What are digital signatures and digital certificates?
Digital signatures rely on asymmetric key cryptography. Before we go into digital signatures, let’s briefly go into how asymmetric key cryptography works.
With asymmetric key cryptography, there is a pair of mathematically related keys. If you encrypt a message with one of the keys, then the other key and only the other key can be used to decrypt it.
Take for example Jason and Amy. If Amy wants Jason to send her a secret message, she needs an asymmetric pair of keys. A computer program can generate these for her. She sends Jason a copy of one of the keys and she keeps the other key to herself.
However, instead of sending Jason a key, she could put a key in a public place (such as on her website or social media profile) for him to go and fetch himself. It does not matter if someone else gets a copy of the public key.
Jason uses that public key to encrypt his message. When Jason has encrypted the message, he sends Amy the ciphertext (the encrypted text). Only Amy can decrypt the ciphertext because only Amy has the matching private key.
Well, it so happens that it doesn’t matter which one of the keys is made public and which one is kept private. If you encrypt a message with either one, then the other and only the other can be used to decrypt it.
As long as Amy does not change her mind later, Amy can decide which one of the keys will be private, and which one will be public. This is the crucial feature of asymmetric key cryptography that makes digital signatures possible.
Now let’s think about why we even need digital signatures.
Once upon a time not so long ago, if you wanted proof that a document was sent to you by a particular person, it needed a handwritten signature on it. Only written signatures were legally binding. But these days, it is possible to put a digital signature on a document.
Take for example Adam and Jane. Adam wants to send a document to Jane by email. In this instance, there is nothing secret about the document. Neither of them cares if someone else reads it. Jane just wants to be sure that the message definitely came from Adam, and that nobody else has tampered with it along the way.
Before his document is sent, some software on Adam’s computer prepares the digital signature. The purpose of this software is to create something called a ‘hash’ of the document. These days, most computers do this using an algorithm called SHA-256, which was invented by the USA’s National Security Agency (NSA).
SHA-256 takes a copy of the document text, and subjects it to a sequence of complex mathematical calculations and other transformations. The result is called a ‘hash value’, which is sometimes referred to as a digest of the document.
The hashing process has been designed so that even the tiniest difference in the original document would result in a completely different hash value. This part of the hashing process is not encryption, because the transformations done by SHA-256 are practically impossible to reverse. You cannot take a hash value to work out what was in the original document. Similarly to baking a cake, hashing is a one-way process.
But, if you were to apply the same process to the same document, you would get exactly the same hash.
Some software on Adam’s computer now encrypts the hash using Adam’s private key, and the encrypted hash is embedded in the original document. The document now has a digital signature.
Adam sends Jane a copy of the signed document. He also sends her a copy of the public key. Alternatively, he can put the public key in a public place for Jane to go and fetch. Jane’s computer decrypts the signature using Adam’s public key. If she successfully decrypts it, she can confirm that it came from Adam.
Jane’s computer then uses SHA-256 to calculate the hash value again using the text of the document. If the hash value that Jane’s computer calculates is the same as the hash value that was sent by Adam, she can be pretty sure that it has not been interfered with since it was created.
In this case, Adam and Jane do not mind if anyone else has seen the document or gets hold of Adam’s public key. Their only concern is that they want to be sure that the document was sent by Adam.
Of course, anyone else could have been pretending to be Adam from the start. A cybercriminal could create a fake document, hash it with SHA-256 and generate an asymmetric pair of keys using their computer.
So how can Jane be really sure that she is communicating with Adam? That is where digital certificates come in.
For a fee, Adam could apply for a digital certificate to a well-known and well-trusted organisation called a Certification Authority. Certification Authorities include companies like Symantec, Verisign and GlobalSign.
As part of the application process, Adam’s computer generates an asymmetric pair of keys, and he sends the public key to the Certification Authority along with various details about himself.
The Certification Authority carefully checks that Adam is who he says he is. Then they will send him a special type of file called a digital certificate. This contains details about Adam along with information about the Certification Authority and an expiry date.
Bound to this digital certificate is Adam’s public key. Adam still has the corresponding private key which never left his computer. Adam must of course keep his private key safe.
Now when Adam sends a signed document to Jane, he can also send her a copy of the whole certificate, or put it in a public place for her to retrieve. This means that when Jane wants to decrypt something that Adam has encrypted, she can inspect this certificate first and if she is happy to trust it, she can use the public key within (the public key that has been guaranteed by the Certification Authority to belong to Adam). Essentially, the Certification Authority is vouching for Adam.
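The signing and verification steps, the impostor problem and the certificate check described above, shown together as an added example that is not part of the original article. It uses textbook RSA without padding and fixed Mersenne primes so that it runs with only the Python standard library, which is not secure for real use; the function names, the JSON certificate layout and the sample documents are assumptions made for illustration.

```python
import hashlib
import json

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes; returns (public, private) as (n, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # SHA-256 as an integer

def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)  # transform the hash with the private key

def verify(data, signature, public):
    n, e = public
    # Undo the transform with the public key, then compare with a fresh hash.
    return pow(signature, e, n) == digest(data)

def issue_certificate(subject, subject_public, ca_private):
    """The CA signs the binding between a name and a public key."""
    body = {"subject": subject, "public_key": list(subject_public)}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(encoded, ca_private)}

def key_from_certificate(cert, ca_public):
    """Return the certified public key, or None if the CA signature fails."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    if not verify(encoded, cert["signature"], ca_public):
        return None
    return tuple(cert["body"]["public_key"])

# Constructed demo keys from known Mersenne primes; textbook RSA, not secure.
ADAM_PUB, ADAM_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**607 - 1)
FAKE_PUB, FAKE_PRIV = make_keypair(2**89 - 1, 2**1279 - 1)  # impostor's own pair

document = b"I, Adam, agree to the terms."  # constructed sample document
signature = sign(document, ADAM_PRIV)
adam_cert = issue_certificate("Adam", ADAM_PUB, CA_PRIV)
forged_doc = b"I, Adam, agree to pay 1000."  # impostor's document
forged_sig = sign(forged_doc, FAKE_PRIV)
forged_cert = issue_certificate("Adam", FAKE_PUB, FAKE_PRIV)  # self-signed, not by the CA

if __name__ == "__main__":
    print(verify(document, signature, key_from_certificate(adam_cert, CA_PUB)))
    print(verify(forged_doc, forged_sig, FAKE_PUB), key_from_certificate(forged_cert, CA_PUB))
```

The impostor's signature verifies against the impostor's own public key, which is why a signature alone does not establish identity; only the certificate check against the Certification Authority's public key rejects it.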
Needless to say, applying to a Certification Authority for a digital certificate is in itself a very secure process. Anything the Certification Authority sent to Adam was digitally signed by them using their own digital certificate. And this is typically provided by an even higher Certification Authority.
In the year 2000, a law was passed in the UK called the Electronic Communications Act. This law made digital signatures legally binding, and this has allowed businesses to thrive on the web.
Since then, we have seen the rise of cryptocurrencies like Bitcoin. A cryptocurrency is fundamentally a secure list of who paid who how much. Updating this list depends largely on digital signatures.