Digital Signatures and Digital Certificates (Copy)

17.4 Digital Signatures and Digital Certificates

Key Concepts and Definitions

• Digital Signature
  • An electronic method of validating the authenticity and integrity of a digital document.
  • Ensures that the document is from a known sender and has not been altered during transmission.
• Digest
  • A fixed-size numeric value representing a message’s content, generated using a hashing algorithm.
  • Can be encrypted to form a digital signature.
• Hashing Algorithm
  • A cryptographic function that converts data into a unique numeric string.
  • Used in digital signatures to ensure message integrity.
• Digital Certificate
  • An electronic document used to verify the identity of an individual or a website.
  • Contains the public key and information about the owner.
  • Issued by a trusted Certificate Authority (CA).

17.4.1 Digital Signatures

Purpose of Digital Signatures

1. Authentication
   • Ensures the sender is genuine.
   • Verifies the identity of the person or organization signing the document.
2. Non-Repudiation
   • Prevents the sender from denying they signed the document.
   • A legally binding form of electronic verification.
3. Data Integrity
   • Guarantees that the content has not been tampered with after signing.
   • Any change to the original data will alter the digital signature.
4. Confidentiality
   • Ensures that sensitive data is not accessible to unauthorized users.
   • Often used in combination with encryption for secure communications.

How Digital Signatures Work

1. Generating a Digital Signature

• The sender applies a hashing algorithm to the original message, producing a digest.
• The digest is then encrypted using the sender’s private key, creating the digital signature.
• The original document and the digital signature are sent to the recipient.

2. Verifying a Digital Signature

• The recipient:
  1. Extracts the digital signature and decrypts it using the sender’s public key, obtaining the digest.
  2. Hashes the received document using the same hashing algorithm.
  3. Compares the two digests. If they match, the document is authentic and untampered.

Example: Use of Digital Signatures

• Suppose Alice sends a contract to Bob via email.
• Alice generates a digest from the contract and encrypts it using her private key.
• Bob receives both the contract and the digital signature.
• Bob decrypts the digital signature with Alice’s public key and verifies the digest.
• If the computed digest matches the decrypted one, Bob confirms that:
  • The contract was indeed signed by Alice.
  • The contract has not been modified after signing.

Hashing and its Role in Digital Signatures

• A hashing algorithm (e.g., SHA-256, MD5) is used to generate a fixed-length digest.
• Even a minor change in the input data results in a completely different digest (known as the avalanche effect).
• The hash is one-way, meaning it cannot be reversed to obtain the original message.

Limitations of Digital Signatures

• If an attacker intercepts the communication and replaces the sender’s public key with their own, they can send fraudulent messages.
• This leads to the need for Digital Certificates, issued by a Certificate Authority (CA) to ensure trust.

17.4.2 Digital Certificates

What is a Digital Certificate?

• A digital certificate is an electronic file that proves the legitimacy of an entity (e.g., a website, business, or person).
• It is issued and verified by a Certificate Authority (CA).
• The certificate contains a public key, allowing encrypted communication.

Components of a Digital Certificate

A digital certificate typically contains:

1. Version number – Identifies the format of the certificate.
2. Serial number – Unique identifier assigned by the CA.
3. Algorithm identification – Specifies the cryptographic algorithm used.
4. Certificate issuer – Name of the CA that issued the certificate.
5. Validity period – Start and expiration dates of the certificate.
6. Owner information – Name and details of the entity to whom the certificate is issued.
7. Public key – Used for encrypting and verifying digital signatures.
8. Issuer’s identifier – Helps verify the legitimacy of the certificate.
9. Signature algorithm – Specifies how the certificate is signed.
10. Digital signature – The certificate itself is signed by the CA using their private key.

Process of Obtaining a Digital Certificate

1. The applicant (individual or organization) submits a request to a Certificate Authority (CA).
2. The CA verifies the applicant’s identity.
3. Once verified, the CA generates a digital certificate and signs it using their private key.
4. The certificate is sent to the applicant, who can use it to establish trust in online transactions.

Example: Secure Website Authentication

• When a user visits a secure website (HTTPS), the browser requests the website’s digital certificate.
• The browser checks:
  • The certificate’s validity and expiration date.
  • Whether the certificate is issued by a trusted CA.
  • Whether the domain name on the certificate matches the website’s URL.
• If valid, the browser encrypts data using the website’s public key, ensuring secure communication.

Self-Signed Certificates vs CA-Issued Certificates

Self-Signed Certificates

• Generated by individuals or businesses without a CA.
• Can be used for internal applications but not trusted on public networks.
• Often causes security warnings in browsers.

CA-Issued Certificates

• Trusted by browsers and operating systems.
• Used for securing websites, email communications, and software distribution.
• Examples of well-known CAs:
  • Symantec
  • Entrust
  • DigiCert

17.4.3 The Role of Public Key Infrastructure (PKI)

• PKI (Public Key Infrastructure) is a framework of policies and technologies to manage digital certificates and encryption keys.
• Components of PKI:
  • Certificate Authority (CA) – Issues and verifies digital certificates.
  • Registration Authority (RA) – Verifies user identity before certificate issuance.
  • Certificate Revocation List (CRL) – A list of revoked certificates.
  • Key Management System – Handles public-private key generation and storage.

Importance of Digital Signatures and Certificates

1. Securing Online Transactions
   • Digital certificates ensure trust in e-commerce, banking, and cloud services.
2. Email Security
   • Email signing prevents phishing and email spoofing.
3. Software Integrity
   • Developers sign software to prove authenticity and prevent malware distribution.
4. Legal Compliance
   • Many countries recognize digital signatures as legally binding for contracts.

Conclusion

• Digital signatures ensure authentication, integrity, and non-repudiation.
• Digital certificates verify the identity of websites and individuals, preventing fraud.
• PKI provides a secure framework for managing encryption keys and certificates.
• The combination of digital signatures and certificates is essential for secure communications and online trust.