What is digital signature?
A digital signature is a cryptographic mechanism that performs a similar function to a written signature. It is used to verify the origin and contents of message. Digital signatures are used for sender’s authentication. In addition, a digital signature enables the computer to notarize the message, ensuring the recipient that the message has not been forged. Digital signatures are implemented using public key encryption. The digital signature is an encrypted digest of the file (message, document, driver, program) being signed. And a digital signature is impossible to forge. Instead, the digital signature comes from a digest of the text encrypted and sent with the text message. The recipient decrypts the signature and retrieves the digest from the received text. A match authenticates the message. Digital signatures are required for open system and higher security levels. An electronic signature that authenticates the identity of the sender ensures the original content of the message is unchanged, is easily transportable, cannot be easily repudiated, cannot be imitated, and can be automatically time-stamped. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data signatures. An electronic signature is a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature. They are the electronic equivalent to handwritten signatures on paper and may be based on biometric identification methods or facial and voice recognition. A simple combination of a user ID and password also is sufficient. Within a company, the user ID must be unique to a specific person. A digital signature ,not to be confused with a digital certificate, is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.
Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. In some countries, including the United States, India, and members of the European Union, electronic signatures have legal significance. However, laws concerning electronic signatures do not always make clear whether they are digital cryptographic signatures in the sense used here, leaving the legal definition, and so their importance, somewhat confused.
Digital signatures employ a type of asymmetric cryptography. For messages sent through a no secure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digitally signed messages may be anything represent able as a bit string: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol.
According to Section 2 (1) of Information and Communication Technology Act, 2006 “digital signature” means data in an electronic form, which ─
(a) is related with any other electronic data directly or logically; and
(b) is able to satisfy the following conditions for validating the digital signature ─
(i) affixing with the signatory uniquely;
(ii) capable to identify the signatory;
(iii) created in safe manner or using a means under the sole control of the signatory; and
(iv) related with the attached data in such a manner that is capable to identify any alteration made in the data thereafter.The ICT Act allows a person to satisfy a legal requirement for a manual signature by using an electronic communication that contains a method that identifies the person and indicates their approval of the information communicated. The legislation provides flexibility for people and business to determine the signature technology that is appropriate to their particular needs. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be.
How digital signature works
In the first step of the process, a hash-value of the message (often called the message digest) is calculated by applying some cryptographic hashing algorithm (for example, MD2, MD4, MD5, SHA1, or other). The calculated hash-value of a message is a sequence of bits, usually with a fixed length, extracted in some manner from the message.
All reliable algorithms for message digest calculation apply such mathematical transformations that when just a single bit from the input message is changed, a completely different digest is obtained. Due to this behavior, these algorithms are very steady in crypt analytical attacks; in other words, it is almost impossible, from a given hash-value of a given message, to find the message itself. This impossibility for retrieval of the input message is pretty logical if we take into account that a hash-value of a message could have a hundred times smaller size than the input message. Actually, the computing resources needed to find a message by its digest are so huge that, practically, it is unfeasible to do it.
In the second step of digitally signing a message, the information obtained in the first step hash-value of the message (the message digest) is encrypted with the private key of the person who signs the message and thus an encrypted hash-value, also called digital signature, is obtained. For this purpose, some mathematical cryptographic encrypting algorithm for calculating digital signatures from given message digest is used. The most often used algorithms are RSA (based on the number theory), DSA (based on the theory of the discrete logarithms), and ECDSA (based on the elliptic curves theory). Often, the obtained digital signature is attached to the message in a special format to be verified later if it is necessary.
After verifying digital signature, the digital signature technology allows the recipient of given signed message to verify its real origin and its integrity. The process of digital signature verification is purposed to ascertain if a given message has been signed by the private key that corresponds to a given public key. The digital signature verification cannot ascertain whether the given message has been signed by a given person. If we need to check whether some person has signed a given message, we need to obtain his real public key in some manner. This is possible either by getting the public key in a secure way (for example, on a floppy disk or CD) or with the help of the Public Key Infrastructure by means of a digital certificate. Without having a secure way to obtain the real public key of given person, we don’t have a possibility to check whether the given message is really signed by this person.A digital signature works by creating a message digest which ranges from between a 128-bit and a 256-bit number which is generated by running the entire message through a hash algorithm. This generated number is then encrypted with the senders private key and added to the end of the message.
When the recipient receives the message they run the message through the same hash algorithm and generate the message digest number. They then decrypt the signature using the sender’s public key and providing the two numbers match they know the message is from who it says it’s from AND that is has not been modified.Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Authentication is the process of verifying that information is coming from a trusted source. These two processes work hand in hand for digital signatures. According to section 5 of the ICT Act, 2006 there are following methods authentication of electronic records by digital signature ─
(i) any subscriber may authenticate an electronic record by affixing his
digital signature.
(ii) the authentication of electronic record shall be effected by the use of technology neutral system or standard authentic signature generating machine or strategy.
Functions of digital signature
A digital signature scheme typically consists of three algorithms:
(i) A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
(ii) A signing algorithm that, given a message and a private key, produces a signature.
(iii) A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message’s claim to authenticity.
Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key. Below are some common functions of digital signature:
Authentication
Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank’s branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.
Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after signature will invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions (see collision resistance).
Non-repudiation
Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature.
