Digital Signature & Certificates Explained
A manual or pen-on-paper signature has significance only when it binds itself to a document. This binding is evidenced by the physical paper which is shared by the document and the signature; it won’t do to put the signature on a separate piece of paper and attach it to a document. Further, any alterations made to the original text of the document are also suspect unless additionally authorized by signature. To recap, what is important is not the signature per se but its binding to the text authorized by it.
As there is no equivalent of paper in the electronic environment which can physically evidence the binding of a signature to a text, a different mechanism has to be found to achieve this very result. Another difference between the electronic and paper environments is LOVE (Loss Of Visual Evidence) of any alterations to the original text of a document. As we will shortly see, in the electronic mechanism the binding itself takes care of detecting any alteration.
A digital signature is implemented using a pair of asymmetric keys. Asymmetric means that there is a pair of keys: encryption is done using one key, and decryption is possible only using the corresponding key from the same pair. One of the keys is Private and is known to and in the exclusive possession of the signatory, while the other is published and is known as the Public key of the signatory. The electronic document to be signed is encrypted by the signatory using his Private key and the encrypted text is sent along with the plain text. The recipient decrypts the encrypted text using the published Public key of the signatory and then compares the decrypted text with the plain text. If the two tally, the signature is taken as genuine. It is not difficult to see that both the end results stated above for pen-on-paper stand achieved.
In actual practice, one more step is added in Digital Signature with a view to keeping the encrypted text brief even if the plain text to be signed is huge. This is done by first creating a fixed-length hash (digest) of the plain text using an approved algorithm. The algorithm ensures that the same hash cannot result from a different plain text and also that the plain text cannot be derived from the hash. Now this fixed-length hash is encrypted using the Private key and sent along with the plain text. Signature verification at the recipient's end takes place by a) creating a hash from the plain text using the same algorithm as used by the sender, b) decrypting the encrypted hash using the signatory’s Public key, and c) comparing the decrypted hash with the computed hash.
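The hash-then-sign procedure and verification steps a) to c) above, as an added example that is not part of the original page. It assumes SHA-256 as the hash and unpadded "textbook" RSA with a constructed demo key built from two Mersenne primes, so that it runs with the standard library alone; production signatures use a padding scheme such as RSASSA-PSS from a vetted library and randomly generated keys.

```python
import hashlib
import hmac

# Constructed demo key (assumption of this example): two Mersenne primes,
# chosen only so the code runs offline. Never build a real key this way.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the signatory


def digest(plain_text: bytes) -> int:
    """Fixed-length hash (SHA-256) of the plain text, as an integer."""
    return int.from_bytes(hashlib.sha256(plain_text).digest(), "big")


def sign(plain_text: bytes, d: int = D, n: int = N) -> int:
    """Signatory: hash the text, then transform the hash with the Private key."""
    return pow(digest(plain_text), d, n)


def verify(plain_text: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: steps a), b) and c) from the text."""
    if not 0 <= signature < n:         # reject values outside the key's range
        return False
    computed = digest(plain_text)      # a) hash the received plain text
    recovered = pow(signature, e, n)   # b) apply the signatory's Public key
    size = (n.bit_length() + 7) // 8
    return hmac.compare_digest(        # c) compare the two hashes
        computed.to_bytes(size, "big"), recovered.to_bytes(size, "big"))


if __name__ == "__main__":
    message = b"Pay Rs. 1,000 to A. Kumar"      # constructed sample text
    sig = sign(message)
    print("genuine text :", verify(message, sig))
    # Altering a single character changes the hash, so the binding breaks.
    print("altered text :", verify(b"Pay Rs. 9,000 to A. Kumar", sig))
```

Because the signature covers the hash of the text, the altered message fails verification even though the signature itself was left untouched.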
It is not difficult to see that the digital signature method described above establishes the genuineness of the signature (non-repudiation) but does not enforce confidentiality as the plain text is also sent as part of the signed message. Confidentiality can be ensured by encrypting the complete signed message with the recipient’s Public key. Now this signed message (including the plain text) stands encrypted and can be decrypted only by the recipient using his Private key. Signature verification can be done after decryption.
Finally, how does one establish the genuineness of the Public key of the signatory, especially an unfamiliar one? This is done by each signatory getting his Public key certified by a trusted third party called a Certificate Authority (CA). The CA satisfies itself about the identity of the signatory and the possession by him of the Private key that corresponds to the Public key that is to be c