A low-down on... Digital Signatures
Posted on 17 Sep 2001 at 17:07
She may not be alone in believing that effective Internet privacy legislation could help revitalise online business, but the co-operation that would be required between rival companies has not yet been shown. Microsoft, in particular, has attracted criticism for its possible handling of personal data by its own Passport system.
Several companies have consequently stepped into the commercial space to provide third-party trust services. BT's Ignite, for example, which is a global affiliate of VeriSign, provides a number of trust services, including the provision of encryption and digital signatures for e-mails.
What exactly is a digital signature?
A brief definition would be that a digital signature is an electronic value that can verify the identity of the sender of a message. Furthermore, the system that supports the use of a signature can also detect whether the message has been tampered with or altered in any way, allowing the recipient(s) to verify its integrity and origin.
When it comes to explaining digital signatures in more detail, you have to dip your toes into the world of encryption and asymmetric cryptography. You become involved with PKI (public key infrastructure) and the use of public and private "keys". These are complementary special codes that, when used together, can support an effective encryption scheme. Basically, a widely distributed public key is used to encrypt data for transmission and the corresponding private key - which is known only by the recipient and should not be shared - can be used to decode it.
In these terms, a digital signature is a code created with a private key and this same code allows the authentication of any signed information by a complementary process of signature verification. The value used, furthermore, can be unique to both the contents of the message and your private key.
Anyone who has access to your public key - which is intended to be made publicly available, remember - will be able to use it to verify your signature. Your signature is created by applying your secret key, the partner of that public key, to the contents of the message.
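The sign-then-verify process described above, as an added example that is not part of the original article: a toy RSA signature in Python using only the standard library. The key is built from two fixed, constructed primes and uses no padding, so it shows the mechanics only; the function names are chosen for this illustration.

```python
import hashlib

# Constructed toy key: two Mersenne primes, chosen so the example runs offline.
# Real keys use large random primes and a padding scheme such as RSA-PSS.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537  # public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private), where public=(n, e) and private=(n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: inverse of e
    return (n, e), (n, d)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer; this is the value that is signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private) -> int:
    """Signature depends on both the message contents and the private key."""
    n, d = private
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Anyone holding the public key can check origin and integrity."""
    n, e = public
    return pow(signature, e, n) == digest(message)


if __name__ == "__main__":
    public, private = make_keypair()
    msg = b"Pay Alice 100 pounds"  # constructed sample message
    sig = sign(msg, private)
    print("original verifies:", verify(msg, sig, public))
    print("altered verifies: ", verify(b"Pay Alice 900 pounds", sig, public))
```
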
PGP
A commonly-used system for encrypting and signing data at a personal level is PGP (Pretty Good Privacy). This software, which is available both as freeware and as a commercial version, was developed by Philip Zimmermann back in the early nineties.
Metaphors of locks are often used to explain the use of these values known as "keys". When a document is encrypted - or locked - it is done in a particular way that can be unencrypted, or unlocked, only by the special secret "key". So far so good. You write an e-mail, for example, you encrypt it and the recipient decodes it, using a particular key to reveal its true content from the apparent nonsense-text that would appear to onlookers.
The only counter-intuitive point is that you have to use the public key of the person you are communicating with when encoding, not your own. This is because the recipient has to decode the message, and if they had access to your secret (or private) key they could access all your private data. It makes sense that the recipient has their own "private key" to decrypt communication encrypted with their public key. That way he or she can make the public key freely available without compromising security.
Printed from www.pcpro.co.uk


