Why do we trust so much the communication in internet when we use HTTPS? Why are we so confident when we go to our banks's web site and see the green lock icon in the url bar of our browser indicating https? Normally the answer is - because HTTPS uses a certificate or because it has a digital signature... but what does that mean? How secure is that?
What is a Digital Signature?
A digital signature is an electronic, encrypted, stamp of authentication on digital information such as email messages, certificates or electronic documents. A signature confirms that the information has been originated from the signer and has not been altered. In other words, it provides authenticity and integrity. Let's break down all of this:
In general a digital signature is the hash of something encrypted with the private key of the signer. The signature is generated for a given data input. This data input can be a file, a document, a video... and also a certificate. The signature is always sent with the original content of the file it is signing.
So, when we log in to the web site of our bank or when we use a certificate for our favorite mule API to enable HTTPS this certificate contains two things:
- One, the main content of the certificate is the details of the subject/entity/sender. The domain or hostname, the validity, serial number and the public key of the subject (not the issuer).
- And two, the digital signature - For that, first we calculate the hash of the certificate's content and encrypt it with the public key of a Certificate Authority (the issuer, not the subject)
- The last part is very important: When we create a certificate we provide all the details of the cert and then, to get it signed, we send a cert signing request to a Certificate Authority. The CA will validate the content. This means the CA will verify that you are who you claim to be - for example, if you're requesting a certificate for mycompany.com, the CA will verify you're the owner of that domain (among other things). If the verification is successful, the CA will sign the certificate, that is, will get the hash and then will use the private key of CA to encrypt it. The result is the digital signature that will be sent back to us so that we can add the signature to our certificate, as a prood of our identity and also with a hash that allows users verify that the content of the certificate is exactly the content that the CA has verified.
How can a receiver verify a Digital Signature?
Let's see in detail how a receiver can verify authenticity and integrity. Here are the steps, in a communication between sender and receiver exchanging a document, with a digital signature.
- The sender wants to send a certificate signed by a CA
- As we've just explained, the certificate will contain the details of the certificate and the digital signature.
- Certificate and digital signature are sent to the receiver.
- On the other side, once received the certificate, the receiver first decrypts the signature and gets the hash. For this it uses the public key. The public key is, at it states, public - meaning that the receiver knows the Certification Authority and has already the public key of that CA. With that, the receiver will get a hash.
- Next, the receiver calculates the hash of the certificate (the content, without the digital signature) separately using the same hashing algorithm. How does the receiver know the hashing algorithm? It’s in plain text in the certififcate details.
- Then the receiver compares the two hashes. The one created hashing the content and the one decrypted coming from the sender. This process is called signature verification.
- If both hashes match then the signature is correct. If not the certificate and the communication will be rejected.
What does a Digital Signature provide in terms of security?
So, following our example with a certificate, at this point, three things have been verified:
- Authenticity - The digital signature's content can only be provided from the CA. Only the public key of the CA can decrypt that digital signature. And the content proves you're who you claim to be in the certificate details.
- Integrity - Comparing the two hashes we provide a mechanism to guarantee the content of the certificate has not been tampered.
- In addition, digital signatures also provide what we call Non- repudiation. Non-repudiation means the signer cannot deny the signing of the document after the signature is created
One last thing: Digital signatures alone cannot identify the sender, the entity that created the signature. That must be done in combination with a digital certificate. It’s the digital certificate what binds an identity with a pair of public/private keys