A digital signature is the electronic equivalent of a person's physical signature. It is also a guarantee that information has not been modified, as if it were protected by a tamper-proof seal that is broken if the contents were altered.
Digitally signed certificates verify the identity of an organization or individual. Signed certificates are widely used to authenticate a website and establish an encrypted connection for credit cards and confidential data (see digital certificate
Files of any kind can be signed; however, a common application is "code signing," which verifies the integrity of executables downloaded from the Internet. Code signing also uses certificates (see code signing
and digital certificate
An Encrypted Digest
A digital signature is actually an encrypted digest of the data being signed. The digest is computed from the contents of the file by a one-way hash function (see below) and then encrypted with the private key of the signer's public/private key pair. To prove that the file was not tampered with, the recipient uses the public key of the signer to decrypt the signature back into the original digest, recomputes a new digest from the transmitted file and compares the two to see if they match. If they do, the file has not been altered in transit by an attacker. See RSA
, public key cryptography
and electronic signature
An Encrypted Digest
A digital signature is an encrypted digest of a file. The digest was created with a one-way hash function from the file's contents.
With and Without Privacy
The following two diagrams show how digital signatures are used for data integrity in both non-private and private transmissions.
Message Integrity Without Privacy
The woman makes her message tamper proof by encrypting the digest into a "digital signature," which accompanies the message. At the receiving side, the man uses her public key to verify the signature. However, the message text is sent "in the clear" and could be read by an eavesdropper.
Message Integrity With Privacy
In this example, the message is both signed and transmitted in secret. The woman signs the message first and then entirely encrypts it before sending. The man decrypts the message first and then verifies the signature.