Digital Signature: Ensuring Authenticity Over the Internet
Have you ever wondered how we ensure authenticity over the vulnerable internet?
Suppose you receive an email asking you to follow a link to subscribe to a service. How can you be sure it’s from a legitimate source? This is where digital signatures come in — just like traditional handwritten signatures, they help verify authenticity.
A digital signature is an electronic, encrypted stamp of authentication on digital information such as emails, electronic documents, and more.
Key Benefits of Digital Signatures:
- Authenticity: When a document is digitally signed, it ensures that it is coming from the correct source.
- Integrity: A digital signature guarantees integrity by creating a unique cryptographic “fingerprint” of a message using the sender’s private key. Even a minor change in the document will invalidate the signature, thereby maintaining integrity.
- Non-repudiation: The sender cannot deny having sent the document since the digital signature uniquely binds the sender to the message.
How Digital Signatures Work:
Digital signatures are based on public key cryptography, specifically asymmetric encryption. This involves two types of keys:
- Private Key — Used for signing a document.
- Public Key — Used for verifying the document.
Step-by-Step Process:
- Hashing the Document: The sender hashes the document using a cryptographic hash function (e.g., MD5 or SHA-256) to generate a unique, fixed-length value. This hash is irreversible, meaning it is impossible to reconstruct the original message from the hash.
- Digital Certificate Issuance: The sender’s public key is embedded in a digital certificate issued by a Certificate Authority (CA). This is a one-time process that occurs when the sender first registers.
- Sending the Message: The sender transmits the signed message to the receiver.
- Extracting the Public Key: The receiver retrieves the sender’s public key from the CA-authorized digital certificate.
- Recomputing the Hash: The receiver hashes the received message using the same hashing algorithm (e.g., MD5 or SHA-256).
- Verification: If the sender’s hash matches the receiver’s computed hash, the message is verified as legitimate and authentic.
Real-World Use Cases:
- Email Authentication: Ensures that emails are from trusted sources and have not been tampered with.
- Software Distribution: Verifies that software updates and downloads originate from legitimate sources and have not been altered.
- Financial Transactions: Provides security for banking transactions, ensuring they remain untampered and authentic.
- E-Governance (Aadhaar, Digital ID Verification, etc.): Used in national ID systems for secure authentication and document verification.
Digital signatures play a crucial role in ensuring trust, security, and authenticity in digital communications and transactions, making them an essential technology in today’s internet-driven world.
I have implemented how we can generate digital signature in NodeJS, have a look in below code.
first you need to generate public and private keys and then you can use private key to sign and public key to verify
openssl genpkey -algorithm RSA -out private.pem -aes256
openssl rsa -in private.pem -pubout -out public.pem
const crypto = require("crypto");
const fs = require("fs");
const message = "Saurav sharma signed article";
const privateKey = fs.readFile("private.pem", "utf8", (error, private) => {
if (error) {
console.log("SK@Error", error);
}
const sign = crypto.createSign("SHA256");
sign.update(message);
sign.end();
const signature = sign.sign(private, "base64");
//verifying the key
fs.readFile("public.pem", "utf8", (err, publicKey) => {
if (err) {
console.log("SK@ERR while verify", err);
}
const verify = crypto.createVerify("SHA256");
verify.update(message);
verify.end();
const isValid = verify.verify(publicKey, signature, "base64");
console.log("SK@", isValid); //output true
});
});
