I. Digital Signature
A digital signature is an authentication technique that allows the content owner of a message to attach a piece of digital data as the signature signature of the owner to the content created. Basically, digital signatures are created by hashing the message content and then encrypting the hash string with the content owner’s private key.
Digital signatures, digital signatures, help us achieve the following goals:
- Non-repudiation: can be understood as helping the recipient when checking the content with the signed digital signature will make sure that the signer can not deny what was created at the start of creating digital signatures.
- Integrity: digital signatures help to check the data integrity of the content sent is not changed or modified since the creation of digital signatures and signing of the sending document.
- Authenticity: A digital signature is also used to authenticate the source of the message content. Often, the owner of the signature will be added with the digital signature content to help the recipient verify who sent the message.
Digital signatures are used in many activities of issuing Certificate SSL, … Digital signatures can also be used in email transactions, for online purchase, online stock investment, money transfer. Bank, online payment without fear of being stolen money like with Visa, Master accounts.
- The digital signature creation algorithm is a method of generating digital signatures.
- The digital signature checking algorithm is a method of verifying the authenticity of digital signatures.
The process of creating digital signatures includes:
- Algorithm to create digital signatures.
- Method of converting the message data into a signed format
The process of checking digital signatures includes:
- Algorithm for checking digital signatures.
- Method to recover data from messages.
2. The process of signing and checking digital signatures.
a. Signing process.
Steps of signing a message:
- Calculate the message digest (hash digest / hash value) of the message using a hash algorithm (Hashing algorithm);
- The representative string is signed using the sender’s private key and a signature / Encryption algorithm. The result is the digital signature of the message, or the encrypted message string (Encrypted message digest);
- The original message (message) is paired with a digital signature (Digital signature) to form a signed message (Signed message);
- Signed messages are sent to the recipient.
b. Checking process.
Steps of the signature check process:
- Separate digital signatures and original messages from signed messages for private processing.
- Calculate the MD1 (message digest) representation of the original message using the hashing algorithm (which is the algorithm used in the signing process).
- Use the sender’s public key (public key) to decode the digital signature -> the string represents the MD2 message.
Compare MD1 and MD2:
- If MD1 = MD2 -> signature checks successful. The message ensures integrity and actually originates from the sender (due to the authenticated public key). • If MD1 <> MD2 -> the signature is invalid. The message may have been modified or not actually from the sender.
II. Public key infrastructure – PKI.
Based on the basis of public key cryptography, PKI is a system of software, services, standards, protocols, procedures, and policies to help ensure safety and reliability of communication sessions. . PKI meets the requirements of authentication, confidentiality, integrity, and refusal to exchange messages.
Public-key infrastructure (PKI) is a set of hardware, software, human resources, policies and procedures for creating, managing, distributing, using, storing and retrieving data. digital certificate.
In addition to the basic components of digital certificates, digital signatures and passwords. PKI is also made up of the following specialized functional components:
- Certificate Authority
- Registration Authority
- Certificate Repository and Archive
- Security Server
- PKI-enabled applications and PKI users
Certificate Authority (CA): is a trusted third party responsible for creating, managing, distributing, storing and revoking digital certificates. The CA will accept digital certificate requests and will only issue those who have verified their identity.
Registration Authority (RA): acts as an intermediary between the CA and the user. When a user needs a new digital certificate, they send a request to the RA and the RA will confirm all the necessary identification information before forwarding the request to the CA so that the CA can create and sign a certificate on the certificate. send to RA or send directly to users.
Certificate Repository and Archive: there are 2 important repositories in the architecture of PKI. The first is a public repository that stores and distributes certificates and CRLs (which contain a list of invalid certificates). The second is a database used by the CA to back up the currently used keys and store expired keys, this repository needs to be as secure as the CA itself.
Security Server: is a server providing centralized management services for all user accounts, digital certificate security policies, trusted relationships between CAs in PKI, establishing reporting and many other services.
PKI-enabled applications and PKI users: include users using PKI services and software that supports the installation and use of digital certificates such as web browsers, client-side email applications .
3. Flow chart and use.
- HANDBOOK of APPLIED CRYPTOGRAPHY – Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone.
- Curriculum of safety and information security – PhD. Hoang Xuan Rooster.