
Digital signature and Public Key Infrastructure (PKI)

 
 

1. Introduction to Digital Signature

Modern cryptographic systems use so-called asymmetric cryptography, a technique based on a key pair that permits encryption and decryption of confidential data. If data are encrypted with one of the two keys, they can be recovered by using the second one.

The two keys are named the private key and the public key. The private key must be kept secure by the key owner who wants to share data; the public key must be delivered to all the entities that want to access those data.

The data owner, say A, can achieve two different goals when using asymmetric cryptography.

A can send its public key to a second entity, say B, and ask B to use this key to encrypt data that A wants to receive ("its" and not "his", because A can be a person but also some kind of system). When B sends those encrypted data to A, only A can read them, being the only entity that keeps a copy of the private key related to the public key sent. This method is useful when an entity wants to be sure that certain data can be read only by itself. It does not guarantee that the data received actually come from B, because the public key is publicly available.

The second method works like this: A encrypts its data with its private key and sends those data to a second entity B, adding its public key to them. With the aid of the public key, B can decrypt the data and understand the content sent by A. In this case the method guarantees that the data B receives come exclusively from A, A being the only entity that has the private key corresponding to the public key received by B.

In the second case, in conjunction with hash algorithms (encryption operates on the hashed data), we say that A has digitally signed its data. This method is referred to as Digital Signature.

In a real scenario, however, things are not so trivial. Can B be sure that the data it received were actually sent by A? Suppose that some third entity, say C, signs malicious data with its private key and sends them to B with the related public key. How can B distinguish good data sent by A from malicious data sent by C?

A mechanism is required that assures B of the authenticity of the public key it received. If the public key is really A's public key, then the data received surely come from A.

The solution is to combine the public key of A with an identifier for A itself (for example A's name or e-mail address if A is a person, or A's IP address if it is a network machine). The result is the so-called Digital Certificate.
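The sign-and-verify flow and the key-substitution problem described above, as an added example that is not part of the original page. It assumes textbook RSA without padding over SHA-256, toy keys built from Mersenne primes, and a hypothetical `directory` dictionary standing in for the identity-to-key binding that a Digital Certificate provides; all function names are illustrative.

```python
import hashlib

E = 65537  # public exponent used by both constructed keys

def make_keypair(p, q):
    """Textbook RSA key pair from two primes (illustration only, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "d": d}, {"n": n, "e": E}

def digest_int(data, n):
    """SHA-256 hash of the data as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    """Hash the data, then apply the private-key operation to the hash."""
    n = private_key["n"]
    return pow(digest_int(data, n), private_key["d"], n)

def verify(public_key, data, signature):
    """Recover the hash with the public key and compare it to a fresh hash."""
    n = public_key["n"]
    return pow(signature, public_key["e"], n) == digest_int(data, n)

# Constructed toy keys for A and C (Mersenne primes, not suitable for real use).
A_PRIV, A_PUB = make_keypair(2**521 - 1, 2**607 - 1)
C_PRIV, C_PUB = make_keypair(2**1279 - 1, 2**2203 - 1)

def accept_with_shipped_key(data, signature, shipped_key):
    """B trusts whichever public key arrived together with the message."""
    return verify(shipped_key, data, signature)

def accept_with_bound_key(claimed_sender, data, signature, directory):
    """B uses only the key already bound to the claimed sender's identity."""
    key = directory.get(claimed_sender)
    return key is not None and verify(key, data, signature)

def demo():
    directory = {"A": A_PUB}  # assumed binding: identifier -> public key
    good, bad = b"report from A", b"malicious data"  # constructed messages
    sig_a, sig_c = sign(A_PRIV, good), sign(C_PRIV, bad)
    return {
        "genuine": accept_with_shipped_key(good, sig_a, A_PUB),
        "modified_in_transit": verify(A_PUB, good + b"!", sig_a),
        "c_data_shipped_key": accept_with_shipped_key(bad, sig_c, C_PUB),
        "c_data_bound_key": accept_with_bound_key("A", bad, sig_c, directory),
    }

if __name__ == "__main__":
    print(demo())
```

C's data verifies when B uses the key shipped with the message and is rejected when B uses the key bound to A's identifier, which is the gap the certificate closes.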

 
 
 

See Also

ITU-T Site dedicated to X509: site where you can find the X509 specification for the PKI cryptosystem. Standards are free to download.

IETF PKIX Working Group: site of the IETF working group for the implementation of the Public Key Infrastructure. Standards are free to download.

NIST - FIPS Publications: official site of the National (USA) Institute of Standards and Technology, containing the specifications (FIPS – Federal Information Processing Standards) of most of today's widely used cryptographic algorithms.

 