Digital Signatures

sir_creamy_

Digital Signatures and Hashing:

The sender hashes a message, encrypts the hash value with his private key, and then attaches this encrypted hash value to the plain text message and sends it to the receiver.

I'm not seeing where integrity comes into play here. If the message is sent in clear text what is stopping someone from modifying it?

sir_creamy_

Stupid question.

Hashing doesn't provide encryption so anyone can see the data and modify it. If the data is modified, however, the reciever will find this out when he performs his own hash of the message and realizes that his hash value does not equal that of the senders. Thus, the data has been modified and the integrity of the message is lost.

Does that sound right?

Non-Profit Techie

that about sums it up.

but can you explain digital envelops

Megadeth4168

http://www.youdzone.com/signature.html

This was a site mentioned here on this forum that I checked out and it explains things really well.

Danman32

Think of hashing as an encrypted checksum or even parity. The checksum or parity makes sure that the data hasn't been corrupted. We usually think of the checksum or parity to detect and perhaps even provide correction to unintentional corruption but if the checksum is protected from alteration or made secret, then it can protect data from intentional corruption as well. It's cheaper to encrypt only the checksum than the whole data stream if all you need is integrity.

agustinchernitsky

Hi All,

It is the "hashing" that makes the integrity work... This is the process of PGP / SMIME digital signature (I think):

1.- user A writes message
2.- PGP compresses message text
3.- PGP calculates HASH value (aka message digest)
4.- PGP encrypts message digest with user A private key (aka digital signature).
5.- PGP attaches digital signature to original message.
6.- Mail sent!
7.- Mail received by User B
8.- digital signature is stripped from message
9.- steps 2 and 3 are peformed again
10. The message digest is encripted with user A public key
11. The original digital signature is compared with the one obtained in step 10...
12. If both are the same... the message wasn't modificed.

Remember that digital signature offers: integrity, authenticity and non-repudiation...

Encription offers: confiedentiality as well as integrity.

Hope it helps!

Danman32

Actually PGP (and S/MIME) uses a symetric key for the encryption, then encrypts the symetric key with the private key and sends the encrypted key with the separately encrypted message.

Although PGP uses privately issued public/private keys but S/MIME makes use of PKI and uses the reciever's public key.

The reason for using a symetric key for encrypting the actual message is to save on processing utilization. A new key is generated for each message. Since the key is much smaller than the message (typically), there's a whole lot less processing power needed to use asymetric encryption for the key than for the whole message.

I'll have to double check though which asymetric key PGP and S/MIME uses to encrypt the message key: senders' private, or receiver's public.

agustinchernitsky

Hi Danman32,

You are right... actually SMIME and PGP are called Hybrid systems because they use, as you say, symmetric encription for the data and public encription for the session key (the one used to encrypt the data).

If user A send to an encrypted mail to user B, user A has to use users B public key, so user B can decrypt it with its private key.

Cheers!