Ask the Expert

The difference between a digital signature and digital certificate

Aren't digital certificates and digital signatures two different things? Self-signed digital certificates cannot be non-repudiated, right? My thinking is that XML signatures and digital signatures are a security level above basic certificate-based authentication. Is this correct?

    Requires Free Membership to View

Yes, digital certificates and digital signatures are quite different. Digital certificates are used to verify the trustworthiness of a website, while digital signatures are used to verify the trustworthiness of information. In the case of digital certificates, an organization may only trust a site if the digital certificates are issued by the organization itself or by a trusted certification source, like Verisign Inc. But, this doesn't necessarily mean that the content of the site can be trusted; a trusted site may be infiltrated by a hacker who modifies the site's content.

Digital signatures create a check-sum for the information within an object so the recipient can verify that the content was received unaltered. For example, if you were to send a signed Microsoft Word attachment in an email, and a man-in-the-middle attack occurred in which a hacker somehow got a hold of the attachment in transit, and inserted a malicious piece of code, when the recipient's application examined the attachment before opening it, the content check-sum would not match the altered Word attachment and it would alert the recipient that the content was modified in some way from the original.

Something else to consider: Organizations using digital certificates don't require a relationship with the remote site; they just need the ability to identify which digital certificate authority was used by the site to validate it. However, in the case of digital signatures, the recipient must have a relationship with the sender or hosting site. This relationship is needed to establish where and how the check-sum information will be sent, preferably through a communication channel other than the one used for transportation of the content, in order to reduce the chance of modification. You don't want a hacker to have the ability to modify both the content and the digital signature check-sum. In an un-trusted environment, such as business-to-business (B2B) dealings over the Internet, ideally you would connect to a site using a trusted digital certificate where any content available for transfer was digitally signed to ensure it was unaltered.

This was first published in April 2010

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: