In paper-based communications, a signed document is notarized with a seal
and a signature. With an electronic communication, a document is signed using a
digital signature. A digital signature, or digital certificate, is an encrypted
hash that is appended to a document. It can be used to confirm the identity of
the sender and the integrity of the document.
Digital signatures are based on a combination of public key encryption and
secure one-way hash function algorithms. A digital certificate contains
information to identify a user or device, such as the name, serial number,
company, department or IP address. It also contains a copy of the entity’s
public key. A Certificate Authority (CA) signs the certificate. The CA is a
third party that is explicitly trusted by the receiver to validate identities
and to create digital certificates.
To validate the CA’s signature, the receiver must first know the CA’s public
key. Normally this is handled out of band or through an operation done at
installation. For instance, most web browsers are configured with the public
keys of several CAs by default.
In the example in Figure
, the sender
derives a hash and encrypts it with its private key. The encrypted hash, which
is a digital signature, is attached to the message and forwarded to the remote
end. At the receiver end, the encrypted hash is decrypted using the public key
of the sender. If the decrypted hash matches the recomputed hash, the signature
is genuine. A digital signature ties a message to a sender. The sender is
authenticated. The process is summarized as follows:
- At the transmitting end, the private key generated by the sender is used to
  encrypt the hash.
- At the receiving end:
  - The hash is produced by running the original message through a hash
    algorithm.
  - The hash that was appended to the original message is decrypted using the
    public key from the sender.
  - If the hashes match, the message was signed by the private key that was
    generated by the sender.
- Only a specific private key could have produced the digital signature.
Digital signatures are much more scalable than pre-shared keys. Without
digital signatures, keys must be manually shared between each pair of devices.
Without certificates, every new device added to the network requires a
configuration change on every other device it securely communicates with.
However, by using digital certificates, each device is enrolled with a CA. When
two devices wish to communicate, they exchange certificates and digitally sign
data to authenticate each other. When a new device is added to the network, one
simply enrolls that device with a CA, and none of the other devices need
modification. When the new device attempts a connection, certificates are
automatically exchanged and the device can be authenticated.
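The sign and verify steps listed above, combined with the CA enrolment model, as an added example that is not part of the original text. It assumes textbook RSA (no padding) over SHA-256 with constructed demonstration keys built from Mersenne primes; the names `issue_cert` and `authenticate` are hypothetical, and production systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

E = 65537  # public exponent used by every demo key

def make_key(p, q):
    """Textbook RSA key from two primes: returns (public modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from Mersenne primes; never use such keys for real.
CA_N, CA_D = make_key(2**521 - 1, 2**607 - 1)
DEV_N, DEV_D = make_key(2**1279 - 1, 2**2203 - 1)
ROGUE_N, ROGUE_D = make_key(2**2281 - 1, 2**3217 - 1)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, n: int, d: int) -> int:
    """Sender: hash the data, then transform the hash with the private key."""
    return pow(digest(data), d, n)

def verify(data: bytes, sig: int, n: int) -> bool:
    """Receiver: recover the hash with the public key, compare with a fresh hash."""
    return pow(sig, E, n) == digest(data)

def cert_body(subject: str, public_n: int) -> bytes:
    # Length-prefix the subject so two different certificates never encode alike.
    return f"{len(subject)}:{subject}:{public_n:x}".encode()

def issue_cert(subject, public_n, ca_n, ca_d):
    """CA enrolment: bind an identity to a public key with the CA's signature."""
    return {"subject": subject, "public_key": public_n,
            "ca_sig": sign(cert_body(subject, public_n), ca_n, ca_d)}

def authenticate(message, sig, cert, trusted_ca_n):
    """Receiver knows only the CA public key; the peer key arrives in the cert."""
    body = cert_body(cert["subject"], cert["public_key"])
    if not verify(body, cert["ca_sig"], trusted_ca_n):
        return False  # certificate not issued by the trusted CA, or altered
    return verify(message, sig, cert["public_key"])

if __name__ == "__main__":
    cert = issue_cert("router1.example", DEV_N, CA_N, CA_D)
    msg = b"routing update 42"  # constructed sample message
    sig = sign(msg, DEV_N, DEV_D)
    print(authenticate(msg, sig, cert, CA_N))
    print(authenticate(b"routing update 43", sig, cert, CA_N))
```

The receiver is configured with `CA_N` only, which is why enrolling a new device requires no change on its peers.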
The two common digital signature algorithms are RSA and Directory System Agent
(DSA). RSA is used commercially and is the most common. DSA is used mostly by
U.S. Government agencies.