Secure digital signature
According to section 17 of the ICT Act, 2006, if, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was ─
(a) unique to the person affixing it;
(b) capable of identifying the person affixing it; and
(c) created in manner or using a means under the sole control of the person affixing; then such digital signature shall be deemed to be a secure digital signature as per sub-section
(2) Despite the fact of sub-section (1), the digital signature would be invalidated if the electronic record was altered relating to this very digital signature.Use of electronic records and electronic signatures in Government and its agencies
According to section 8 of the ICT Act, 2006
Where any law provides for ─
(a) the filing of any form, application or any other document with any office, authority,
body or agency owned or controlled by the appropriate Government in a particular
manner;
(b) the issue or grant of any licence, permit, sanction, approval or order by whatever name called in a particular manner;
(c) the receipt or payment of money in a particular manner;
then, notwithstanding anything contained in such law, filing, issue, grant of the document and
receipt and payment of money, as the case may be, is effected by means of prescribed electronic form.
(2) The manner and format in which such electronic records shall be filed, created or issued
and the manner or methods of payment of any fee or charges for creation and filing shall be fixed by the rules for fulfilling the purposes of this section.
Digital signature, encryption & decryption
Encryption is a means of encoding information and communications to make them secure, so that they cannot be decoded and read or decrypted without a special key. Encryption can be used for a number of different purposes to help secure the data held on, or transmitted by, a computer system:
(i) Messages being sent over the Internet can be encrypted to prevent anyone other than their intended user reading them;
(ii) Messages can be routinely ‘signed’, using a digital signature based around encryption; so that it can be proven that the source of the message is authentic;
(iii) Information on a computer disk can be encrypted to prevent others having access to it, for example if the computer or disk is stolen, without the private key; and
Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).
Encryption has long been used by militaries and governments to facilitate secret communication. Encryption is now commonly used in protecting information within many kinds of civilian systems. For example, the Computer Security Institute reported that in 2007, 71% of companies surveyed utilized encryption for some of their data in transit, and 53% utilized encryption for some of their data in storage.[1] Encryption can be used to protect data “at rest”, such as files on computers and storage devices (e.g. USB flash drives). In recent years there have been numerous reports of confidential data such as customers’ personal records being exposed through loss or theft of laptops or backup drives. Encrypting such files at rest helps protect them should physical security measures fail. Digital rights management systems which prevent unauthorized use or reproduction of copyrighted material and protect software against reverse engineering (see also copy protection) are another somewhat different example of using encryption on data at rest.
Encryption is also used to protect data in transit, for example data being transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. There have been numerous reports of data in transit being intercepted in recent years. Encrypting data in transit also helps to secure it as it is often difficult to physically secure all access to networks.
Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication codes (MAC) or a digital signature. Standards and cryptographic software and hardware to perform encryption are widely available, but successfully using encryption to ensure security may be a challenging problem. A single slip-up in system design or execution can allow successful attacks. Sometimes an adversary can obtain unencrypted information without directly undoing the encryption.
Encryption is the manipulation of data, based on a password (also known as a key), for security purposes. Once your data has been encrypted, a person cannot make sense of your data without knowing the password (or figuring it out). For example, if we take HAL and add 1 to each of the letters, we get IBM. In this case, the password is simply “1”. If we use “123456” as our password, then we add 1 to the first letter, 2 to the second, …, 6 to the sixth, then we start over at 1 and add 1 to the seventh letter. Now our encrypted data is, “ICN”. To decrypt, the password “123456” is “subtracted” from our data.
Sophisticated software can make intelligent guesses of the password to decrypt data. One easy way is with a database of common passwords. A more difficult way is by analyzing the encrypted data. If you know the decrypted data starts with 20 spaces, and then you subtract 20 spaces from the data, you will get “12345612345612345612” if the password was “123456”. A longer password makes it more difficult to decrypt the data without knowing the password.
Another way security could be breached is if someone were to tap into a transmission. The Internet is a worldwide network of computers. If you were to send unencrypted data across the Internet, someone may be able to view the data if they operate a part of the Internet your data must pass through. This is why you should not send credit card information over the Internet unless you use “Secure mode”. Each web browser has its own way of letting you know that it is in secure mode. Check the help system of your web browser for more information.
With an understanding of how documents can be encrypted, we can look at how to “sign” a document using a digital signature. This is very different than a scanned signature that merely attaches an image of any written signature to a document or email. An encrypted document does three things.
1. It guarantees that the document was actually sent by the sender.
2. It guarantees that the document wasn’t modified in route.
3. It guarantees that no one else can read the document.
For a lot of communication, item three isn’t necessary or even desired. For example, if I want to send a message out to 25 people, chances are pretty high that it isn’t extremely confidential. In fact, sending a separate message to each person encrypted with their public key might be quite a burden. However, I still may want each recipient to be guaranteed that the document came from me and that it wasn’t modified in transit–we want to put a digital signature on it that says guarantees who sent it and that it wasn’t modified.
Outside of signed email, I may want to post a message on a website that can be read by the world where anyone can check to make sure that the message hasn’t been changed from when I wrote it and confirm that it was truly written by me. A slightly different example of this is when a company posts a piece of software or a patch for existing software. The people who will download it want some way to know that they are getting a legitimate file and not a virus that was posted by hackers to trick people.
This is where signing a document (or file) comes into play. Signing a document (applying your digital signature to it) guarantees the first two items on the list, but does it in a way that allows anyone to read it. People can verify your digital signature without getting a digital ID or digital certificate for themselves.
Discussion about this post