Ways Of Using Digital Signatures In Cybersecurity

Digital Signatures In Cybersecurity: How To Use It

Digital signatures in cybersecurity are mathematical techniques used to provide authenticity, integrity, and nonrepudiation. Digital signatures have specific properties that enable entity authentication and data integrity.
In addition, digital signatures provide nonrepudiation of the transaction. In other words, the digital signature serves as legal proof that the data exchange did take place. Digital signatures use asymmetric cryptography.
The signature cannot be forged and provides proof that the signer, and no one else, signed the document.

Digital signatures are commonly used in the following two situations:

  1. Code signing – This is used for data integrity and authentication purposes. Code signing is used to verify the integrity of executable files downloaded from a vendor website. It also uses signed digital certificates to authenticate and verify the identity of the site that is the source of the files.
  2. Digital certificates – These are similar to a virtual ID card and used to authenticate the identity of the system with a vendor website and establish an encrypted connection to exchange confidential data.

There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:

  • Digital Signature Algorithm (DSA) – DSA is the original standard for generating public and private key pairs, and for generating and verifying digital signatures.
  • Rivest-Shamir-Adleman Algorithm (RSA) – RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures.
  • Elliptic Curve Digital Signature Algorithm (ECDSA) – ECDSA is a newer variant of DSA and provides digital signature authentication and non-repudiation with the added benefits of computational efficiency, small signature sizes, and minimal bandwidth.

In the 1990s, RSA Security Inc. started to publish public-key cryptography standards (PKCS). There were 15 PKCS, although 1 has been withdrawn as of the time of this writing. RSA published these standards because they had the patents to the standards and wished to promote them. PKCS are not industry standards, but are well recognized in the security industry and have recently begun to become relevant to standards organizations such as the IETF and the PKIX working group.

Digital Signatures for Code Signing

Digital signatures are commonly used to provide assurance of the authenticity and integrity of software code. Executable files are wrapped in a digitally signed envelope, which allows the end-user to verify the signature before installing the software.
Digitally signing code provides several assurances about the code:
  • The code is authentic and is actually sourced by the publisher.
  • The code has not been modified since it left the software publisher.
  • The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

The US Government Federal Information Processing Standard (FIPS) Publication 140-3 specifies that software available for download on the internet is to be digitally signed and verified.

The purpose of digitally signed software is to ensure that the software has not been tampered with and that it originated from the trusted source as claimed. Digital signatures serve as verification that the code has not been tampered with by threat actors and malicious code has not been inserted into the file by a third party.

The figures that accompany this section show the properties dialog of a digitally signed executable file (the File Properties, Digital Signatures, Digital Signature Details, Certificate Information, and Certification Path views). The executable file was downloaded from the internet and contains a software tool from Cisco Systems. The General tab shows the name of the file, the type, a description, where it is located on the hard drive, its size, when it was created and accessed, and the attributes assigned, if any.

Digital Signatures for Digital Certificates

A digital certificate is equivalent to an electronic passport. It enables users, hosts, and organizations to securely exchange information over the Internet. Specifically, a digital certificate is used to authenticate and verify that a user who is sending a message is who they claim to be. Digital certificates can also be used to provide confidentiality for the receiver with the means to encrypt a reply.
Digital certificates are similar to physical certificates. For example, the paper-based Cisco Certified Network Associate Security (CCNA-S) certificate in the figure identifies who the certificate is issued to, who authorized the certificate, and for how long the certificate is valid. Digital certificates also provide similar information.

The digital certificate independently verifies an identity. Digital signatures are used to verify that an artefact, such as a file or message, is sent from the verified individual. In other words, a certificate verifies identity, a signature verifies that something comes from that identity.
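What a certificate carries and how a client checks it before trusting the public key inside it, as an added example in Go that is not code from the original page. It constructs a hypothetical root CA named "Example Test CA" and a one-year certificate for the hypothetical host bob.example, issued on 1 January 2024 (the names and dates are assumptions), using Go's standard crypto/x509 package. The issuer, subject and validity period are the three items the CCNA-S certificate comparison above lists. Alice's client accepts the certificate only when it chains to a root she trusts, the host name matches, and the current time falls within the validity period; the example exercises each failure separately.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed scenario: a hypothetical root CA ("Example Test CA") issues a
// one-year certificate to Bob's web server, bob.example, on 1 January 2024.
var issued = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

func BuildChain() (ca, bob *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bobKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             issued,
		NotAfter:              issued.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	// Self-signed root: the CA is both template and parent, signed by its own key.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	bobTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "bob.example"},
		DNSNames:     []string{"bob.example"},
		NotBefore:    issued,
		NotAfter:     issued.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Bob's certificate carries Bob's public key but is signed with the CA's key.
	bobDER, err := x509.CreateCertificate(rand.Reader, bobTmpl, ca, &bobKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	bob, err = x509.ParseCertificate(bobDER)
	return ca, bob, err
}

// Verify is what Alice's client does before trusting the public key inside the
// certificate: chain it to a trusted root, match the host name, check the dates.
func Verify(cert *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

type CertResult struct {
	Issuer, Subject                                             string
	Valid, ExpiredRejected, WrongHostRejected, UntrustedRejected bool
}

func CertDemo() (CertResult, error) {
	ca, bob, err := BuildChain()
	if err != nil {
		return CertResult{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	empty := x509.NewCertPool() // Alice was never told to trust this CA
	mid := issued.AddDate(0, 6, 0)
	return CertResult{
		Issuer:            bob.Issuer.CommonName,
		Subject:           bob.Subject.CommonName,
		Valid:             Verify(bob, trusted, "bob.example", mid) == nil,
		ExpiredRejected:   Verify(bob, trusted, "bob.example", issued.AddDate(2, 0, 0)) != nil,
		WrongHostRejected: Verify(bob, trusted, "shop.example", mid) != nil,
		UntrustedRejected: Verify(bob, empty, "bob.example", mid) != nil,
	}, nil
}

func main() {
	r, err := CertDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point of the three failing checks is that a certificate by itself proves nothing: the signature on it is only meaningful if the issuer is already in the client's trust store, and a valid signature from a trusted issuer still does not help if the certificate names a different host or has expired.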

This scenario will help you understand how a digital signature is used. Bob is confirming an order with Alice. Alice is ordering from Bob’s website. Alice has connected with Bob’s website, and after the certificate has been verified, Bob’s certificate is stored on Alice’s website. The certificate contains Bob’s public key. The public key is used to verify Bob’s digital signature.

Bob confirms the order and his computer creates a hash of the confirmation. The computer encrypts the hash with Bob’s private key.

The encrypted hash, which is the digital signature, is appended to the document. The signed order confirmation is then sent to Alice over the internet.
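The signing and verification steps of the Bob and Alice scenario, and the assurances that code signing gives the end user earlier on this page, as an added example in Go that is not code from the original page. It uses a constructed order-confirmation message, generates fresh RSA-2048 and ECDSA P-256 key pairs for Bob (two of the three DSS algorithms listed above; DSA is omitted because Go's crypto/dsa package is deprecated), hashes the message with SHA-256, signs the digest with Bob's private key, and verifies it with his public key. It goes beyond the page's single happy path: a message altered in transit and a signature produced with someone else's key both fail verification, which is what gives the recipient integrity and authenticity assurance, and the signature sizes are reported so the size benefit of ECDSA mentioned above is visible.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample message: the order confirmation Bob sends to Alice.
var orderConfirmation = []byte("Order 1234 confirmed for Alice: 2 x widget, total 40.00 USD")

// Sign hashes the message with SHA-256 and signs the digest with the private
// key: the "encrypt the hash with Bob's private key" step of the scenario.
// An RSA key yields an RSA PKCS#1 v1.5 signature, a P-256 key an ECDSA one.
func Sign(priv crypto.Signer, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return priv.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// Verify is Alice's side: hash what she received and check the signature
// against that hash with Bob's public key (taken from his certificate).
func Verify(pub crypto.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(k, digest[:], sig)
	}
	return false
}

// Result records what the exchange proves: the genuine confirmation verifies,
// while a tampered copy and a signature made with someone else's key do not.
type Result struct {
	RSASigLen, ECDSASigLen             int
	RSAValid, ECDSAValid               bool
	TamperedRejected, WrongKeyRejected bool
}

func Demo() (Result, error) {
	// Bob's key pairs, one per algorithm.
	bobRSA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	bobEC, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// An unrelated key pair that Alice has no reason to trust.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	rsaSig, err := Sign(bobRSA, orderConfirmation)
	if err != nil {
		return Result{}, err
	}
	ecSig, err := Sign(bobEC, orderConfirmation)
	if err != nil {
		return Result{}, err
	}
	// A third party signs the same text with their own key.
	forged, err := Sign(other, orderConfirmation)
	if err != nil {
		return Result{}, err
	}
	// Tampering in transit: the total is changed from 40.00 to 10.00.
	tampered := bytes.Replace(orderConfirmation, []byte("40.00"), []byte("10.00"), 1)
	return Result{
		RSASigLen:        len(rsaSig),
		ECDSASigLen:      len(ecSig),
		RSAValid:         Verify(&bobRSA.PublicKey, orderConfirmation, rsaSig),
		ECDSAValid:       Verify(&bobEC.PublicKey, orderConfirmation, ecSig),
		TamperedRejected: !Verify(&bobRSA.PublicKey, tampered, rsaSig) && !Verify(&bobEC.PublicKey, tampered, ecSig),
		WrongKeyRejected: !Verify(&bobEC.PublicKey, orderConfirmation, forged),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The page describes signing as encrypting the hash with the private key; in practice the library wraps that core operation in a padding scheme (PKCS#1 v1.5 here for RSA, ASN.1-encoded r and s values for ECDSA), and a verifier should always call the library's verify function rather than "decrypting" the signature by hand. The same Sign and Verify functions apply unchanged to code signing: the bytes of an executable take the place of the order confirmation, and the installer refuses to run the file when Verify returns false.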

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level. I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on WhatsApp and let’s talk about your training. You can reach me on WhatsApp HERE. Please note that I will be using Microsoft Teams to facilitate the training.

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
