
Understanding Digital Signatures

A digital signature is the digital equivalent of a handwritten signature. It can be used to verify that an email message really came from the person who supposedly sent it and that it was not changed on the way from the sender to the recipient. In computer security these two properties are known as authentication and integrity.


What is a digital signature?

A digital signature is a sequence of letters and numbers. You may have received email messages with a block of letters and numbers at the bottom, or with a statement such as “This message includes a valid signature” next to a small envelope icon. To generate a digital signature, a mathematical algorithm combines the information in a key with the information in the message, so a unique signature is produced for each message. The result is a random-looking string of letters and numbers that is sent along with the message.

Why do you need a digital signature?

You need a digital signature because it is easy for attackers and viruses to “spoof” email addresses, and it is sometimes difficult to identify legitimate messages. Authenticity may be especially important for business correspondence: if you are relying on someone to provide or verify information, you want to be sure that the information comes from the correct source. A signed message also indicates that the content has not been changed since it was sent, because any change would cause the signature to become invalid.

Some useful terms

Before you can understand how a digital signature works, there are some terms you should know:

Keys – Keys are used to create digital signatures, much as a physical key is used to lock and unlock things. Every digital signature involves a key pair: a public key and a private key.

Private key – The private key is the portion of the key pair you use to actually sign an email message. The private key is protected by a password, and you should never give your private key to anyone.

Public key – The public key is the portion of the key pair that is available to other people. Whether you upload it to a public key ring or send it to someone, this is the key other people use to check your signature. A list of the other people who have signed your key is also included with your public key; you will only be able to see who they are if you already have their public keys on your key ring.

Key ring – A key ring contains public keys. You have a key ring that contains the keys of people who have sent you their keys or whose keys you have gotten from a public key server. A public key server contains keys of people who have chosen to upload their keys.

Fingerprint – When confirming a key, you are actually confirming the unique series of letters and numbers that make up the fingerprint of the key. The fingerprint is a different string from the block of information that appears at the bottom of a signed email message.

Key certificates – When you select a key on a key ring, you will usually see the key certificate, which contains information about the key, such as the key owner, the date the key was created, and the date the key will expire.

Trusted Third Party – A trusted third party (TTP) is an entity that facilitates an interaction between two parties who both trust it.

Certificate Authority – A certificate authority (CA) is a body that issues and manages security credentials and public keys for the use of other parties. It is an example of a trusted third party. As part of a public key infrastructure (PKI), a CA checks with a Registration Authority (RA) to verify information provided by the requester of a digital certificate. If the RA verifies the requester’s information, the CA can then issue a certificate.

Web of trust – When someone signs your key, they are confirming that the key actually belongs to you. The more signatures you collect, the more trustworthy your key appears. If someone sees that your key has been signed by other people whom he or she trusts, he or she is more inclined to trust your key. Note: Just because someone else has trusted a key, or you find it on a public key ring, does not mean you should automatically trust it. You should always verify the fingerprint yourself.

How does it work?

The process for creating, obtaining, and using keys is fairly straightforward:

  1. Generate a key pair using software such as PGP (Pretty Good Privacy) or GnuPG (GNU Privacy Guard). If you request a digital certificate directly from a Registration Authority, your key pair will be generated by the web browser you use.
  2. Increase the authenticity of your key by having it signed by a Certificate Authority (CA). In the process of signing your key, the CA will confirm that the fingerprint of the key you sent them belongs to you. By doing this, the CA verifies your identity and indicates trust in your key.
  3. Digitally sign your outgoing email messages. Most email clients have a feature to easily add your digital signature to a message.

There are a variety of mechanisms for creating digital signatures, and these mechanisms may operate differently. For example, S/MIME does not add a visible block of letters and numbers within the message, and its digital signatures are verified indirectly through a certificate authority instead of directly through other users in a web of trust. You may just see an icon or a note on the message that the signature has been verified. If you get an error about a digital signature, contact the sender through a phone call or a separate email address that you know is valid to verify the authenticity of the message.
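As an added illustration (not from the original page, and a simplified model rather than PGP or S/MIME), the following Go program uses the standard library's Ed25519 to walk through the steps above: generating a key pair, computing a fingerprint of the public key, signing a message, showing that verification fails once the message is altered, and a CA or web-of-trust style signature over a key. The names Alice and the owner string "alice@example.com" are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint returns a hex digest of a public key: the short value a person
// compares out of band, distinct from any signature on a message.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignMessage produces the signature that travels with the message.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifyMessage checks authenticity and integrity with the sender's public key.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// CertifyKey is a CA or web-of-trust key signature: the signer vouches that the key belongs to ownerID.
func CertifyKey(signerPriv ed25519.PrivateKey, ownerID string, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(signerPriv, append([]byte(ownerID+"\x00"), pub...))
}

// TrustedVia reports whether a key certification was made by a key the
// verifier already trusts (the CA, or an introducer in a web of trust).
func TrustedVia(signerPub ed25519.PublicKey, ownerID string, pub ed25519.PublicKey, cert []byte) bool {
	return ed25519.Verify(signerPub, append([]byte(ownerID+"\x00"), pub...), cert)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("Transfer approved: invoice #1042") // constructed sample message
	sig := SignMessage(alicePriv, msg)
	fmt.Println("fingerprint:", Fingerprint(alicePub)[:16], "...")
	fmt.Println("original verifies:", VerifyMessage(alicePub, msg, sig))
	fmt.Println("tampered verifies:", VerifyMessage(alicePub, []byte("Transfer approved: invoice #1043"), sig))
	cert := CertifyKey(caPriv, "alice@example.com", alicePub)
	fmt.Println("alice's key certified by CA:", TrustedVia(caPub, "alice@example.com", alicePub, cert))
}
```

Note that the certification binds the key to an owner identifier, so a signature that vouches for one identity does not transfer to another, which is the check a verifier performs before trusting a key that it did not confirm by fingerprint itself.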


