Digital Signature and Digital Certificate
For security’s sake, most web applications use digital signatures to sign documents transmitted over the Internet. A digital signature on an e-document serves as a guarantor of data origin and integrity. Digital signature technology grew out of public key cryptography (asymmetric encryption algorithms, such as RSA and Diffie-Hellman). In public key cryptography, you have two keys: a private key and a public key. When you send a document to someone, you use your private key to sign the document. When recipients receive the signed document, they use the sender's public key to authenticate the document.
Suppose you want to send a digitally signed document. After you create the document, you pass it through a message hash algorithm. The algorithm generates a hash of the document that is a checksum of the contents of the document. You then encrypt the message hash with your private key. The result is a digital signature.
The recipient passes the document contents through the same message hash algorithm that you used, and creates a new hash. At the same time, he uses your public key to decrypt your digital signature, thereby converting the signature to the original hash. The recipient then compares the newly generated hash and the original hash. If the hashes match, the recipient can be sure that the document he received is really from you and that no one altered it during transmission. If the hashes don't match, the recipient knows that tampering or a transmission error changed the document contents.
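The sign-and-verify flow from the two paragraphs above, as an added example that is not part of the original page. It uses unpadded "textbook" RSA from the Python standard library so that the hash, private-key and public-key steps stay visible; the key, the sample document and all function names are constructed for illustration, and production systems use a padded scheme such as RSASSA-PSS from a vetted library.

```python
import hashlib

# Constructed demo key (assumption, not from the page): two Mersenne primes,
# chosen only so the example runs offline. Never use special-form primes
# or unpadded RSA for real keys.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer


def message_hash(document: bytes) -> int:
    """Hash the document; the SHA-256 digest as an integer is always below N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Sender: transform the message hash with the private key."""
    return pow(message_hash(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient: recover the original hash with the public key, then
    compare it with a freshly computed hash of the received document."""
    if not 0 <= signature < N:       # reject out-of-range values outright
        return False
    original_hash = pow(signature, E, N)
    return original_hash == message_hash(document)


def demo() -> dict:
    document = b"Pay 100 EUR to Alice"   # constructed sample document
    signature = sign(document)
    return {
        "genuine": verify(document, signature),
        "tampered_document": verify(b"Pay 900 EUR to Alice", signature),
        "altered_signature": verify(document, (signature + 1) % N),
    }


if __name__ == "__main__":
    print(demo())
```

Only the unmodified document with its unmodified signature verifies; changing either one makes the recovered hash and the recomputed hash differ.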
In addition, if the document must be protected from unauthorized access while it is transmitted over the Internet, it should be encrypted with the recipient's public key. Only the recipient will then be able to decrypt it with his private key. Thus, public keys must be transmitted unaltered.
Before users who receive documents from you can verify your digital signature, they must have a way of knowing that your public key is genuine. Without assurance that a public key is legitimate, trusting that a signed document and its accompanying public key are from the purported sender can be risky.
This problem is addressed by the so-called public key third-party trust model. The third-party model introduces the Certificate Authority (CA). A CA is a trustworthy organization that certifies public keys. CAs certify public keys by issuing users a digital certificate that contains the user's identity, public key, and key expiration date. The issuance of digital certificates is regulated by the X.509 standard.
It should be mentioned that you can store a certificate with a public key (hereinafter, the digital certificate) on your computer together with your certificate with the private key (personal digital certificate). When used with e-mail programs, security certificates with private keys are also known as "digital IDs".