Lec 7


• A digital signature is a mathematical technique used to validate the authenticity
and integrity of a message, software or digital document.
• It's the digital equivalent of a handwritten signature or stamped seal, but it offers
far more inherent security.
• A digital signature is intended to solve the problem of tampering and
impersonation in digital communications.
• Digital signatures can provide evidence of origin, identity and status of electronic
documents, transactions or digital messages.
• Signers can also use them to acknowledge informed consent.
• In many countries, including the United States, digital signatures are considered
legally binding in the same way as traditional handwritten document signatures.
How do digital signatures work?
• Digital signatures are based on public key cryptography, also known
as asymmetric cryptography.
• Using a public key algorithm, such as RSA (Rivest-Shamir-Adleman),
two keys are generated, creating a mathematically linked pair of
keys, one private and one public.
• Digital signatures work through public key cryptography's
two mutually authenticating cryptographic keys.
• The individual who creates the digital signature uses a private key to
encrypt signature-related data, while the only way to decrypt that
data is with the signer's public key.
• If the recipient can't open the document with the signer's
public key, that's a sign there's a problem with the document or
the signature. This is how digital signatures are authenticated.
• Digital signature technology requires all parties trust that the
individual creating the signature has kept the private key secret.
• If someone else has access to the private signing key, that party
could create fraudulent digital signatures in the name of the
private key holder.
What are the benefits of digital signatures?

• Security is the main benefit of digital signatures. Security capabilities embedded
in digital signatures ensure a document is not altered and signatures are
legitimate. Security features and methods used in digital signatures include the
following:
• Personal identification numbers (PINs), passwords and codes. Used to
authenticate and verify a signer's identity and approve their signature. Email,
username and password are the most common methods used.
• Asymmetric cryptography. Employs a public key algorithm that includes private
and public key encryption and authentication.
• Checksum. A long string of letters and numbers that represents the sum of the
correct digits in a piece of digital data, against which comparisons can be made
to detect errors or changes. A checksum acts as a data fingerprint.
• Cyclic redundancy check (CRC). An error-detecting code and
verification feature used in digital networks and storage devices to
detect changes to raw data.
• Certificate authority (CA) validation. CAs issue digital signatures and
act as trusted third parties by accepting, authenticating, issuing and
maintaining digital certificates. The use of CAs helps avoid the creation
of fake digital certificates.
• Trust service provider (TSP) validation. A TSP is a person or legal entity
that performs validation of a digital signature on a company's behalf
and offers signature validation reports.
Benefits to using digital signatures
• Timestamping. By providing the date and time of a digital signature,
timestamping is useful when timing is critical, such as for stock trades,
lottery ticket issuance and legal proceedings.
• Globally accepted and legally compliant. The public key infrastructure
(PKI) standard ensures vendor-generated keys are made and stored
securely. Because of the international standard, a growing number of
countries are accepting digital signatures as legally binding.
• Time savings. Digital signatures simplify the time-consuming processes
of physical document signing, storage and exchange, enabling businesses
to quickly access and sign documents.
• Cost savings. Organizations can go paperless and save money previously
spent on the physical resources and on the time, personnel and office
space used to manage and transport them.
• Positive environmental impact. Reducing paper use also cuts down on
the physical waste generated by paper and the negative environmental
impact of transporting paper documents.
• Traceability. Digital signatures create an audit trail that makes internal
record-keeping easier for business. With everything recorded and stored
digitally, there are fewer opportunities for a manual signee or
record-keeper to make a mistake or misplace something.
How do you create a digital signature?
• To create a digital signature, signing software, such as an email program, is
used to provide a one-way hash of the electronic data to be signed.
• A hash is a fixed-length string of letters and numbers generated by an
algorithm.
• The digital signature creator's private key is then used to encrypt the hash.
• The encrypted hash -- along with other information, such as
the hashing algorithm -- is the digital signature.
• The reason for encrypting the hash instead of the entire message or
document is that a hash function can convert an arbitrary input into a
fixed-length value, which is usually much shorter.
• This saves time as hashing is much faster than signing.
• The value of a hash is unique to the hashed data.
• Any change in the data, even a change in a single character, will result in
a different value.
• This attribute enables others to use the signer's public key to decrypt the
hash to validate the integrity of the data.
• If the decrypted hash matches a second computed hash of the same
data, it proves that the data hasn't changed since it was signed.
• If the two hashes don't match, the data has either been tampered with
in some way and is compromised or the signature was created with a
private key that doesn't correspond to the public key presented by the
signer -- an issue with authentication.
• A digital signature can be used with any kind of message, whether it is
encrypted or not, simply so the receiver can be sure of the sender's
identity and the message arrived intact.
• The digital signature is unique to both the document and the signer and it
binds them together. This property is called nonrepudiation.
• Digital signatures are not to be confused with digital certificates.
• A digital certificate is an electronic document that contains the digital
signature of the issuing CA.
• It binds together a public key with an identity and can be used to verify
that a public key belongs to a particular person or entity.
• Most modern email programs support the use of digital signatures and
digital certificates, making it easy to sign any outgoing emails and validate
digitally signed incoming messages.
• Digital signatures are also used extensively to provide proof of
authenticity, data integrity and nonrepudiation of communications and
transactions conducted over the internet.
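
Added example (not part of the original slides): the hash, sign and verify steps described above, in Python, using textbook RSA with no padding and a constructed, trivially factorable demo key built from Mersenne primes. The function names and the ALLOWED hash allow-list are assumptions of this sketch; production systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

# Constructed demo key from two Mersenne primes: trivially factorable,
# chosen only so the example needs no key-generation code.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
ALLOWED = {"sha256", "sha512"}  # assumption: verifier's hash allow-list


def make_keypair(p, q, e=E):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest_int(message: bytes, alg: str) -> int:
    """One-way, fixed-length hash of the data, as an integer below n."""
    return int.from_bytes(hashlib.new(alg, message).digest(), "big")


def sign(message: bytes, private, alg="sha256"):
    """Apply the private key to the hash; ship the hash algorithm with it."""
    n, d = private
    return {"alg": alg, "sig": pow(digest_int(message, alg), d, n)}


def verify(message: bytes, signature, public) -> bool:
    """Recover the signed hash with the public key and compare."""
    if signature["alg"] not in ALLOWED:  # never trust an arbitrary alg field
        return False
    n, e = public
    recovered = pow(signature["sig"], e, n)
    return recovered == digest_int(message, signature["alg"])


if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    other_public, _ = make_keypair(2**89 - 1, 2**607 - 1)  # unrelated key
    msg = b"Pay Bob 100 dollars"  # constructed sample message
    sig = sign(msg, private)
    print("intact message:  ", verify(msg, sig, public))
    print("one char changed:", verify(b"Pay Bob 900 dollars", sig, public))
    print("wrong public key:", verify(msg, sig, other_public))
```

The two failing cases correspond to the two causes of a hash mismatch listed above: altered data, and a signature that does not match the presented public key.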
Uses of digital signatures
• Industries use digital signature technology to streamline processes and
improve document integrity. Industries that use digital signatures include
the following:
• Government. 
– The U.S. Government Publishing Office (GPO) publishes electronic versions of budgets,
public and private laws, and congressional bills with digital signatures.
– Digital signatures are used by governments worldwide for a variety of reasons, including
processing tax returns, verifying business-to-government (B2G) transactions, ratifying
laws and managing contracts.
– Most government entities must adhere to strict laws, regulations and standards when
using digital signatures.
– Many governments and corporations also use smart cards to ID their citizens and
employees. These are physical cards endowed with a digital signature that can be used
to give the cardholder access to an institution's systems or physical buildings.
• Healthcare. 
– Digital signatures are used in the healthcare industry to improve the efficiency of
treatment and administrative processes, to strengthen data security, for e-prescribing and
hospital admissions.
– The use of digital signatures in healthcare must comply with the Health Insurance
Portability and Accountability Act (HIPAA) of 1996.
• Manufacturing. 
– Manufacturing companies use digital signatures to speed up processes, including product
design, quality assurance (QA), manufacturing enhancements, marketing and sales.
– The use of digital signatures in manufacturing is governed by the International
Organization for Standardization (ISO) and the National Institute of Standards and
Technology (NIST) Digital Manufacturing Certificate (DMC).
• Financial services. 
– The U.S. financial sector uses digital signatures for contracts, paperless banking, loan
processing, insurance documentation, mortgages and more.
– This heavily regulated sector uses digital signatures with careful attention to the
regulations and guidance put forth by the Electronic Signatures in Global and National
Commerce Act (E-Sign Act), state Uniform Electronic Transactions Act (UETA)
regulations, the Consumer Financial Protection Bureau (CFPB) and the Federal
Financial Institutions Examination Council (FFIEC).
• Cryptocurrencies. 
– Digital signatures are also used in bitcoin and other cryptocurrencies to authenticate
the blockchain.
– They are also used to manage transaction data associated with cryptocurrency and as
a way for users to show ownership of currency or their participation in a transaction.
Cryptography
• Cryptography is the study of secure communications
techniques that allow only the sender and intended
recipient of a message to view its contents.
• The term is derived from the Greek
word kryptos, which means hidden.
• It is closely associated with encryption, which is the act
of scrambling ordinary text into what's known as
ciphertext and then back again upon arrival. 
• When transmitting electronic data, the most common use of cryptography is to encrypt
and decrypt email and other plain-text messages.
• The simplest method uses the symmetric or "secret key" system.
• Here, data is encrypted using a secret key, and then both the encoded message and secret
key are sent to the recipient for decryption.
• The problem? If the message is intercepted, a third party has everything they need to
decrypt and read the message.
• To address this issue, cryptologists devised the asymmetric or "public key" system.
• In this case, every user has two keys: one public and one private.
• Senders request the public key of their intended recipient, encrypt the message and send
it along.
• When the message arrives, only the recipient's private key will decode it — meaning theft
is of no use without the corresponding private key.
What is the difference between symmetric
(private cryptography) and asymmetric
cryptography (public cryptography)?
• With symmetric cryptography, the same key is used for both
encryption and decryption.
– A sender and a recipient must already have a shared key that is known to both.
– Key distribution is a tricky problem and was the impetus for developing
asymmetric cryptography.
• With asymmetric crypto, two different keys are used for encryption and
decryption.
– Every user in an asymmetric cryptosystem has both a public key and a private
key.
– The private key is kept secret at all times, but the public key may be freely
distributed.
PUBLIC KEY CRYPTOGRAPHY
SYMMETRIC KEY CRYPTOGRAPHY
• Data encrypted with a public key may only be decrypted with
the corresponding private key.
• So, sending a message to John requires encrypting that message
with John’s public key.
• Only John can decrypt the message, as only John has his private
key.
• Any data encrypted with a private key can only be decrypted
with the corresponding public key.
• Similarly, Jane could digitally sign a message with her private
key, and anyone with Jane’s public key could decrypt the signed
message and verify that it was in fact Jane who sent it.
• Symmetric is generally very fast and ideal for encrypting large amounts of
data (e.g., an entire disk partition or database).
• Asymmetric is much slower and can only encrypt pieces of data that are
smaller than the key size (typically 2048 bits or smaller).
• Thus, asymmetric crypto is generally used to encrypt symmetric encryption
keys which are then used to encrypt much larger blocks of data.
• For digital signatures, asymmetric crypto is generally used to encrypt the
hashes of messages rather than entire messages.
• A cryptosystem provides for managing cryptographic keys including
generation, exchange, storage, use, revocation, and replacement of the keys.
Public and Private Key
• Bob wants to send Alice an encrypted email. To do this,
Bob takes Alice’s public key and encrypts his message to
her. Then, when Alice receives the message, she takes the
private key that is known only to her in order to decrypt
the message from Bob.
• Public keys have been described by some as being like a
business’ address on the web – it’s public and anyone can
look it up and share it widely. In asymmetric encryption,
public keys can be shared with everyone in the system.
Once the sender has the public key, he uses it to encrypt
his message.
• Each public key comes paired with a unique private key.
Think of a private key as akin to the key to the front door
of a business where only you have a copy. This defines one
of the main differences between the two types of keys.
The private key ensures only you can get through the front
door. In the case of encrypted messages, you use this
private key to decrypt messages.
• Together, these keys help to ensure the security of the
exchanged data. A message encrypted with the public key
cannot be decrypted without using the corresponding
private key.
