In an increasingly digital world, the need for secure and trustworthy communication, transactions, and document management is paramount. A digital signature is an asymmetric cryptosystem in which a sender uses a secret signing key (the private key) to calculate a value for a digital message (i.e., any data). This value allows anyone to check the indisputable authorship and integrity of the message using the public verification key (the public key). In order to be able to assign a signature created with a signature key to a person, the associated verification key must be unambiguously assigned to that person. Digital signatures serve as a cornerstone of modern cybersecurity, enabling individuals and organizations to authenticate the integrity and origin of electronic documents and messages.
Digital signatures can be used to create secure electronic signatures. However, the terms digital signature and electronic signature are not the same in content: first, electronic signatures (at least basic and advanced) do not necessarily have to be based on digital signatures; secondly, digital signature is a mathematical or technical term, while electronic signature is a legal term.
The Concept of Digital Signatures
Similar to handwritten signatures on paper documents, digital signatures provide a way for individuals or entities to sign electronic files, ensuring that the contents have not been altered or tampered with since the signature was applied.
---
The signature is calculated from the data to be signed and the private signature key by means of a unique calculation rule. Different pieces of data must almost certainly result in a different signature, and the signature must yield a different value for each key. In deterministic digital signature methods, the digital signature is uniquely defined by the message and the key, while in probabilistic digital signature methods, random values are included in the signature calculation, so that the digital signature for a message and a key can take on many different values.
In a digital signature, the private key is usually applied not directly to the message, but to its hash value, which is calculated from the message using a hash function (such as SHA-1). To prevent attacks, this hash function must be collision-resistant, i.e., it must be virtually impossible to find two different messages whose hash value is identical.
If the public key has been assigned to a person by means of a digital certificate, the identity of the signature creator can be determined or verified via the public directory of the Certification Service Provider (ZDA) due to the fact that there is only one private key corresponding to the public key. The entirety of the technical infrastructure with which the certificates and information on their validity are generated and made publicly available is referred to as PKI (public key infrastructure).
A common misconception is that signing is encryption with the private key of an asymmetric encryption method. This assumption stems from the fact that this is indeed the case with a naïve and insecure variant of RSA, namely “Textbook RSA”. However, this is never the case with secure variants of RSA (e.g., RSA-FDH, RSA-PSS, RSA-OAEP), despite certain similarities in details. In other encryption and signature methods, there are usually at most very superficial similarities.
Usually digital signatures uses two types of system – PGP and certificate based system.
How Digital Signatures Work
To create a digital signature, the signer first generates a hash value of the document using a secure hash function. This hash value serves as a unique representation of the document’s contents. The signer then encrypts the hash value using their private key and generates the digital signature. The digital signature, along with the original document, can be transmitted electronically to the recipient.
Upon receiving the digitally signed document, the recipient uses the signer’s public key to decrypt the digital signature, revealing the original hash value. The recipient independently calculates the hash value of the received document using the same hash function used by the signer. If the calculated hash value matches the decrypted hash value from the digital signature, the recipient can verify that the document has not been altered since it was signed and that the signature is authentic.
Importance of Digital Signatures
Digital signatures ensure the integrity of electronic documents by providing a means to detect any unauthorized modifications or tampering. It authenticates the identity of the signer, allowing recipients to verify the origin and authenticity of the signed document.
Digital signatures provide non-repudiation, meaning that signers cannot deny having signed a document once the signature has been applied and verified. In many jurisdictions, digital signatures carry legal validity and are recognized as legally binding signatures for electronic transactions and contracts.
Example of Generating a Digital Signature From the Command Line
Generating a digital signature from the command line typically involves using cryptographic tools or libraries that support digital signature generation and verification. One common tool for this purpose is OpenSSL, which is widely available on Unix-like operating systems and also available for Windows. Below are the general steps to generate a digital signature using OpenSSL on the command line:
Before you can generate a digital signature, you need a key pair consisting of a private key for signing and a public key for verification. You can generate a key pair using OpenSSL with the following commands:
1 2 3 4 5 | # Generate a private key openssl genpkey -algorithm RSA -out private.pem # Extract the public key from the private key openssl rsa -pubout -in private.pem -out public.pem |
This will create two files: private.pem containing the private key and public.pem containing the corresponding public key.
Next, create a message that you want to sign. This could be any text file or binary data that you want to authenticate. For example, we have created a message.txt file:
1 2 3 4 5 | # create a text file touch message.txt # write or paste something nano message.txt |
Use the private key to sign the message and generate the digital signature:
1 | openssl dgst -sha256 -sign private.pem -out signature.bin message.txt |
Replace private.pem with the path to your private key file, signature.bin with the name of the output file for the signature, and message.txt with the path to your message file.
To verify the signature using the public key, use the following command:
1 | openssl dgst -sha256 -verify public.pem -signature signature.bin message.txt |
Replace public.pem with the path to your public key file, signature.bin with the name of the signature file, and message.txt with the path to your message file. If the signature is valid, OpenSSL will output Verified OK.
Note: In real life, ensure keeping your private key secure and do not share it with anyone. The public key can be shared freely for signature verification.
There are other cryptographic tools and libraries available that offer similar functionality.
