Creating Digital Signatures

To properly understand this article, one needs to understand the different types of digital signatures. The first type of digital signature, also called an electronic signature, is what one may use to sign an online contract; it’s simply a signature signed by typing it out, writing it with a touchscreen, or uploading a photo to the contract. A common company that facilitates this is Docusign. This is one type of digital signature; the other is the focus of this article. This is called a cryptographic digital signature and is a method of proving the identity of the sender of a message as well as proving that a message hasn’t been altered in transition from the sender to the receiver. A digital signature, in this sense, is a combination of hash and public-key encryption that can be used to prove identity and the integrity of the message. Source @ securitymadesimple.org

For those familiar with cybersecurity, the image above should be familiar. This is known as the CIA triad, representing the three core cybersecurity principles. A cryptographic digital signature is related to the principle of integrity, which is all about ensuring that data is accurate and consistent over its lifespan. In this context, the focus is on making sure a message isn’t altered in transit from the sender to the receiver.

Another important aspect of a digital signature is non-repudiation, which means making sure that no one can perform an action and then deny that they did that. This is important from the investigative side of cybersecurity/cybercrime because one needs to track every potential malicious action back to an individual. If people can perform actions and later deny them because there is no proof of who did what within the company, the investigative process will be even more difficult. Keep these concepts in mind as we talk about what a cryptographic digital signature is in the sections below.

What is a cryptographic digital signature, and how does it work?

A cryptographic digital signature is used in important electronic communications to ensure data integrity and the sender's identity. If you receive a message from someone via email, normally, there’s no way to be sure that someone didn’t intercept that message, edit it, and then forward it, making it look like it came from someone else. For example, imagine a CEO sending a message to their assistant telling them to wire money to an account as part of business operations. If someone intercepted this message, they could easily change the instructions to wire money to their account. In scenarios like this, where thousands or millions of dollars are at stake, you need a means to both ensure that the message hasn’t been changed and confirm the identity of the person who sent it. That’s why these digital signatures are important.

How does it work?

Before we get started with actually creating a digital signature, the sender must create a public and private key pair and then share their public key with the recipient. This is a prerequisite for the process.

The first step in this process is for the sender, in this case, the CEO, to create a hash of the message. A hash is simply a value that uniquely corresponds to a text message. By using a hash algorithm, one inputs a block of text into the software and gets back a unique hash for that text block. The important thing here is that every hash value is unique to the message used to create it. If even one letter of a 10,000-word block of text is changed, it will result in a completely different hash value.

Next, once the CEO has the hash value, the next step is to use public-key cryptography to encrypt the hash value with the CEO’s private key. The encrypted hash value is an actual digital signature because it will prove that the CEO and no one else created this message. The CEO then attaches the digital signature to the message and sends it to the recipient.

Once receiving the message, the recipient can take the CEO’s public key, which is freely shared with people that the CEO trusts, and decrypt the hash value. If the CEO’s public key can decrypt the hash value, we can confirm that the CEO sent this because only the CEO would have the private key, which the public key can decrypt. Then the recipient takes the hash value (just decrypted) and runs the message through the same hash algorithm that the CEO used. If the hash generated is equal to the decrypted hash, that’s confirmation that the message has not been changed. This is because a change of one letter would result in a different hash value displayed when the hashes are calculated and compared. Source @ docusign

Recap

A cryptographic digital signature uses public-key encryption combined with hashing algorithms, providing a reliable means of ensuring that a message hasn’t been edited in transit and proving who sent the message. This is essential for maintaining the cybersecurity principle of data integrity and non-repudiation. Data integrity ensures that data remains accurate and consistent across its lifespan. At the same time, non-repudiation means ensuring that, once someone performs an action, they can’t deny that they were the one to perform that same action. The process of creating a cryptographic digital signature is roughly a four-step process. It begins with the sharing of the sender’s public key. Next, a hash is created for the message by the sender and encrypted with their private key. The message is then sent along with the encrypted hash to the recipient. Last, the recipient receives the message, decrypts the hash with the sender’s public key, and compares the decrypted hash with a hash that they create themselves. If the two hashes match, the recipient can be sure that the message hasn’t been edited in transit. The fact that the public key could decrypt the hash proves that the private key owner is the one who sent the message.