Re: Digital Signatures

cliffnotes · ‎10-12-2011

HI all,

This could be a dummy question, but help me to learn as am a newbie into VPN technology.

Question:

Symmetric hashing algorithms are MD5 & SHA.

Symmetric encryption algorithms are DES,3DES etc..

Asymmetric encryption algorithms are RSA etc..

To create a DIgital signature: 1.Original text is run into hashing algorithm such as MD5 to get HASH value

2. Resulted HASH value is put into encryption algorithm as input to get DIGITAL signature.

When i run through a book, i noticed algorithms MD5 (symmetric algorithm) and RSA (asymmetric algorithm) are used to create DIGITAL signatures. Why symmetric & asymmetric algorithms are used and the benefits of combining both. And also i would like to know why can't we use MD5 & 3DES (both symmetric algorithms) to create digital signatures? Pls clarify

Message was edited by: gfgdfg fgfdgtr

Herbert Baerten · ‎10-16-2011

Hi gfgdfg,

let's say Alice wants to send a signed email to Bob.

As you mentioned, Alice creates a one-way hash on the message, and encrypts it with her private key.

When Bob received the email, he will decrypt the signature using Alice's public key, resulting in the original hash.

2- generate a hash himself, using the email as input and using the same hash algorithm

3- compare these 2 hashes, if they are not the same something is wrong and Bob should not trust the contents of the message or the identity of the sender (i.e. either the email was tampered with or the email was not really signed by Alice).

So obviously for this to work the hash algorithm needs to produce the same hash value on Alice's side as on Bob's side.

Now for the encryption part: in the explanation above we use asymmetric keys (Alice signs with her private key, Bob decrypts with the corresponding public key).

In theory you could just as well use symmetric keys, but Alice and Bob would first have to agree on which key to use (so Alice would have to call Bob on the phone and say, let's use "mys3cr3t" as key for all the emails we're going to exchange from now on). Alice would have to do the same for all her contacts (using different keys).

With asymetric keys, Alice uses the same keypair for all the messages she sends.

Bob still needs to have Alice's public key, so depending on what method they use this could still be a problem. The easiest solution is for Alice to send along a certificate, which is basically her public key (plus other info) signed by a trusted 3rd party (certificate authority).

I hope this helps, let me know if you want to discuss in more detail.

Herbert

Odys (CSC) · ‎08-03-2013

Herbert, well done. thank you !

You maintained that there are some methods to exchange the public key, what are these methods ?

PKI, CA, any more ?

thx

Herbert Baerten · ‎09-07-2013

hi Hydir,

very sorry for the late reply.

Apart from PKI (which uses one or more CA) you can also use keyservers (commonly used with PGP), or basically publish or transfer your key in any way you want as long as the receiver can (reasonably) trust that the key they receive really comes from you.

I.e. I can put my key on my facebook page, fedex you my key on a USB stick, write it on a napkin when we meet in a bar, dictate it to you over the phone, etc. but of course each of those methods has its potential security flaws - are you sure that facebook page is mine and not an imposter's, is the person handing you the napkin really the person he claims he is (if you ask him for an ID do you trust that it is not a forged one)...

PKI tries to solve that, but still (depending on how paranoid you are and how much risk you run if your data gets compromised) you should ask yourself how much trust you put in the PKI authority.

Of course entire books have been written about this and there is much more to it, e.g. key revocation is a very interesting subject as well

hth

Herbert