
Digital Signature

 
INFO & KNOWLEDGE
 
A digital signature is applied asymmetric cryptography; more about that in cryptographic basics of a digital signature.



Public Key Certificates

For verification of a digital signature you need the corresponding public key, thus these keys have to be distributed or accessible in a directory. A public key certificate is a credential which links the public key to the identity of its owner.

The data structure of a digital certificate contains a public key signed by a hopefully trustworthy third party (certification authority). The third party is the issuer of the credential; verification can only be done with the public key of the third party (CA certificate). Without these mechanisms there could be a "man in the middle" attack. Of course more data is included and signed in a certificate, such as the name, validity period, version and serial number, identity information about the issuing third party, and further information about the allowed purpose of use, revocation information, etc. At a minimum, a certificate consists of a name, a public key and a digital signature over this information. You can find more about that in certificate formats.



Figure: Certificate



Separated key pairs for signature and encryption

Although one key pair can be used for both encryption and signature, it is common to separate the encryption key pair from the signature key pair, because there are a few good reasons for that.

1. the accumulated cryptographic material, which can be used for cryptanalysis, is reduced, because a key pair isn't used that often.

2. the consequences of a key compromise are less serious, and the backup or recovery strategies can be adapted to the use of each key pair.

3. no possibility of attack by palming off a cryptographic hash: using a private key can mean signing or decryption, therefore a supposedly encrypted message could in reality be a hash value. The recipient (and victim) wants to decrypt the message, applies his private key to it, and gets gibberish - or a signed hash value (a signature) - depending on the viewer.
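Reason 3 worked through as an added example (not code from this page): with textbook RSA, the private-key operation is the same for decryption and signing, so a single key pair turns a decryption into a signature, while a separate encryption key pair does not. The keys are constructed toy keys built from Mersenne primes, no padding is used, and all function names are assumptions for illustration.

```python
import hashlib

def keypair(p, q, e=65537):
    # Constructed toy RSA key (textbook RSA, no padding): (public, private)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(msg, n):
    # SHA-256 of the message, reduced mod n so it fits the toy modulus
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def private_op(priv, x):
    # One modular exponentiation: it is "decrypt" and "sign" at the same time
    n, d = priv
    return pow(x, d, n)

def verify(pub, msg, sig):
    # Recover the hash with the public key and compare with the computed hash
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def single_pair_case(doc):
    # One key pair for encryption and signature
    pub, priv = keypair(2**107 - 1, 2**127 - 1)
    fake_ciphertext = digest(doc, pub[0])          # a hash posing as encrypted mail
    plaintext = private_op(priv, fake_ciphertext)  # recipient "decrypts" it
    return verify(pub, doc, plaintext)             # the gibberish is a valid signature

def separate_pairs_case(doc):
    # Signature key pair and encryption key pair are different
    sig_pub, sig_priv = keypair(2**107 - 1, 2**127 - 1)
    enc_pub, enc_priv = keypair(2**61 - 1, 2**89 - 1)
    fake_ciphertext = digest(doc, sig_pub[0])
    plaintext = private_op(enc_priv, fake_ciphertext)  # only the encryption key is used
    return verify(sig_pub, doc, plaintext)             # does not verify as a signature
```
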


Verification of a digital signature

The verification of a digital signature consists of the actual signature verification and the verification of the signing certificates. During signature verification the hash value in the signature is decrypted with the public key, which is known from the certificate. This hash value is compared to the hash value which is computed from the signed data. If both are the same, it is proven that the data is unchanged and that the private key corresponding to the public key was used for the signature.

The identity and the validity of the key pair are checked with a trusted third party. By using revocation lists or services the validity is checked and the certificate chain is built. All certificates in the chain are checked against revocation - the verification of the certificate chain is a cascade of signature and revocation checks.

Additionally, checking further attributes of the certificates makes sense, e.g. verifying whether certificates are allowed to issue other certificates by checking the "Basic Constraints".
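The cascade of signature, revocation and "Basic Constraints" checks, as an added example (not code from this page). It uses simplified certificate records instead of X.509 and textbook RSA with constructed toy keys; the field names, subject names and the revocation set are assumptions for illustration.

```python
import hashlib

def keypair(p, q, e=65537):
    # Constructed toy RSA key (textbook, no padding): (public, private)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def tbs_hash(cert, n):
    # Hash over the signed fields, reduced mod n to fit the toy modulus
    fields = (cert["subject"], cert["issuer"], cert["pub"], cert["serial"], cert["is_ca"])
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big") % n

def issue(subject, pub, serial, is_ca, issuer, issuer_priv):
    cert = {"subject": subject, "issuer": issuer, "pub": pub,
            "serial": serial, "is_ca": is_ca}
    n, d = issuer_priv
    cert["sig"] = pow(tbs_hash(cert, n), d, n)  # issuer signs the hash
    return cert

def verify_chain(chain, anchor_pub, revoked):
    # chain[0] is the signer's certificate; the last entry is signed by the trust anchor
    for i, cert in enumerate(chain):
        n, e = chain[i + 1]["pub"] if i + 1 < len(chain) else anchor_pub
        if pow(cert["sig"], e, n) != tbs_hash(cert, n):
            return "bad signature: " + cert["subject"]
        if (cert["issuer"], cert["serial"]) in revoked:
            return "revoked: " + cert["subject"]
        if i > 0 and not cert["is_ca"]:  # "Basic Constraints": issuers must be CAs
            return "not a CA: " + cert["subject"]
    return "ok"

# Constructed sample hierarchy: root -> CA -> Alice
root_pub, root_priv = keypair(2**521 - 1, 2**607 - 1)
ca_pub, ca_priv = keypair(2**107 - 1, 2**127 - 1)
alice_pub, alice_priv = keypair(2**61 - 1, 2**89 - 1)
carol_pub, _ = keypair(2**19 - 1, 2**31 - 1)

ca = issue("Example CA", ca_pub, 1, True, "Example Root", root_priv)
alice = issue("Alice", alice_pub, 2, False, "Example CA", ca_priv)
# End-entity key used to issue a certificate, which the CA flag forbids
carol = issue("Carol", carol_pub, 3, False, "Alice", alice_priv)
```
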


Figure: Digital signature with appendix



LEGAL
 
Considering the legal consequences of signatures, the main focus lies on the signature creation device and its security.

The European signature directive is written with the principle of independence of technology, therefore the term "electronic signature" is used, which should be wider than the term "digital signature", which is used for asymmetric cryptographic algorithms. More about that in signature law.


Digital Signature Solutions

A leading supplier of digital signature solutions including XML Digital Signature is xyzmo - the next generation digital signature solution.



Copyright © 2004 CRYPTAS. All rights reserved