Where do I “Sign”?

A short Review on Digital Signatures

by Joe Guerra, Cybersecurity Instructor, Hallmark University

The fundamentals of data security are defined as applying techniques, procedures and other means to protect the confidentiality, availability, and integrity of information. Most of the time the focused scenario is keeping the attackers at a distance, and adding barriers around the information. These barriers vary from physical property fences to technology firewalls to do the job.

Whereas these defenses are essential, what about applying an additional factor that would make the information fruitless to the attacker? What if the data was gibberish in such a way that only the authorized entities can view it while the infiltrators could not? This is the kind of security that cryptography offers: it hides the information in a manner that would leave no opportunity for the threat to read it.

Cryptography offers a range and level of security. It provides the basic protections of confidentiality, integrity, authentication, and non-repudiation. The latter two are in a relational category that has been an issue since the dawn of humanity. Some kind of authentication procedure has been in place in civilization since the advent of writing. Although markings, handwritten signatures or seals were sufficient in those ages, in the now, a more relevant process is necessary for an accelerated global interconnected society. As online transactions exponentially rise daily, there is an escalated demand to ensure authenticity, integrity, and non-repudiation of the entities involved, the asset and information exchanged between the parties and a comprehensive secure provisioned agreement process.

So, how do we provide for this need of authentication, integrity, and non-repudiation in today’s digital civilization? The answer lies in a cryptographic component called Digital Signatures. First of all, digital signatures should not be confused with digitized signatures which is essentially an electronic variation of your actual physical signature. Relatively, digital signatures do adhere to the identity of a party to specific information or piece of data. This cryptographic feature is not for the confidentiality aspect of security. Although, it does establish the integrity of the message and authenticate the sender of the data. Digital signatures come from the public key cryptography concept, which is also referred to as asymmetric cryptography. This cryptography provides better authenticity than its counter-part symmetric cryptography.

What makes symmetric encryption inferior in the authenticity and integrity spectrum? If an individual sends information to a co-worker, the message is encrypted with his secret key and the co-worker, in order to view the message must have the same key for decryption. Now, if the same user wants to send another encrypted message to another individual, another key must be implemented. So, if you factor in copious amounts of colleagues into the equation, the problem lies in keeping track of the keys applied to who. An additional issue is how does the receiver get the copy of the key. E-mailing is not a secure option. In other words, symmetric cryptography does not provide authentication or even non-repudiation. Symmetric cryptography works with the use of the same key to encrypt and decrypt the content. This is only powerful against attacks if you securely store away the key.

Asymmetric cryptography implements two keys as opposed to one. The keys are mathematically conjoined and are titled the public and private key. You make public key transparently known and the private key secure. Here is how asymmetric cryptography operates. Suppose Joe wants to relay a message to Jane. Jane has her private key and keeps it safe, and her public key, which is known to everyone. Joe utilizes Jane’s public key for encrypting a message, Joe then transmits the message, Jane now can only decrypt it with her secure private key. Because she does have sole access to her private key, she goes about to decrypt and view the message. Now, if Jane wanted to respond to Joe, she will need to encrypt her message with Joe’s public key which is also known to everyone and send it. Joe will then have to use his private key to read the response. Appropriately, you can understand the value of asymmetric encryption in using it for digital signing.

Digital signatures are implemented as an industry standard within the whole framework called Public Key Infrastructure (PKI). PKI lays out the factors and limitations for public and private keys correlated with a digital signature. As stated in the scenario above, the private key is the responsibility of the sender and does not in any way share it. The public keys may be free to share and used by anyone, especially to validate the signature of the sender.

Overall, digital signatures have two respective intentions: ensure that the original information was not modified and verify the message does come from the sender. For this to be a success, a two-step cryptographic process takes place. First, the message is hashed, thus creating a digest that is tied to the message. So, if the message is modified, the digest changes and leaves a full indication of tampering, which will violate the integrity principle. Then second, is being able to decrypt the digital signature’s hash encryption with the sender’s public key, thus validating the authenticity of the sender. The person says who he says he is.

In conclusion, while Digital Signatures are quite an effective and efficient practice in eliminating impersonation and data manipulation, they are only as good as long as the organization or individual keeps the private key secure. For as soon as the private key becomes public the digital signature tied to that private key can be maliciously used. With this in mind and with the tremendous amount of trust we have in place for digital signatures and the delicate tasks that we attach to them, the more vulnerable they are becoming and the more damaging they can become.

About the Author

Where do I “Sign”?Joe Guerra, Cybersecurity Instructor, Hallmark University. Joe Guerra is a cybersecurity/computer programming instructor at Hallmark University.He has 12 years of teaching/training experience in software and information technology development. Joe has been involved in teaching information systems security and secure software development towards industry certifications. Initially, Joe was a software developer working in Java, PHP, and Python projects. Now, he is focused on training the new generation of cyber first responders at Hallmark University.

March 21, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...