Overview of Digital Signatures, Certificates, and Hashing


While encryption protects the contents of your message, it does nothing to prove or verify that you’re the person who actually sent it. This process of proving the source of a message or website is called authentication. When you’re shopping online, authentication is a pretty important concept. In that case, while you still want and need to have those credit card numbers encrypted, you also want and need to authenticate the recipient.

    Information
Authentication: Verifying the identity of a message sender or website.


Legitimate retailers know you’re concerned about potential fraud. So, they provide things like digital signatures and certificates to prove to you that they’re who they say they are. You just make note of what the vendor is doing to protect your data. You don’t actually have to DO anything.

Three common methods are used for authentication: hashing, digital signatures, and digital certificates.





Hashing

Hashing, most commonly a one-way hash, is a method used to verify data rather than encrypt it. Hashing is generating a value or values from a string of text using a mathematical function. With this method, a one-way hash algorithm is applied to the plaintext. The result is a “message digest” attached to the original plaintext message.

You’ve probably seen a hash string on the downloads page of some of your favorite tools, packages, or libraries. For example, Kali Linux has one for each of its releases. But why is that?

This is to ensure that the original file on their server is the same as the one that you’ve downloaded. For example, the SHA-256 hash of the Kali ISO is below.

[Image: SHA-256 hash of the Kali ISO]

If the resulting hash is equivalent to the one found on their website, you can rest assured that the file has not been tampered with during the download and that you have the same, correct file.

Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with.






Digital Signatures

A digital signature is another method used to verify the sender of a message. Unlike hashing, digital signatures do use encryption—specifically, a type of public key encryption which uses two algorithms, one for encrypting and the other for decrypting the digital signature.

In simple terms, a digital signature is attached to encrypted data to ensure two things: (1) that the message is authentic and intact and (2) that the message sender is authenticated. Using a digital signature has the same effect as using hashing along with encryption. It simply does so using a slightly different methodology.

Digital signatures are like electronic “fingerprints.” In the form of a coded message, the digital signature securely associates a signer with a document in a recorded transaction. Digital signatures use a standard, accepted format, called Public Key Infrastructure (PKI), to provide the highest levels of security and universal acceptance.


PKI requires the provider to use a mathematical algorithm to generate two long numbers, called keys. One key is public, and one key is private.

When a signer electronically signs a document, the signature is created using the signer’s private key, which is always securely kept by the signer. The mathematical algorithm acts like a cipher, creating data matching the signed document, called a hash, and encrypting that data. The resulting encrypted data is the digital signature. The signature is also marked with the time that the document was signed. If the document changes after signing, the digital signature is invalidated.

To protect the integrity of the signature, PKI requires that the keys be created, conducted, and saved in a secure manner, and often requires the services of a reliable Certificate Authority (CA). Digital signature providers, like DocuSign, meet PKI requirements for safe digital signing.






Digital Certificates

A digital certificate is an electronic "password" that allows a person or organization to exchange data securely over the Internet using the public key infrastructure (PKI). A digital certificate is also known as a public key certificate or identity certificate.

Digital certificates are a means by which consumers and businesses can utilise the security applications of Public Key Infrastructure (PKI). PKI comprises the technology that enables secure e-commerce and Internet-based communication.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key.

Digital certificates function similarly to identification cards such as passports and drivers’ licenses. Digital certificates are issued by recognized (government) authorities. When someone requests a certificate, the authority verifies the identity of the requester, certifies that the requester meets all requirements to receive the certificate, and then issues it. When a digital certificate is presented to others, they can verify the identity of its owner because the certificate provides the following security benefits:

  • It contains personal information to help identify and trace the owner.
  • It contains the information that is required to identify and contact the issuing authority.
  • It is designed to be tamper-resistant and difficult to counterfeit.
  • It is issued by an authority that can revoke the identification card at any time (for example, if the card is misused or stolen).
  • It can be checked for revocation by contacting the issuing authority.

To avoid the problem of forged digital signatures, eCommerce retailers instead make use of a digital certificate. A digital certificate contains a person’s or corporation’s public key. This is exactly like a digital signature. The difference is that a digital certificate is issued by a trusted third party who verifies independently that the certificate belongs to the person claiming ownership.
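The signing steps from the Digital Signatures section and the trusted-third-party check described above, as an added example that is not part of the original article. It uses textbook RSA with small hard-coded primes and no padding purely to make the steps visible (real systems use a vetted library and full-size keys); the certificate layout, `shop.example`, and the key and message names are assumptions.

```python
import hashlib

E = 65537  # common public exponent


def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (n, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest_int(data, n):
    """SHA-256 of the data as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):
    """Hash the data, then transform the hash with the private key."""
    n, d = private
    return pow(digest_int(data, n), d, n)


def verify(data, signature, public):
    """Undo the signature with the public key and compare to a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest_int(data, n)


def issue_certificate(subject, subject_public, ca_private):
    """A certificate here is a subject name plus public key, signed by the CA."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"subject": subject, "public": subject_public, "sig": sign(body, ca_private)}


def verify_signed_message(message, signature, cert, ca_public):
    """Accept the sender's key only if the CA vouches for it, then check the message."""
    body = f"{cert['subject']}|{cert['public'][0]}|{cert['public'][1]}".encode()
    return verify(body, cert["sig"], ca_public) and verify(message, signature, cert["public"])


# Constructed keys from small Mersenne primes: far too small for real use.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**107 - 1)
SHOP_PUB, SHOP_PRIV = make_keypair(2**89 - 1, 2**61 - 1)
EVE_PUB, EVE_PRIV = make_keypair(2**61 - 1, 2**31 - 1)  # impostor's own key

ORDER = b"order #1001: total 42.00"  # constructed message
SHOP_CERT = issue_certificate("shop.example", SHOP_PUB, CA_PRIV)
# A certificate claiming the shop's name but signed with the impostor's key, not the CA's.
FAKE_CERT = issue_certificate("shop.example", EVE_PUB, EVE_PRIV)
```

A signature alone only proves possession of some private key; `verify_signed_message` rejects `FAKE_CERT` because the CA never signed the binding between the name and that key.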

