A digital signature is a way to ensure that an electronic document such as an e-mail, spreadsheet, or text file is authentic. Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures.
A digital signature functions for electronic documents like a handwritten signature does for printed documents. The signature is an unforgeable piece of data that asserts that a named person wrote or otherwise agreed to the document to which the signature is attached. It actually provides a greater degree of security than a handwritten signature. The recipient of a digitally signed message can verify both that the message originated from the person whose signature is attached and that the message has not been altered, intentionally or accidentally, since it was signed. Furthermore, a secure digital signature cannot be repudiated; the signer of a document cannot later disown it by claiming the signature was forged.
In other words, digital signatures enable “authentication” of digital messages, assuring the recipient of a digital message of both the identity of the sender and the integrity of the message.
Digital signature relies on asymmetric or public key cryptography. To create a digital signature we sign the message with our private key. The digital signature then becomes a part of our message.
This has two effects:
- Any changes to the message can be detected, due to the message digest algorithm
- We cannot deny signing the message because it was signed with our private key.
These two features, message integrity and non-repudiation, make digital signatures a very useful component for e-commerce applications.
Digital Signature and Authentication:
Suppose Amit wants to send a signed message to Anil. He creates a message digest by using a hash function on the message. The message digest serves as a digital fingerprint of the message; if any part of the message is modified, the hash function returns a different result. Amit then encrypts the message digest with his private key. This encrypted message digest is the digital signature for the message.
Amit sends both the message and the digital signature to Anil. When Anil receives them, he decrypts the signature using Amit's public key, which recovers the message digest Amit computed. He then hashes the message with the same hash function Amit used and compares the result to the message digest he received from Amit. If they are exactly equal, Anil can be confident that the message he received indeed came from Amit and has not changed since he signed it. If the message digests are not equal, the message either originated elsewhere or was altered after it was signed.
Using a digital signature does not encrypt the message itself. If Amit wants to ensure privacy of the message, he should also encrypt it using Anil's public key. Then only Anil can read the message by decrypting it with his private key. It is not feasible for anyone either to find a message that hashes to a given value or to find two messages that hash to the same value. If either were feasible, an intruder could attach a false message to Amit's signature. Specific hash functions have been designed to have the property that finding a match is not feasible, and are therefore considered suitable for use in cryptography. One or more Digital IDs can accompany a digital signature.
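The exchange between Amit and Anil, as an added example that is not part of the original article: it uses only the Python standard library and textbook RSA on a SHA-256 digest with no padding scheme, which mirrors the description above but is not how deployed signature schemes encode the digest. The key values, message text and function names are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent

def make_key(p: int, q: int):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(message: bytes) -> int:
    """SHA-256 message digest as an integer: the message's fingerprint."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Recipient: recover the digest with the public key, re-hash, compare."""
    n, e = public
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(message)

# Constructed toy keys built from publicly known Mersenne primes,
# so they are suitable for demonstration only.
AMIT_PUB, AMIT_PRIV = make_key(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**127 - 1, 2**521 - 1)

def demo() -> dict:
    message = b"Pay Anil 500 rupees"  # constructed sample message
    signature = sign(message, AMIT_PRIV)
    return {
        # Unmodified message, Amit's signature, Amit's public key.
        "genuine": verify(message, signature, AMIT_PUB),
        # Message changed after signing: digests no longer match.
        "altered": verify(b"Pay Anil 900 rupees", signature, AMIT_PUB),
        # Signed with someone else's private key: originated elsewhere.
        "other_signer": verify(message, sign(message, OTHER_PRIV), AMIT_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```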
Digital signatures and validity:
Normally a key expires after some period of time, such as one year, and a document signed with an expired key should not be accepted. However, there are many cases where it is necessary for signed documents to be regarded as legally valid for much longer than two years; long-term leases and contracts are examples. By registering the contract with a digital time-stamping service at the time it is signed, the signature can be validated even after the key expires. If all parties keep a copy of the time-stamp, each can prove that the contract was signed with valid keys. In fact, the time-stamp can prove the validity of a contract even if one signer's key gets compromised at some point after the contract was signed. Any digitally signed document can be time-stamped, assuring that the validity of the signature can be verified after the key expires.
Written by Kamana Dubey