Here's a small section:
Digital signatures are used to cryptographically sign documents. Digital signatures provide nonrepudiation, which includes authentication of the identity of the signer, and proof of the document’s integrity (proving the document did not change). This means the sender cannot later deny (or repudiate) signing the document.
Roy wants to send a digitally signed email to Rick. Roy writes the email, which is the plaintext. He then uses the SHA-1 hash function to generate a hash value of the plaintext. He then creates the digital signature by encrypting the hash with his RSA private key. Figure 4.13 shows this process. Roy then attaches the signature to his plaintext email and hits send.
Rick receives Roy’s email and generates his own SHA-1 hash value of the plaintext email. Rick then decrypts the digital signature with Roy’s RSA public key, recovering the SHA-1 hash Roy generated. Rick then compares his SHA-1 hash with Roy’s. Figure 4.14 shows this process.
Figure 4.14, verifying a digital signature
If the two hashes match, Rick knows a number of things:
- Roy must have sent the email (only Roy knows his private key). This authenticates Roy as the sender.
- The email did not change. This proves the integrity of the email.
If the hashes match, Roy cannot later deny having signed the email. This is nonrepudiation. If the hashes do not match, Rick knows that either Roy did not send the email or its integrity was violated.
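The exchange between Roy and Rick, as an added Python example that is not from the original text: textbook RSA applied to a SHA-1 hash, with no padding. The toy key built from two small Mersenne primes, the sample email and the impostor key are constructed for illustration; production signatures use a padding scheme such as RSASSA-PSS, a key of 2048 bits or more, and SHA-256 rather than SHA-1.

```python
import hashlib

def make_key(p: int, q: int, e: int = 65537):
    """Build a toy RSA key (n, e, d) from two primes. Illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return n, e, d

def sha1_int(message: bytes) -> int:
    """SHA-1 hash of the plaintext as an integer (160 bits)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message: bytes, d: int, n: int) -> int:
    """Roy: hash the plaintext, then apply his RSA private key to the hash."""
    return pow(sha1_int(message), d, n)

def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Rick: recover Roy's hash with Roy's public key, compare with his own."""
    if not 0 <= signature < n:
        return False
    recovered_hash = pow(signature, e, n)
    return recovered_hash == sha1_int(message)

# Constructed keys: the moduli (196 and 188 bits) only need to exceed 160 bits
# so the SHA-1 value fits. Far too small for real use.
ROY_N, ROY_E, ROY_D = make_key(2**89 - 1, 2**107 - 1)
IMP_N, IMP_E, IMP_D = make_key(2**61 - 1, 2**127 - 1)   # hypothetical impostor

def demo():
    email = b"Rick, the meeting moved to 3pm. -- Roy"    # constructed sample
    signature = sign(email, ROY_D, ROY_N)

    # Case 1: untouched email, Roy's signature -> hashes match.
    genuine = verify(email, signature, ROY_E, ROY_N)

    # Case 2: email altered in transit -> Rick's hash differs from Roy's.
    tampered = verify(email.replace(b"3pm", b"5pm"), signature, ROY_E, ROY_N)

    # Case 3: signed with a different private key -> Roy's public key
    # recovers a value that is not the hash of the email.
    forged_sig = sign(email, IMP_D, IMP_N)
    forged = verify(email, forged_sig, ROY_E, ROY_N)

    return genuine, tampered, forged

if __name__ == "__main__":
    print(demo())
```

The second and third cases correspond to the two failure explanations in the text: the email's integrity was violated, or Roy did not send it. Rick cannot tell which from the mismatch alone.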
I took many of the photos from this chapter at the National Cryptologic Museum in Fort Meade, Maryland. I highly recommend this museum, for old and young cryptographers alike.