Digital Signatures & Certificates

Introduction

Encryption is the process of converting electronic data into another form, called cipher text, which cannot be easily understood by anyone except authorised parties. Encryption helps to ensure confidentiality of data in transit and at rest.

Decryption is the process of converting cipher text back into the original readable form (plaintext).

• At the sender's end a message is encrypted using an encryption algorithm and a key; at the receiver's end it is decrypted using the corresponding decryption algorithm and key.
• Encryption and decryption techniques are used to keep sensitive information-such as passwords, personal data, financial transactions-secure from eavesdroppers and attackers.

Types of Encryption

1. Symmetric encryption - The same secret key is used for both encryption and decryption. Symmetric algorithms are generally faster and suitable for bulk data encryption. Examples include AES and DES (AES is the modern standard; DES is now considered insecure).
2. Asymmetric encryption - Also called public-key cryptography. Each user has a public key and a private key. The public key may be shared with everyone; the private key is kept secret by the owner. Either key can be used to encrypt, and the opposite key is used to decrypt. Asymmetric algorithms are widely used for secure key exchange, digital signatures and authentication. Examples include RSA and ECC.

Public key - a key that is distributed to others. Example: if the public key of user A is 7, that information is known to everyone.

Private key - the secret key known only to its owner. The private key must be kept confidential.

Security Properties

Authentication is the process by which a system verifies the identity of a user, device or process that wishes to access it.

Non-repudiation ensures that a party to a communication cannot later deny the authorship of a message they sent, and the recipient cannot deny receiving it. Digital signatures provide non-repudiation when private keys are protected.

Integrity guarantees that the message was not altered during transmission. Integrity is typically provided by hash functions and signatures.

Message Digest and Hash Functions

A message digest is a fixed-length numeric representation of a message produced by a one-way hash function. A one-way hash function is easy to compute in the forward direction (message → hash) but computationally infeasible to invert (hash → original message) or to find collisions (two different messages with the same hash).

Common hash algorithms include SHA-256 and (historically) MD5; MD5 and some older hashes are now considered weak because of collision attacks. Hash functions are used to produce a compact summary of a message which can then be signed efficiently.

Digital Signature

A digital signature is a mathematical construct used to validate the authenticity and integrity of a message, software or digital document. A valid digital signature gives the recipient confidence that the message was created by a known sender (authentication), was not altered (integrity) and - if the sender cannot deny having signed - provides non-repudiation.

1. Key generation algorithms: A pair of keys (public key, private key) is generated according to the rules of an asymmetric algorithm. The private key is used for signing; the public key is used by verifiers to check signatures. Proper key generation and secure storage of the private key are essential.
2. Signing algorithms: To create a signature, the signing algorithm first computes a one-way hash (message digest) of the data to be signed. The signing algorithm then encrypts the message digest with the signer's private key; the resulting encrypted digest, together with information about the hash algorithm, is the digital signature. Hashing before signing improves performance and ensures a fixed input size to the signing operation.
3. Signature verification algorithms: The verifier receives the message and the digital signature. The verifier uses the signer's public key and the verification algorithm to recover the digest from the signature. The verifier also computes the hash of the received message locally. If the recovered digest and the locally computed digest are identical, the signature is valid; otherwise it is invalid.

Procedure for Creating and Verifying a Digital Signature

1. The sender computes the message digest by applying a hash function to the message.
2. The sender encrypts the message digest using the sender's private key to form the digital signature. In symbolic form: digital signature = encryption(private key of sender, message digest) and message digest = hash(message).
3. The sender transmits the message together with the digital signature.
4. The receiver decrypts the digital signature using the sender's public key; this yields the message digest that the signer produced.
5. The receiver computes the message digest of the received message using the same hash function.
6. If the decrypted digest and the locally computed digest match, the receiver accepts the signature as valid, which confirms both integrity and authenticity of the message.

The use of a hash function before signing is critical because it makes signing computationally efficient (the signer signs a short, fixed-length digest rather than a large document) and it ensures that small changes in the message produce a different digest.

Digital Certificates

A digital certificate is an electronic document issued by a trusted third party, called a Certificate Authority (CA), that binds a public key to the identity of its holder. Certificates enable others to verify that a given public key belongs to a specific person, device or service.

Most widely used certificate format is the X.509 standard; certificates issued under this standard contain structured fields with identifying and cryptographic information.

Typical contents of a digital certificate include:

1. Name of the certificate holder (subject).
2. Serial number, used to uniquely identify the certificate.
3. Validity period (start and expiration dates).
4. A copy of the certificate holder's public key.
5. Digital signature of the issuing Certificate Authority (CA).

Certificates are used to establish a chain of trust. A verifier checks the CA's signature on the certificate and, if necessary, that CA's certificate up to a trusted root CA. Certificate revocation mechanisms such as Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) allow certificates to be marked invalid before their expiry date.

Digital certificates are commonly used in:

• HTTPS/TLS for secure web browsing (server certificates and client certificates).
• Email signing and encryption (S/MIME).
• Code signing to verify the publisher of software.
• VPNs, secure device authentication and many other secure communications.

Difference between Digital Signature and Digital Certificate

• A digital signature is a cryptographic construct attached to data to prove authenticity, integrity and non-repudiation of that specific data.
• A digital certificate is an identity document issued by a CA that binds a public key to an individual, device or organisation; it helps others trust that a public key belongs to the stated subject.
• Both are complementary: signatures use private keys and the corresponding public keys; certificates allow verifiers to obtain and trust the correct public key for verification.

Understanding how digital signatures and certificates work together is essential for designing and evaluating secure communication systems. Digital signatures provide the mechanism to sign data; certificates provide a trusted way to associate public keys with identities so signatures can be verified reliably.