  Digital Signatures

Unlike paper documents, digital documents - such as Word documents and e-mail messages - have little to vouch for their authenticity and integrity. For example, e-mails do not have the identifying components that are found in a letter, such as letterhead, address of the recipient, date and traditional hand-written signature. It is also easy to forge message headers so that they appear to come from someone else. In this environment there are circumstances when it is important for the recipient to be confident that the message has come from the person who seems to have sent it, and also that it has not been altered in transit. With the growing use of attachments to distribute information, it has become more important to be able to identify the sender of an e-mail message. The risk of viruses from attachments means that people will only want to open attachments from a trusted source.

The traditional concept of a signature is of any mark made with the intention of authenticating the marked document, and a digital signature is designed to serve the same purposes as a traditional hand-written signature. Digital signatures are produced from a combination of something unique to the person signing (a person’s Private Key) and something unique to the document being signed (a digital digest of its contents). Each signature is therefore unique to the document to which it relates. Traditional hand-written signatures are impossible to steal but easy to forge. Unlike traditional signatures, digital signatures are nearly impossible to forge, but the keys used in signing may, if not properly looked after, be stolen or misused.

Digital signatures are created using Public Key cryptography. A user generates a pair of keys, known as the Public Key and the Private Key, using Public Key cryptography software such as PGP (Pretty Good Privacy). Private Keys are used in signing and are held securely by individuals so that no one else can use them on their behalf. Public Keys are used for checking the signature and must therefore be made freely available to anyone who might wish to verify the signature. Whilst the Public and Private Keys are related, it is impossible to generate the Private Key (to which only the signatory has access) from the corresponding Public Key (to which everyone else has access).

The Private Key is used to sign an electronic document. The signatory puts the document through a special function (the software does this automatically) which produces a unique summary of it, called a message digest. This digest is then encrypted with the Private Key to produce the digital signature. The original document and signature are sent to the recipient, who uses the sender’s Public Key to verify the signature. Any alteration to the file, however small, will result in a different digest, which will result in the signature not verifying, and of course if the Private and Public Keys do not match, the signature will not verify either.
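The sign-and-verify flow described above, as an added example that is not part of the original page: a SHA-256 digest is transformed with the Private Key and checked with the Public Key, using only Python's standard library. The key pairs are constructed from publicly known Mersenne primes and no padding is applied, so this is for illustration only; real signing software uses secret random primes and a padded signature scheme.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Return (public_key, private_key) built from two primes (demo only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E mod phi(n)
    return (n, E), (n, d)

def digest(document: bytes) -> int:
    """Message digest of the document, as an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> int:
    """Transform the digest with the Private Key to produce the signature."""
    n, d = private_key
    return pow(digest(document), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Recover the signed digest with the Public Key and compare it with a
    digest recomputed from the document that was actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest(document)

# Constructed key pairs: these primes are public knowledge, so the keys
# offer no security. They only keep the example short and repeatable.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)

def demo():
    doc = b"Pay the supplier 100 pounds."       # constructed sample document
    tampered = b"Pay the supplier 900 pounds."  # one character altered
    sig = sign(doc, ALICE_PRIV)
    return {
        "genuine": verify(doc, sig, ALICE_PUB),          # signature verifies
        "altered": verify(tampered, sig, ALICE_PUB),     # digest differs
        "wrong_key": verify(doc, sig, MALLORY_PUB),      # keys do not match
        "unique_per_doc": sig != sign(tampered, ALICE_PRIV),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```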

