Digital Singatures question

Secure Home | Search | About

Lost Password?

General Computer Security

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

add this group's latest topics to your Google content

Subject

Author

Date

Digital Singatures question

Matt

09-14-2005

Re: Digital Singatures question

Anne & Lynn Whe...

09-14-2005

Re: Digital Singatures question

Volker Birk

09-15-2005

Posted by Matt on September 14, 2005, 6:55 pm

If you were Registered and logged in, you could reply and use other advanced thread options

I'm currently studing for the Security+ exam and the Sybex book I'm
reading really does't fill in the gaps with cryptography. I have read
articles on the web and other chapters from different books.

Can someone please explain Digital signatures to me? I understand that
they are used to validate who a person is. I don't understand how they
are created and what key is used to encrpyt them, etc.. Really couldn't
find to much more info on them.

Also is there a difference between a cipher and a hash? Is ciphertext
the same thing as a message digest? When you do use a cipher or hash
does the other side needs to know what algorithm you used? Is this sent
with the message??

Can someone please help clear up these topics or quide me towards some
reading material that will.

Thank you

Posted by Anne & Lynn Wheeler on September 14, 2005, 9:40 pm

If you were Registered and logged in, you could reply and use other advanced thread options

> I'm currently studing for the Security+ exam and the Sybex book I'm

> reading really does't fill in the gaps with cryptography. I have read

> articles on the web and other chapters from different books.

> Can someone please explain Digital signatures to me? I understand that

> they are used to validate who a person is. I don't understand how they

> are created and what key is used to encrpyt them, etc.. Really couldn't

> find to much more info on them.

> Also is there a difference between a cipher and a hash? Is ciphertext

> the same thing as a message digest? When you do use a cipher or hash

> does the other side needs to know what algorithm you used? Is this sent

> with the message??

> Can someone please help clear up these topics or quide me towards some

> reading material that will.

nist has secure hash standard .... basically computes a short-hand
representation of a document.
http://csrc.nist.gov/cryptval/shs.htm

and the digital signature standard
http://csrc.nist.gov/cryptval/dss.htm

the basic technology is asymmetric (key) cryptography; what one key
(of a key-pair) encodes, the other key (of the key-pair) decodes
(differentiates from symmetric key cryptography where the same key is
used for both encryption and decryption.

a business process is defined called public key; where one key is
designated as "public" and freely distributed and the other key is
designated as "private" and kept confidential and never divulated.

there is a business process called digital signature. somebody
computes the hash of a message/document and encodes the hash with
their private key to create a digital signature ... and then transmits
the message/document along with its digital signature.

the recipient recomputes the hash of the document, decodes the digital
signature with the appropriate public key and compares the two
hashes. if the two hashes are the same, then the recipient can
conclude

1) the document hasn't been modified since the digital signature
was computed
2) "something you have" authentication ... aka that the originator
has access to and use of the corresponding private key.

from 3-factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

given that the key designated "private" is appropriately guarded, kept
confidential and never divulated ... then a digital signature
validated with the corresponding "public" key would only have
originating from the designated "private" key owner.

to further increase the integrity of digital signature operations,
hardware tokens can be used, where a public/private key pair is
generated inside the token, the public key is exported, and the
private key is never revealted. the hardware token is required to
perform digital signature operations (further strengthening the
integrity of the "something you have" authentication operation).

a straight-forward deployment is to take something like RADIUS ...
http://www.garlic.com/~lynn/subpubkey.html#radius

which is used by the majority of the world-wide ISPs for dial-up
customer authentication ... typically using password ... and
replace the registration of a shared-secret password
http://www.garlic.com/~lynn/subpubkey.html#secret

with a public key. Then instead of using password authentication,
where the client transmits the passowrd ... the client instead
computes a digital signature (using a defined message and the
corresponding private key). The server then validates the digital
signature with the registered public key (for "something you have"
authentication, in place of the password, shared-secret, "something
you know" authentication).

there was a business process created called PKI involving
certification authorities and digital certificates to address the
first time communication between strangers for the offline email
environment of the 80s (somewhat analogous to the "letters of credit"
from the sailing ship days). THe scenario involves somebody dialing up
their local (electronic) post office, exchanging email, and hanging
up. They then may be faced with handling first-time email from a
straonger ... having no local information about the person originating
the email and/or having any online access to authoritative source for
obtaining information about the originator.

A more detailed description of that scenario
http://www.garlic.com/~lynn/2005p.html#32 PKI Certificate question

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

Posted by Volker Birk on September 15, 2005, 10:32 am

If you were Registered and logged in, you could reply and use other advanced thread options

> I'm currently studing for the Security+ exam and the Sybex book I'm

> reading really does't fill in the gaps with cryptography. I have read

> articles on the web and other chapters from different books.

Perhaps, Bruce Scheier's "Applied Cryptography" will be a good starting
point, though it's not very up to date any more, but offers an excellent
introduction to the topic, easy to read and easy to understand.

Also http://en.wikipedia.org/wiki/Cryptography is a good starting point.

> Can someone please explain Digital signatures to me? I understand that

> they are used to validate who a person is. I don't understand how they

> are created and what key is used to encrpyt them, etc.. Really couldn't

> find to much more info on them.

A digital signature is a way to use asymmetric ciphers to virtually "sign"
data by having an hash over the data, which was encrypted with the private
key of someone, and can be checked then with the public key.

http://en.wikipedia.org/wiki/Digital_signature

> Also is there a difference between a cipher and a hash?

Yes ;-)

A cipher function is bijective, that means, you can revert it if you have
the right key, while a hash is not - quite the contrary, it has to be as
hard as possible to revert it ;-)

http://en.wikipedia.org/wiki/Encryption#Ciphers
http://en.wikipedia.org/wiki/Cryptographic_hash_function#Cryptographic_properties

> Is ciphertext

> the same thing as a message digest?

No. Ciphertext is, what you get out of your plaintext after you applied a
cipher.

A message digest is some kind of checksum you can calculate using a
cryptographic hash function.

> When you do use a cipher or hash

> does the other side needs to know what algorithm you used?

Yes.

> Is this sent

> with the message??

That depends.

> Can someone please help clear up these topics or quide me towards some

> reading material that will.

Please read the introductory links first, I gave you.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

Similar Threads	Posted
X.509 Digital Certificate Newbie Question	April 12, 2005, 3:55 am
X.509 Digital Certificates	March 7, 2005, 8:56 pm
Digital Machine Certificate - Win XP Pro SP1	May 12, 2004, 1:43 pm
Digital Signature Software	January 4, 2005, 9:25 am
Repository for digital certificates	June 3, 2005, 1:50 pm
Discussion Regarding Digital Signatures	August 1, 2007, 1:12 pm
XML digital Signature Processing	December 10, 2007, 6:04 am
Digital Certificate Expiration Utility	August 14, 2004, 7:53 pm
Fears raised over digital rights...	January 17, 2006, 1:47 am
Digital Mechanical Lock Unsafe	February 11, 2007, 11:31 pm

The site map in XML format XML site map