Digital Signature

Sometime back, I used to think that digital signature was a scanned copy or an image (JPG) of my physical signature and embedding this image in a document would make the document digitally signed. Many of us may still do not understand Digital signature and this small write-up is intended to provide an introduction.

We are familiar with a contract on paper, signing which implies that both parties have read the contract and accepted the terms of the contract. Changes to the contract are not allowed unless they are countersigned. Is this possible on a soft copy? How do we ensure that the document is signed by the person who he / she claims to be and the document has not changed after it has been signed. This is made possible using Digital Signature.

Digital Signature employs asymmetric cryptography. Symmetric cryptography (encryption) is one where the encryption and decryption happens using the same key, where as in asymmetric cryptography a pair of keys are used. Data encrypted using any one key can only be decrypted using the other key in the pair.

Certifying Authority (CA) issues a Digital Certificate (a Public Key and Private key) to an applicant after his / her credentials are verified. The private key is known only to the individual who owns the certificate, while the public key is for public consumption. The certificate carries details such as the Name of the person, organization details, e-mail address and many other details. The certificate is also protected by a PIN for usage.

Asymmetric encryption is extremely complex and requires a huge computation power, hence this not suited for encrypting large documents. So instead, the document is hashed using a standard hashing algorithm such as SHA1. The hash changes for the smallest of change to the document. To sign a document, the Private Key encrypts this hash and adds this to the document, along with other details of the certificate, which forms the Digital Signature. The document is still in clear text, but a Digital Signature is embedded into it.

A receiver can verify the details of the person signing it, as the certificate details can be verified against the details stored in the CA. The verification process decrypts the encrypted hash (Digital Signature) stored within the document using the public key and next, it generates the hash of the document and compares the two. If hashes are identical, it can be concluded that the document has not changed after it was signed.

The diagram below provides a pictorial representation of the Digital Signature and verification process

A valid Digital Signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital Signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery and tampering.