The digital signature can be compared to a traditional signature, and it is used in a similar way. When we want to verify that a message or a document has been sent by a certain entity, a digital signature can be used to provide that. It ensures that:
- Integrity: a message or document has been altered since it was sent
- Authenticity: the entity that has provided the message or document is indeed who they claim to be
- Non-repudiation: the entity that has signed the message can not deny the fact that they did so
Although a digital signature can be achieved by using symmetric cryptography, it is mostly based on asymmetric cryptography, which is known as public-key cryptography.
Before doing anything, we need to generate a key-pair. The signer will generate this key-pair and will keep the private key secret without sharing it with anyone else and will share the public key with the verifier.
Signing the document
When the signer wants to send a document to the verifier, it needs to generate a hash (using a chosen algorithm) from the message that they intend to send, which will be encrypted using the private key. The digital signature will consist of the document, the encrypted hash, the corresponding public key and the hash algorithm. The reason for encrypting the hash and not the document itself is because the resulting hash is much shorter than the entire message, which will save time and resources.
Verifying the document
In order to verify the authenticity of the document, the receiver needs to generate the hash of the message using the same algorithm, decrypt the resulting hash using the public key and compare this hash with the one that was included in the digital signature. If they match, then the digital signature was verified and we are sure that only the owner of the private key would be able to send this document.
Implementation example using Java
For this simple example we will use standard java security functionality, but for real case scenarios it is recommended to use a library that implements a greater range of functionalities and better implemented algorithms, Bouncy Castle for example.
- First of all we need to generate the keypair.
public static KeyPair generateKeyPair() throws Exception {
SecureRandom secureRandom = new SecureRandom();
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA);
keyPairGenerator.initialize(2048, secureRandom);
return keyPairGenerator.generateKeyPair();
}
It uses a secureRandom class and a RSA algorithm to generate a public and private key.
- Then we can use the private key to sign an input and create the digital certificate.
public static byte[] createDigitalSignature(byte[] document, PrivateKey privateKey) throws Exception {
Signature signature = Signature.getInstance(“SHA256withRSA”);
signature.initSign(privateKey);
signature.update(document);
return signature.sign();
}
- In the end we can use the public key that was provided to check if the document is indeed sent by the entity we expect.
public static boolean verify(byte[] document, byte[] signatureToVerify, PublicKey key) throws Exception {
Signature signature = Signature.getInstance(“SHA256withRSA”);
signature.initVerify(key);
signature.update(document);
return signature.verify(signatureToVerify);
}
The use of digital certificate to sign documents
The digital certificate is issued by Certificate Authority (CA) to verify the identity of the certificate holder. It contains the public key used for the digital signature and guarantees the identity associated with the key. Specifically it means that in the process of digital signature, when someone provides a public key in order to verify if the document was signed by the original entity, it will also certify that the public key belongs to the specific organisation. The CA acts as the guarantee.
We can think of the digital signature as being used as a method of safely sending data as it is encrypted and it can not be altered, while the digital certificate is a way of verifying and confirming the identity of the entity that sent the data.
