Lucky You, Microsoft has Sent You an Email! (Think Again). - Digital signatures
(Page 2 of 6)
What is a digital signature?
A digital signature has the same purpose as a handwritten signature. When you digitally sign an electronic document (email, spreadsheet, text file, and so on), you provide a means for the recipient to authenticate you as the writer of the document. In addition, by receiving a digitally signed document, you can verify that it has not been altered in any way since the writer created it.
Digital signatures are crucial to all B2B, B2C or C2C transactions because they provide non-repudiation: the transacting parties cannot later deny that they performed a specific action, for example a customer sending an order to a company.
How does digital signature technology work?
Digital signatures are created and verified by public key cryptography. Public key cryptography uses a pair of keys, the private and the public key. The first one, as its name indicates, is kept private by its owner, whereas the second one is available to anyone who needs it and is associated with a digital certificate. When you want to send encrypted data to our well-known person Bob, you use his public key to encrypt the message. Bob will then use his private key to decrypt the message.
However, digitally signing a document does not mean that you encrypt it. In order to send a digitally signed message to Bob:
- First you use your signing software on the message to compute a message digest. This process is called hashing. Keep in mind that the process is irreversible, meaning that it is impossible to change the message digest back into the original data from which it was created.
- Then you use the signing software to encrypt the message digest with your private key. Doing so, you create your digital signature.
- The signing software appends the digital signature to the document. You send the message to your dear friend Bob, who can’t wait to get it.
- Now that Bob has received your message, he will try to verify that it was sent by you and that it has not been altered by Trudy the intruder, who pokes her nose into everything. So, Bob uses his software to decrypt the digital signature with your public key, and gets the message digest.
- If the decryption is successful, Bob knows that you signed the document. After all, you are the only one who has the private key corresponding to the public key he used (or not?).
- Then, Bob uses his software to compute the message digest (also known as the hash value) of the received message.
- The software checks that the computed message digest is the same as the message digest recovered when the digital signature was decrypted.
- If the verification is successful, Bob knows that Trudy the intruder has not altered the signed message.
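The sign-and-verify exchange above, as an added example that is not part of the original article: Go's standard library is used for RSA with PKCS#1 v1.5 padding over a SHA-256 digest, the keys and the order message are constructed for the demonstration, and the wrong-key case illustrates the "(or not?)" caveat, since a verified signature only proves possession of the private key matching the public key Bob used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage is the sender's side: hash the message (step 1), then produce
// the signature from the digest with the private key (step 2).
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage is Bob's side: recompute the digest of what was received and
// check it against the signature using the sender's public key. A false
// result means either the message was altered or the key does not match.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs the exchange end to end with constructed keys and a constructed
// order message. It reports whether verification succeeds for the genuine
// message, for the message after Trudy changes the quantity, and for the
// genuine message checked against someone else's public key.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048) // the sender's key pair
	if err != nil {
		return
	}
	trudy, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return
	}
	msg := []byte("Order 1234: 10 units, ship to warehouse B") // constructed sample
	sig, err := SignMessage(alice, msg)
	if err != nil {
		return
	}
	genuine = VerifyMessage(&alice.PublicKey, msg, sig)
	altered := []byte("Order 1234: 90 units, ship to warehouse B") // Trudy's edit
	tampered = VerifyMessage(&alice.PublicKey, altered, sig)
	wrongKey = VerifyMessage(&trudy.PublicKey, msg, sig)
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "wrong key:", w, "err:", err)
}
```

Binding the public key to a real identity is the job of the digital certificate mentioned earlier; the verification itself cannot tell Alice's key from Trudy's.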

Figure: Process of applying and verifying a digital signature
By Eliana Stavrou