Question I dont understand. signing emails....

In the question below, Im becoming lost. This is a question from the practice test on this site.

1. Digital signatures for email messages are encrypted hash values that digitally sign the email to verify the sender. What is the signing part of the process?

a. Encrypting the message digest with someones private key
b. Encrypting the message digest with someones public key
c. Hashing the message with the systems private key
d. Hashing the message with the systems public key

Answer(s): a. Encrypting the message digest with someones private key

Explanation:
The actualy 'signing' of the message means that the message digest (the hash value) was encrypted with the sender's private key.

Where Im becoming lost is this. Are we talking about PGP here where the keys are exchanged with other users or in what instance is this done. I guess im lost because i dont understand how someone has someone elses private key. Is it just the wording throwing me off. Perhaps im just having an off day

[/b]

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Non-Profit Techie

After reading the technotes again, i can see where im becoming lost. I think i would have worded it that you sign the message by using YOUR or Senders private key to Encrypt the message.

I can see though, i still have a lot of learning to do

Technotes:

Digital Signatures

In addition to keeping message contents confidential, S/MIME offers sender authenticity, non-repudiation, and message integrity by adding a digital signature to a message. When a user signs a message, a hashing algorithm (MD5 or SHA-1) is used to create a message digest. This message digest is in turn encrypted with the sender’s private key by using an asymmetric algorithm (RSA or DSA).

When the recipient receives the message, he will use the sender’s public key to decrypt the message digest value. If the recipient is able to do this, the sender proved he is who he claims to be (authenticity), and because that person should be the only one with the private key, the recipient can prove that he received a message from that person, so the sender cannot deny sending it (non-repudiation). When the recipient decrypted the message digest value (or hash value), he will run the message through the same hashing algorithm and compare the outcome with the value in the digital signature. If the message digest values match, the message has not been tampered with during transmission (integrity), hence it proves the message is the exactly the same message the sender originally sent.

There are two different types of signing, opaque, and clear signing. With clear signing, the digital signature is added to the message as a separate attachment while the message itself remains in clear text. This may be required when sending a message to an older email client. With opaque signing, the message and the digital signature are combined into a single binary file. Signing a message does not mean it is encrypted, and encrypting a message does not require a digital signature.

• When a user sends an encrypted message, the recipient’s public key is used to encrypt the message. The recipient’s private key is used to decrypt the message.
• When a user signs a message, the sender’s private key is used to encrypt the message digest. The recipient uses the sender’s public key to verify the signature.

Vask3n

Yes, I got slightly hung on that question as well. Just remember:

To sign a message,

1. Obtain a hash of the message
2. Encrypt the hash
3. Attach the encrypted hash

Let me know if I can help you further.

Webmaster

Non-Profit Techie wrote:

After reading the technotes again, i can see where im becoming lost. I think i would have worded it that you sign the message by using YOUR or Senders private key to Encrypt the message.

I can see though, i still have a lot of learning to do

Sounds to me you're doing fine. But I see how the answer could easily be interpreted differently, as in someone else's private key. Though, you're not likely to have someone else's private key, and it does in a way represent the bad wording in the actual exam somewhat. Nevertheless, when I'm going to create the PDF versions of the TechNotes, I'm also going to update all questions again and then I'll reword the answers a bit.

rbowman

I dont know about rewording some of the questions. It is a good idea to kinda screw up a question because it is a CompTIA exam after all

and this makes for a great simulation of the exam.

Non-Profit Techie

rbowman wrote:

I dont know about rewording some of the questions. It is a good idea to kinda screw up a question because it is a CompTIA exam after all and this makes for a great simulation of the exam.

lol