File: Lectures_SSD2_Yermakova / Lectures_SSD2 Yermakova.doc (added 25.02.2016)

Digital Signatures

Just as you would sign a document to indicate to the receiver of your message that the message came from you, you can attach a digital signature to an electronic document to indicate that the message did indeed originate from you. A digital signature must be both unique to the sender and unique to the particular message so that it can be verified but not reused. For instance, if you were to send an email request to have your friend deposit $2000 to your account, you may attach a digital signature to your email request so that your friend can trust that the request did come from you and that the account information included in the email has not been altered.

To generate a digital signature unique to the message and to the sender, the signature is derived from a "hash code" of the plaintext message. A hash code is a numerical value computed from the plaintext in such a way that any change to the plaintext, even to just one character, will cause the hash code to change as well. For instance, say Bob is sending Alice a message and he is including his digital signature. To generate a digital signature, Bob would first generate a hash code of the message, and then encrypt the hash code using his private key to create a signature that is both unique to him and unique to that particular message. When Alice receives the message, she can use Bob's public key to decrypt the digital signature and see the hash of the message. She can then compute the hash of the message herself. If the two hash codes are the same, the message has not been altered. Otherwise, either the message was altered during transmission, or it was not really signed by Bob. Two popular hash code algorithms in use today are MD5 and SHA-1.

Let us now delve into how digital signatures work using public key encryption. Recall the discussion on public key encryption from 6.2.1 Encryption. To encrypt a message, the sender uses the receiver's public key. To decrypt the message, the receiver uses the receiver's private key. To generate a digital signature, the roles of the public and private keys are reversed. The sender uses the sender's private key to encrypt the hash of the message to indicate that the message did originate from the sender, and the receiver decrypts that data with the sender's public key. The message is genuine because only the sender has the private key needed to encrypt the data. The process for generating and verifying a digital signature is illustrated in the diagram below:

Figure 3 Using public key encryption to generate and verify digital signatures

The steps described in the diagram are as follows:

Sender:

1. Transform the entire message using a hashing algorithm to generate a hash of the message.

2. Generate the digital signature by encrypting the message hash using the sender's private key.

Receiver:

1. Transform the entire message using a hashing algorithm to generate a hash of the message.

2. Decrypt the digital signature using the sender's public key.

3. Compare the message hash computed in step 1 with the decrypted digital signature, which should be the same as the sender's message hash. If these two hashes are the same, then the receiver can trust that the message was sent from the sender and that the message was not altered during transmission. Otherwise, the message may have been altered.
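The sender and receiver steps above, as an added example that is not part of the original lecture: it uses textbook RSA (no padding) with a constructed toy key built from two known Mersenne primes, so it illustrates the flow only and is not a usable key or scheme. It hashes with SHA-256 rather than MD5 or SHA-1, because practical collision attacks exist against both; the function names and sample messages are assumptions made for the illustration.

```python
import hashlib

# Constructed toy key: two publicly known Mersenne primes. Real keys use
# random secret primes and a padded scheme (e.g. RSA-PSS) from a vetted library.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (sender only)


def message_hash(message: bytes) -> int:
    """Step 1 for both parties: hash the entire message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Sender step 2: 'encrypt' the hash with the private key (D, N)."""
    return pow(message_hash(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver steps 2-3: 'decrypt' the signature with the public key
    (E, N) and compare it with a freshly computed hash of the message."""
    return pow(signature, E, N) == message_hash(message)


# Constructed sample messages.
ORIGINAL = b"Please deposit $2000 to account 12345."
TAMPERED = b"Please deposit $9000 to account 12345."
OTHER = b"Please deposit $2000 to account 99999."

if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print("genuine message verifies: ", verify(ORIGINAL, sig))
    print("altered message verifies: ", verify(TAMPERED, sig))
    print("signature reused elsewhere:", verify(OTHER, sig))
```

The second and third checks fail because the signature is bound to the hash of one specific message, which is what makes it verifiable but not reusable.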

Digital signatures can be generated using PGP's digital signature feature. Some email clients also enable digital signature attachments to messages.

Keep in mind that attaching a digital signature verifies that the sender of the message is genuine and the message has not been tampered with. However, if the message you are sending is sensitive, you should also encrypt the entire message (along with your digital signature) with the receiver's public key. To read your message, the receiver would first decrypt the entire message along with the digital signature using the receiver's private key, and then use your public key to decrypt the digital signature. If the decrypted signature is the same as the hash code of the message, then the receiver can be sure that the message did come from you.