poor implementation or inadequate protection of private keys can compromise security.

Will Quantum Computers Affect Digital Signatures?

Yes.

Many current digital-signature systems rely upon RSA or elliptic-curve cryptography. Large-scale quantum computers could potentially break these algorithms using Shor's algorithm.

As a result, researchers are developing post-quantum digital-signature algorithms that are believed to remain secure against both classical and quantum attacks.

Several of these algorithms have recently been standardized by NIST.

Why Are Digital Signatures Important?

Digital signatures provide the trust that modern electronic communications require. They allow people and organizations to verify identities, detect unauthorized modifications, and prove authorship without relying upon physical documents or handwritten signatures.

Without digital signatures, secure electronic commerce, software distribution, electronic government services, and many Internet security protocols would not be practical.

Summary

A digital signature is a cryptographic mechanism that provides authentication, integrity, and non-repudiation. Rather than encrypting the entire document, the sender signs a cryptographic hash using a private key, and the recipient verifies the signature using the corresponding public key.

Digital signatures differ fundamentally from encryption. Encryption protects confidentiality, while digital signatures verify identity and ensure that information has not been altered. Together with digital certificates and public-key infrastructures, they form one of the essential foundations of modern secure communications.

Back to reading

Return to Chapter 5 FAQ 5.11.6