Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > Which private keys and public keys can create a digital signature?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Which private keys and public keys can create a digital signature?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 23 February 2007
I want to use public key X.509 certificates for digital signatures, and then have each verified with the user's private key. Can I use a sender's private key and receiver's public key for the digital signature?

>
First, let's review what a digital signature is and how it works. A digital signature is the virtual equivalent of a written signature. The purpose of a digital signature, like its physical counterpart, is to verify the authenticity of a document; it verifies that the sender is who he or she claims to be.

Supposedly, everyone's handwritten signature is unique; so when someone signs a paper document, the signature verifies the signer. But how do you "sign" an electronic document? That's where a digital signature comes in.

Digital signatures use asymmetric or public key encryptions to create their signatures. A public key encryption involves a key pair: one public and one private. The two keys are mathematically related but can't be generated from each other. The public key, as the name implies, is openly available to anyone who wants it. It can be posted to a public key server, as in a public key infrastructure (PKI) system. The private key, on the other hand, is kept on its owner's system, never to be transmitted publicly.

The sender of an electronic document uses their private key to encrypt that document; this is the digital signature. The receiver then decrypts the signature with the public key to verify that it matches the attachment. Private keys are specifically assigned and unique to each user, providing verified authenticity to the sender's message.

Public key encryption is quite slow. In practice, instead of encrypting the entire message to create the signature, messages are hashed and then encrypted with the private key. Since hashes are the same size regardless of the length of the original message, performance isn't affected.

There is one problem though -- verifying the public key. The X.509 certificates you describe are part of a PKI system that issues digital certificates to confirm public keys. Digital certificates are issued by trusted third parties called certificate authorities (CA), such as Verisign, which verifiy an applicant's identity before issuing a digital certificate.

Only the sender's private key can be used for creating the digital signature. The corresponding public key -- verified with the certificate -- is used to confirm the digital signature. The recipient can only use his or her key if he or she is encrypting the message. Affirming the message is done solely with the sender's public key.

For more information:

  • Be aware of the expiration date when choosing a digital certificate.
  • Learn the best methods for successfully unlocking encryption keys.


    • BROWSE BY TAG
    Identity Management and Access Control,   PKI and Digital Certificates,   Enterprise Identity and Access Management,   User Authentication Services,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key
    Can any firm or organization get a digital signature certificate?
    Should the CTO have domain administrator access?

    PKI and Digital Certificates
    Best Authentication Products
    DoD urges less network anonymity, more PKI use
    Researchers to demonstrate new EV SSL man-in-the-middle hacks
    Portable security storage device could replace OTP devices
    What is most misunderstood about EV SSL certificates?
    VeriSign addresses MD5 flaw
    Rogue digital certificates strike blow to Internet security
    Can any firm or organization get a digital signature certificate?
    How to obtain a digital certificate for a server
    PKI and digital certificates: Security, authentication and implementation
    PKI and Digital Certificates Research

    Expert Archive: Identity Management and Access Control
    Enterprise password management policy: Finding the balance
    How to conduct a periodic user access review for account privileges
    Options for a mechanical door security system on a server room door
    Comparing access control mechanisms and identity management techniques
    User provisioning and SSO for PeopleSoft- and Unix-based products
    Could someone place a rootkit on an internal network through a router?
    Should a new user have to confirm an email address to gain access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token and a vendor?
    Using batch files for temporary user access to the local admin group

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    authentication server  (SearchSecurity.com)
    Certificate Revocation List  (SearchSecurity.com)
    Digital Signature Standard  (SearchSecurity.com)
    HDCP  (SearchSecurity.com)
    MD2  (SearchSecurity.com)
    MD4  (SearchSecurity.com)
    MD5  (SearchSecurity.com)
    nonrepudiation  (SearchSecurity.com)
    PKI  (SearchSecurity.com)
    public key  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts