RE: Digital Signature Full Seminar Report Download
Digital Signature.doc (Size: 186 KB / Downloads: 19)
Digital signature is a sort of Cryptography. Cryptography means keeping communications private. It is a practical art of converting messages or data into a different form, such that no one read them without having access to the ‘key’. The message may be converted using a ‘code’ (in which case each character or group of characters is substituted by an alternative one), or ‘cipher’ (in which case the message as a whole is converted, rather than individual characters). It deals with encryption, decryption and authentication.
There are two types of Cryptography-
1.Secret key or Symmetric Cryptography
2. Public key or Asymmetric Cryptography
In Symmetric Cryptography the sender and receiver of a message know and use the same secret key to encrypt the message, and the receiver uses same key to decrypt the message.
Asymmetric (or public key) Cryptography involves two related keys, one of which only the owner knows (the 'private key') and the other which anyone can know (the 'public key').
Why Digital Signature:
Message authentication protects two parties who exchange messages from any third party. However it does not protect two parties against each other. Several forms of disputes between the two are possible.
For example suppose that john sends an authenticated message to Mary,using one of the schemes.Following dispute that could arise :
1. Mary may forge a different message and claim that it can come from John.Mary would simply have to create a message and append an authentication code using the key that John and Mary share.
2. John can deny sending the message.Because it is possible for Mary to forge a message there is no way to prove that John did in fact send the message.
Both scenarios are of legitmate concern.Here is an example of the first scenario:An electronic fund transfer take place and the receiver increases the amount of fund transferred and claims that larger amount had arrived from the sender.An example of the second scenarios is that an electronic mail message contains instruction to a stockbroker for a transdaction that subsequently turns out badly.The sender pretend that the message never sent.
On the basis of these prpperties ,we can formulate the following reqirements for a digital signature:
• The signature must be a bit pattern that depends on the message of being signed.
• The signature must use some information uniqe to sender ,to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature .
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature ,either by constructing a new massage for an existing digital signature or by constructing a fraudulent digital signature for a given message.
• It must be practical to return a copy of the digital signature in storage.
A secure hash function ,embedded in a scheme such as that of figure satifies these reqirements.
What is digital signature:
Basically, the idea behind digital signatures is the same as your handwritten signature. You use it to authenticate the fact that you promised something that you can't take back later. A digital signature doesn't involve signing something with a pen and paper then sending it over the Internet. But like a paper signature, it attaches the identity of the signer to a transaction. Having a digital certificate is like using your driver's license to verify your identity. You may have obtained your license from Maryland, for example, but your Maryland license lets you drive in Nevada and Florida. Similarly, your digital certificate proves your online identity to anybody who accepts it.
Direct digital signature:
A direct digital signature involves only the communication parties (source and destination). It is assumed that the destination knows the public key of the source. A digital signature may be formed by encrypting the entire message with the sender’s private key or by encrypting the hash code of the message with the sender’s private key.
Confidentiality can be provided by further encrypting the entire message plus signature with either the receiver’s public key or a shared secret key. It is important to perform the signature function first and then an outer confidentiality function. In case of dispute some third party must view the message and signature. If the signature is calculated on an encrypted message, the third party also needs access to the decryption key to read the original message.
Arbitrated digital signature:
The problems associated with direct digital signatures can be addressed by using an arbiter. As with direct signature schemes, there are a variety of arbitrated signature schemes. In general terms, these all operate as follows: every signed message from sender X to the receiver Y goes first to the arbiter A, who subjects the message and its signature to the number of tests to check its origin and content. The message is then dated and sends to Y with an indication that it has been verified to the satisfaction of the arbiter. With the presence of arbiter A, there are no chances of a sender X to disowning the message, as is the case with the direct digital signatures.
The arbiter plays a crucial role in arbitrated digital signatures and all parties must have a great deal of trust that the arbitration mechanism working properly. The use of a trusted system might satisfy this requirement.
HOW THE TECHNOLOGY WORKS :
Digital signatures require the use of public-key cryptography .If you are going to sign something, digitally, you need to obtain both a public key and a private key. The private key is something you keep entirely to yourself. You sign the document using your private key- which is really just a kind of code-then you give the person (the merchant of the website where you bought something or the bank lending your money to buy a house) who needs to verify your signature your corresponding public key. He uses your public key to make sure you are who you say you are. The public key and private key are related, but only mathematically, so knowing your private key. In fact, it’s nearly impossible to figure out your private key from your public key.
DIGITAL SIGNATURE STANDARD :
The National Institute of Standards and Technology has published Federal Information processing standards Publications (FIPS PUBS), known as digital signature standard. The DSS makes use of the Secure Hash Algorithm (SHA) and present a new digital signature technique called the Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than written signature. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and integrity of the data can be verified. The DSA provides the capability to generate and verify signatures. Signature generation makes use of a private key to generate a digital signature. Signature Verification makes use of a public key, which corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. Public keys are assumed signatures for stored as well as transmitted data. Anyone can verify the signature of a user by employing that user's public key. Signature generation can be performed only by the possessor of the user's private key.
A hash function is used in the signature generation process to obtain a condensed version of data, called a message digest (see Figure 1). The message digest is then input to the DSA to generate the digital signature. The digital signature is sent to the intended verifier along with the signed data (often called the message). The verifier of the message and signature verifies the signature by using the sender's public key. The same hash function must also be used in the verification process. The hash function is specified in a separate standard, the Secure Hash Standard (SHS), FIPS 180. Similar procedures may be used to generate and verify signatures for stored as well as transmitted data.
DIGITAL SIGNATURE GENERATION:
To begin with the process, a check (message) must be created. In order to create a digital signature with the check, a process known as “hash function must occur. The hash function is a mathematical algorithm that creates a digital representation or fingerprint in the form of a hash result or message digest. The hash function generally has a standard length that is usually much smaller than the message but nevertheless substantially unique to it. Hash functions ensure that there have been no modifications to the check since it was digitally signed.
The next step is to encrypt the check and signature. The sender’ signature software transforms the result into a digital signature using the sender private key. The resulting signature is thus unique to both the message and the private key used to create it. Typically, a digital-signature is appended to its message and stored or transmitted with the message. However, it may also be sent or stored as a separate data element, so long as it maintains a reliable association with its message. Since a digital signature is unique to its message, it is useless when wholly disassociated from the message.
Now the question arises how do one get a private and a public key? The answer is: You need to obtain something called a digital certificate. For that, you go to a certificate issuer, which will give you a digital certificate that says, in effect, "Here is Mike, and here is his public key. Anything he signs with his corresponding private key is valid." When you buy something online and digitally sign the transaction, you provide the merchant with your digital certificate. If the merchant trusts the issuer of the certificate, he uses the certificate to verify your signature. Often the authority that provides you with a digital certificate will also provide you with a private key. Certain computer systems will let you generate your own private key, but be careful! That is where the potential for fraud comes in. It's considered impossible to forge a digital signature the way one can forge a paper signature, but if you are careless with your private key—leaving it unprotected on your desktop, for instance—it's possible for you to compromise its integrity.