Digital signatures are commonly used in the following two situations:
- Code signing – This is used for data integrity and authentication purposes. Code signing is used to verify the integrity of executable files downloaded from a vendor website. It also uses signed digital certificates to authenticate and verify the identity of the site that is the source of the files.
- Digital certificates – These are similar to a virtual ID card and used to authenticate the identity of the system with a vendor website and establish an encrypted connection to exchange confidential data.
There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:
- Digital Signature Algorithm (DSA) – DSA is the original standard for generating public and private key pairs, and for generating and verifying digital signatures.
- Rivest-Shamir Adelman Algorithm (RSA) – RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures.
- Elliptic Curve Digital Signature Algorithm (ECDSA) – ECDSA is a newer variant of DSA and provides digital signature authentication and non-repudiation with the added benefits of computational efficiency, small signature sizes, and minimal bandwidth.
In the 1990s, RSE Security Inc. started to publish public-key cryptography standards (PKCS). There were 15 PKCS, although 1 has been withdrawn as of the time of this writing. RSE published these standards because they had the patents to the standards and wished to promote them. PKCS are not industry standards, but are well recognized in the security industry and have recently begun to become relevant to standards organizations such as the IETF and PKIX working group.
Digital Signatures for Code Signing
Digitally signing code provides several assurances about the code:
- The code is authentic and is actually sourced by the publisher.
- The code has not been modified since it left the software publisher.
- The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.
The US Government Federal Information Processing Standard (FIPS) Publication 140-3, specifies that software available for download on the internet is to be digitally signed and verified.
The purpose of digitally signed software is to ensure that the software has not been tampered with and that it originated from the trusted source as claimed. Digital signatures serve as verification that the code has not been tampered with by threat actors and malicious code has not been inserted into the file by a third party.
Click the buttons to access the properties of a file that has a digitally signed certificate.
Digital Signatures for Digital Certificates
The digital certificate independently verifies an identity. Digital signatures are used to verify that an artefact, such as a file or message, is sent from the verified individual. In other words, a certificate verifies identity, a signature verifies that something comes from that identity.
This scenario will help you understand how a digital signature is used. Bob is confirming an order with Alice. Alice is ordering from Bob’s website. Alice has connected with Bob’s website, and after the certificate has been verified, Bob’s certificate is stored on Alice’s website. The certificate contains Bob’s public key. The public key is used to verify Bob’s digital signature.
A third arrow goes from the 0a textbox to a cloud that has the words signed data in it and a box that says confirm order signature 0a77b3440… Words at the bottom: Bob confirms the order and his computer creates a hash of the confirmation. The computer encrypts the hash with Bob’s private key.
The encrypted hash, which is the digital signature, is appended to the document. The order confirmation is then sent to Alice over the internet signed.
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
CRMNAIJA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.