This post is from my series of short essays on cybersecurity.

In the last post – Message Authentication Code (MAC) – Assurance against message tampering, I discussed how adding a Message Authentication Code (MAC) addresses the message integrity and provides a guarantee to both parties that the message is not tampered since its formation.  That post mentioned that MAC codes provide no protection against repudiation and both sender and receiver should build trust in advance, because the same key is required for encrypting and decrypting the message. To address non-repudiation we need a mechanism where an authorized person can perform action and everyone else should only have the ability to verify it. That is exactly the role of digital signature in the digital world. Digital signature addresses both authenticity and non-repudiation. Receiver of the message can verify who the sender is and confirm that the message is not tampered. The sender can’t deny that he/she authorized the message. Digital signature provides a level of authentication similar to MAC, but uses the magic of public-key encryption. Public key encryption, also known as asymmetric key cryptography introduced in 1976, since then it became the heart of a number of message exchange and authentication protocols. Several new algorithms were introduced over the period, but the overall principle remains the same – a corresponding pair of keys is generated, knowing one key will not allow the owner to find or guess the corresponding key of the pair, a message encrypted from the one key of the pair can only be decrypted by its corresponding key. I am leaving the discussion of mathematical magic of asymmetric key cryptography for another future post. Here we will discuss how public key cryptography is beautifully used in digital signature.

Idea is simple: the message sender owns a pair of public-private keys, the public key is made available to anyone who needs to verify the signature, but the private key is the secret only known to the sender. The sender generates the signature using the private key, anyone who has the public key can verify the signature. Digital signature is simply a large integer value, typically a string of 2048. Signature itself has no meaning, it is only meaningful with the attached message. In its simplest form, you can think of the signature as a MAC code encrypted with the sender’s private key. Anyone who has a corresponding public key can decrypt the signature and extract the MAC code, evaluate MAC code locally from message content and match with the one that is decrypted from the signature. Decryption of signature using corresponding public key guarantees that only the owner of the private key has generated the signature, local MAC code matching with the one decrypted from signature guarantees that message is not tampered after signature is generated. Following diagram from “Digital Signature Standard (DSS) – FIPS PUB 186-4” illustrate the signature generation and verification process.

There are several algorithms developed for digital signature, Three techniques DSA, ECDSA and RSA.are defined by NIST in FIPS 186-4, Digital Signature Standard (DSS) that was published in 2013. In a future post I will discuss how hard mathematical problems – integer factorization, discrete logarithms, or elliptic curves – are exploited for asymmetric key cryptography. 

Please also note that the authenticity of the signature depends on the authenticity of the public key that is used to verify the signature and secrecy of the private key. If any one of them – the authenticity of the public key or secrecy of the private key is compromised, the digital signature will become meaningless. Guaranteeing authenticity using public key infrastructure and maintaining the secrecy of private keys at source are two interesting problems, each of them requiring a separate post. 

Everyone must have experienced the digital signature in action when they downloaded a software update on their mobile devices, the device validates that the downloaded patch is authentic by validating that it comes with the signature from the original vendor. Digital signature is not only the foundation of several authentication protocols on internet protocols, but now also accepted as legal authorization proof in most of the world. That means an electronic contract that is digitally signed has the same legal binding as in the traditional analog world. International acceptance of digital signatures has also gained momentum in recent years. Think how many documents you digitally signed in the last 5 years, you can find them ranging from property agreements, job acceptance letters, service agreements etc.