Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Digital Singatures question
September 14, 2005, 10:55 pm
rate this thread
reading really does't fill in the gaps with cryptography. I have read
articles on the web and other chapters from different books.
Can someone please explain Digital signatures to me? I understand that
they are used to validate who a person is. I don't understand how they
are created and what key is used to encrpyt them, etc.. Really couldn't
find to much more info on them.
Also is there a difference between a cipher and a hash? Is ciphertext
the same thing as a message digest? When you do use a cipher or hash
does the other side needs to know what algorithm you used? Is this sent
with the message??
Can someone please help clear up these topics or quide me towards some
reading material that will.
- Anne & Lynn Wheeler
September 15, 2005, 1:40 am
Re: Digital Singatures question
nist has secure hash standard .... basically computes a short-hand
representation of a document.
and the digital signature standard
the basic technology is asymmetric (key) cryptography; what one key
(of a key-pair) encodes, the other key (of the key-pair) decodes
(differentiates from symmetric key cryptography where the same key is
used for both encryption and decryption.
a business process is defined called public key; where one key is
designated as "public" and freely distributed and the other key is
designated as "private" and kept confidential and never divulated.
there is a business process called digital signature. somebody
computes the hash of a message/document and encodes the hash with
their private key to create a digital signature ... and then transmits
the message/document along with its digital signature.
the recipient recomputes the hash of the document, decodes the digital
signature with the appropriate public key and compares the two
hashes. if the two hashes are the same, then the recipient can
1) the document hasn't been modified since the digital signature
2) "something you have" authentication ... aka that the originator
has access to and use of the corresponding private key.
from 3-factor authentication model
* something you have
* something you know
* something you are
given that the key designated "private" is appropriately guarded, kept
confidential and never divulated ... then a digital signature
validated with the corresponding "public" key would only have
originating from the designated "private" key owner.
to further increase the integrity of digital signature operations,
hardware tokens can be used, where a public/private key pair is
generated inside the token, the public key is exported, and the
private key is never revealted. the hardware token is required to
perform digital signature operations (further strengthening the
integrity of the "something you have" authentication operation).
a straight-forward deployment is to take something like RADIUS ...
which is used by the majority of the world-wide ISPs for dial-up
customer authentication ... typically using password ... and
replace the registration of a shared-secret password
with a public key. Then instead of using password authentication,
where the client transmits the passowrd ... the client instead
computes a digital signature (using a defined message and the
corresponding private key). The server then validates the digital
signature with the registered public key (for "something you have"
authentication, in place of the password, shared-secret, "something
you know" authentication).
there was a business process created called PKI involving
certification authorities and digital certificates to address the
first time communication between strangers for the offline email
environment of the 80s (somewhat analogous to the "letters of credit"
from the sailing ship days). THe scenario involves somebody dialing up
their local (electronic) post office, exchanging email, and hanging
up. They then may be faced with handling first-time email from a
straonger ... having no local information about the person originating
the email and/or having any online access to authoritative source for
obtaining information about the originator.
A more detailed description of that scenario
http://www.garlic.com/~lynn/2005p.html#32 PKI Certificate question
Anne & Lynn Wheeler | http://www.garlic.com/~lynn /
Re: Digital Singatures question
Perhaps, Bruce Scheier's "Applied Cryptography" will be a good starting
point, though it's not very up to date any more, but offers an excellent
introduction to the topic, easy to read and easy to understand.
Also http://en.wikipedia.org/wiki/Cryptography is a good starting point.
A digital signature is a way to use asymmetric ciphers to virtually "sign"
data by having an hash over the data, which was encrypted with the private
key of someone, and can be checked then with the public key.
A cipher function is bijective, that means, you can revert it if you have
the right key, while a hash is not - quite the contrary, it has to be as
hard as possible to revert it ;-)
No. Ciphertext is, what you get out of your plaintext after you applied a
A message digest is some kind of checksum you can calculate using a
cryptographic hash function.
Please read the introductory links first, I gave you.
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
- » REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema
- — Previous thread in » General Computer Security