Tue Nov 29

Digital Signature Explained

Peer-to-peer communication is common on the internet, whether you are contacting a business partner or work colleagues or simply sending a message to friends and family. In real life, it is easy to meet and talk to someone face to face, and you know who you are talking to. But what about doing it over the internet?

How do you know you are talking to the “real” one and not a fake one? When surfing the internet, how do you know that you are really communicating with youtube.com, for example, and not a fake copy?

The internet is a public network and, of course, it is not really a safe place. Once the data goes out there, it is hard to know what really happened to it. In most cases, you need to communicate with someone without any disruption from a third party. As the information you want to send to another party might be confidential, data integrity and authenticity are therefore critical. This is where the digital signature comes in.

What is digital signature?

A digital signature is an encrypted signature, generated using a mathematical algorithm, that is embedded in the actual message and works as a form of authentication. Think of it like a handwritten signature that proves the authenticity of the message.

When making a contract with someone, handwritten signatures may be used to bind both parties to comply with the contract. In case of a contract breach, it wouldn’t make sense to file a lawsuit if the violator never signed the contract. Just as the handwritten signature works as authentication to verify the identity of the promisee and promisor, a digital signature works the same way.

Why use digital signatures?

There are several reasons for using digital signatures. The first is authenticity. As stated above, a digital signature authenticates the sender of the document or message.

The second is integrity. It is possible for anyone out there to intercept and manipulate your message or document and forward it to the intended recipient. Because this could be extremely detrimental for both parties, a digital signature helps you ensure the data sent is not altered while on its way.

The third one is non-repudiation. Working like a digital fingerprint, the sender can’t deny any previously sent message with a digital signature. Because of these reasons, digital signatures are commonly used in financial transactions.

How does digital signature work?

The digital signature relies on asymmetric key cryptography. Asymmetric cryptography uses a pair of mathematically related keys: the public key and the private key.

Take a look at this example.
Bob and Carl want to send messages to each other. As you may already know from asymmetric key cryptography, the public key is accessible to the public. When Bob sends a message to Carl, Carl will have Bob’s public key.

On Bob’s side, the plain text message written by him is converted into a digest using a hash algorithm. The hash algorithm itself is not meant to encrypt the message, but it will be used as an identifier or digital fingerprint of the sender. The hash algorithm works as a one-way function, meaning that it is irreversible. Due to this, even a slight alteration of the original message will change the whole digest or hash. The digest is then encrypted using Bob’s private key.

The digital signature is the encrypted digest. It is important to note that the original message itself is not encrypted. In order to encrypt the plain text message as well, Bob needs Carl’s public key, as explained in the asymmetric key cryptography section [here](https://www.binaryte.com/blog/the-basics-of-cryptography).

On Carl’s side, the encrypted digest needs to be decrypted first using Bob’s public key. Successful decryption reveals the original value of the digest. Let’s call it digest A. Using the same hash algorithm on the plain text, Carl should now have the same digest as Bob does (digest B). Digests A and B are then compared, and both values have to be the same. A difference means that the message has been altered, because we know that a slight change to the message results in a different hash or digest.

The caveats

In fact, the hash itself can still be cracked using some software programs. Hash functions are frequently used to store passwords in a database. For example, MD5 is no longer safe to use. Why is that? There are several methods an attacker can use to crack a hash or digest.

Brute force

With the help of a computer, the attacker guesses every possible combination. For example, to crack the password “123456”, the machine will try combinations like “000001”, then “000002”, then “000003” and so on until it gets the actual password. Cracking a digest works the same way.

This method requires tons of computing power, especially CPU and GPU. Back then, it required one of the most powerful PCs to do the job. Today, however, anybody could have such a machine at home, so it can be done by anyone. As technology progresses, old hashing algorithms become obsolete because they take less and less time to crack.

Dictionary

The data leaks are a treasure trove for the attacker. With the huge database of personal information, the cracking process can be done in no time. Using some predefined word lists, the attacker simplifies the process further, by telling the machine to search the word from the dictionary. Because of this, the process can be done almost immediately.

Collision

A collision means that the MD5 hash of two different pieces of data or words is identical. While it is less likely, it is still possible. If an attacker can make a file with the same hash, the attacker can exploit this vulnerability and still change the actual message. Unfortunately, you wouldn’t know what happened, as the hash remains the same.

Conclusion

The digital signature is very useful for ensuring data integrity as well as authenticity with the help of a hash function algorithm. Due to its complexity, many hash algorithms are no longer considered secure. However, there are still many choices that provide you with better security at the cost of performance, like SHA-256 and Whirlpool.