tl;dr: What are digital signatures, what do they tell us, and what information do they hold? All this and more is explained in this article.
When I talk about digital signatures here, I want to be clear that I am not talking about a signature made by writing your signature with a stylus on a device. What I am talking about is a method using digital certificates from a trusted authority that has already taken the time to verify your identity via physical means.
I’ll start by explaining a couple of terms that you will need to understand before reading the rest of the article.
A hash is a mathematical algorithm to convert an arbitrary amount of data into a fixed-length identifier. This algorithm is a one-way process, so from a document you will always calculate the same hash, but from a hash you cannot calculate the document content. A hash of one document should always be different from that of another document. The longer the hash, the less risk of there being clashes.
A timestamp is a date and time, including seconds, in GeneralizedTime format, which is an ASN.1 standard. This standard specifies that the date should be formatted using the following mask: YYYYMMDDHHMMSSZ, so for example the 1st of May 2016 at 10 am precisely Greenwich Mean Time would be 20160501100000Z.
Time Stamping Authority (TSA)
A TSA is an organization that is recognized to be a trusted third party and that is charged with issuing a timestamp which can be applied to a signature.
What is a digital signature?
A digital signature is, in essence, an encrypted hash of the content of a document. The hash, being unique, is an identifier for the document in its current state. If the document changes, so too would its hash; this allows us to know that the document has remained unchanged since being signed.
So now we have established how we can determine that a document is unchanged since it was signed, but how do we know who signed the document? This is where the encryption comes in.
In a previous article I explained the concept of public key cryptography. Something I omitted to mention in that article was that data encrypted with your private key can also be decrypted with your public key.
If you ask for a certificate from a Certificate Authority, they will require physical evidence of your identity and may also record biometric information as part of the certificate. With this certificate you will be given both a private and a public key. This private key must be kept safe, as it will be your key for opening files encrypted for you and also for signing documents.
So if you encrypt the hash with your private key, this means that anyone who has your public key can decrypt the signature for verification and, as it was created by a certificate authority, it also means that they have some third party who can vouch for your identity.
In this way, once the document has been hashed and signed, we know that it hasn’t been changed since signing and we know the identity of the person who signed it. We can verify this by hashing the document ourselves and comparing this to the hash of the document we retrieve by decrypting the signature with the signer's public key.
So if I have a certificate I got from Verisign after I supplied them with all the relevant information, and with the private key of that certificate I encrypt a hash of this article and send it to you with my public key, you can then decrypt the signature to retrieve the hash of the article at the time of signing and compare that to a hash of the document you received.
This can be seen in the diagram below:
However, we still haven’t established when it was signed. This requires us to use a reputable trusted third party, or Time Stamp Authority, to whom you pass a hash of the signature. They concatenate this with a timestamp and hash the result, then concatenate their timestamp again and encrypt. This is sent back to us and we store it along with our original signature. This can be seen here:
So now we have an integrity check for the document, an identity of the signer and a proof of when the signature occurred. At this point we have what is known as a non-repudiable document. Assuming the certificate was not reported stolen prior to the signature, this document should be legally binding, and that is, as they say, all there is to it.
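The sign, timestamp and verify steps described above can be followed end to end in the added example below, which is not code from the original article. It assumes textbook RSA with constructed demo keys and no padding, hypothetical function names, and a TSA token laid out as this article describes it rather than the format a real TSA returns.

```python
import hashlib
from datetime import datetime, timezone

# Constructed demo keys: textbook RSA built from Mersenne primes, no padding.
# Illustration only; real signing uses a vetted library with RSA-PSS or ECDSA.
E = 65537  # public exponent

def make_key(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

SIGNER_N, SIGNER_D = make_key(2**521 - 1, 2**607 - 1)
TSA_N, TSA_D = make_key(2**1279 - 1, 2**2203 - 1)
SAMPLE_TIME = datetime(2016, 5, 1, 10, 0, 0, tzinfo=timezone.utc)  # the article's example

def sha256(data):
    return hashlib.sha256(data).digest()

def sign(document):
    # Signer: hash the document, then apply the private key to the hash.
    return pow(int.from_bytes(sha256(document), "big"), SIGNER_D, SIGNER_N)

def verify(document, signature):
    # Verifier: recover the signed hash with the public key, compare to a fresh hash.
    return pow(signature, E, SIGNER_N) == int.from_bytes(sha256(document), "big")

def signature_hash(signature):
    # What the signer sends to the TSA: a hash of the signature, not the document.
    return sha256(signature.to_bytes((SIGNER_N.bit_length() + 7) // 8, "big"))

def generalized_time(when):
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()

def tsa_stamp(sig_hash, when):
    # TSA: hash(sig_hash || timestamp), append the timestamp, apply TSA private key.
    ts = generalized_time(when)
    return pow(int.from_bytes(sha256(sig_hash + ts) + ts, "big"), TSA_D, TSA_N)

def verify_stamp(signature, token):
    # Returns the timestamp if the token covers this signature, otherwise None.
    try:
        payload = pow(token, E, TSA_N).to_bytes(32 + 15, "big")
    except OverflowError:  # forged or corrupted token does not decode to 47 bytes
        return None
    digest, ts = payload[:32], payload[32:]
    return ts.decode() if digest == sha256(signature_hash(signature) + ts) else None

if __name__ == "__main__":
    doc = b"constructed sample document"
    sig = sign(doc)
    print(verify(doc, sig), verify(doc + b" (edited)", sig))
    print(verify_stamp(sig, tsa_stamp(signature_hash(sig), SAMPLE_TIME)))
```

The timestamp token is bound to the signature rather than to the document, so changing either the signature or the token makes `verify_stamp` return nothing.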
In my next article in this series I will be talking about LDAP / Active Directory.