Digital Signatures

in Security+
Digital Signatures and Hashing:
The sender hashes a message, encrypts the hash value with his private key, and then attaches this encrypted hash value to the plain text message and sends it to the receiver.
I'm not seeing where integrity comes into play here. If the message is sent in clear text what is stopping someone from modifying it?
Bachelor of Computer Science
[Forum moderators are my friends]
Comments
Hashing doesn't provide encryption, so anyone can see the data and modify it. If the data is modified, however, the receiver will find this out when he performs his own hash of the message and realizes that his hash value does not equal that of the sender. Thus, the data has been modified and the integrity of the message is lost.
Does that sound right?
[Forum moderators are my friends]
But can you explain digital envelopes?
This was a site mentioned here on this forum that I checked out and it explains things really well.
It is the "hashing" that makes the integrity work... This is the process of PGP / SMIME digital signature (I think):
1.- user A writes message
2.- PGP compresses message text
3.- PGP calculates HASH value (aka message digest)
4.- PGP encrypts message digest with user A private key (aka digital signature).
5.- PGP attaches digital signature to original message.
6.- Mail sent!
7.- Mail received by User B
8.- digital signature is stripped from message
9.- steps 2 and 3 are performed again
10. The message digest is encrypted with user A public key
11. The original digital signature is compared with the one obtained in step 10...
12. If both are the same... the message wasn't modified.
Remember that digital signature offers: integrity, authenticity and non-repudiation...
Encryption offers: confidentiality as well as integrity.
Hope it helps!
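The hash-then-sign flow discussed in this thread, as an added Python example that is not part of any poster's message. It uses textbook (unpadded) RSA over SHA-256 with a constructed toy key, and all function names are assumptions chosen for illustration; it shows why editing the clear-text message is detected when the hash is signed, but not when a bare hash is attached.

```python
import hashlib

# Constructed toy key built from two publicly known Mersenne primes, so it
# offers no security. Real signatures use random primes and padding (e.g. PSS).
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known to sender only


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (256 bits, always below N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Sender: hash the message, then apply the private-key operation."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: apply the public-key operation to the signature to recover
    the signed hash, then compare it with a fresh hash of the message."""
    return pow(signature, E, N) == digest(message)


def bare_hash_ok(message: bytes, attached: int) -> bool:
    """Integrity check with an unsigned hash, for contrast."""
    return digest(message) == attached


def demo() -> dict:
    original = b"Pay Bob 100 dollars"   # constructed sample messages
    tampered = b"Pay Eve 900 dollars"
    sig = sign(original)
    rehash = digest(tampered)           # anyone can recompute a hash
    return {
        "signed_original": verify(original, sig),
        "tampered_old_signature": verify(tampered, sig),
        "tampered_rehash_unsigned": verify(tampered, rehash),
        "tampered_bare_hash": bare_hash_ok(tampered, rehash),
    }


if __name__ == "__main__":
    print(demo())
```

Only the last case is accepted for the modified text: a bare hash can be recomputed by whoever edits the message, while producing a value that passes `verify` requires the private exponent.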
Although PGP uses privately issued public/private keys, S/MIME makes use of PKI and uses the receiver's public key.
The reason for using a symmetric key for encrypting the actual message is to save on processing utilization. A new key is generated for each message. Since the key is much smaller than the message (typically), there's a whole lot less processing power needed to use asymmetric encryption for the key than for the whole message.
I'll have to double check though which asymmetric key PGP and S/MIME uses to encrypt the message key: sender's private, or receiver's public.
You are right... actually S/MIME and PGP are called Hybrid systems because they use, as you say, symmetric encryption for the data and public encryption for the session key (the one used to encrypt the data).
If user A sends an encrypted mail to user B, user A has to use user B's public key, so user B can decrypt it with its private key.
Cheers!