"Matt" <firstname.lastname@example.org> writes:
> I'm currently studing for the Security+ exam and the Sybex book I'm
> reading really does't fill in the gaps with cryptography. I have read
> articles on the web and other chapters from different books.
> Can someone please explain Digital signatures to me? I understand that
> they are used to validate who a person is. I don't understand how they
> are created and what key is used to encrpyt them, etc.. Really couldn't
> find to much more info on them.
> Also is there a difference between a cipher and a hash? Is ciphertext
> the same thing as a message digest? When you do use a cipher or hash
> does the other side needs to know what algorithm you used? Is this sent
> with the message??
> Can someone please help clear up these topics or quide me towards some
> reading material that will.
nist has secure hash standard .... basically computes a short-hand
representation of a document. http://csrc.nist.gov/cryptval/shs.htm
and the digital signature standard http://csrc.nist.gov/cryptval/dss.htm
the basic technology is asymmetric (key) cryptography; what one key
(of a key-pair) encodes, the other key (of the key-pair) decodes
(differentiates from symmetric key cryptography where the same key is
used for both encryption and decryption.
a business process is defined called public key; where one key is
designated as "public" and freely distributed and the other key is
designated as "private" and kept confidential and never divulated.
there is a business process called digital signature. somebody
computes the hash of a message/document and encodes the hash with
their private key to create a digital signature ... and then transmits
the message/document along with its digital signature.
the recipient recomputes the hash of the document, decodes the digital
signature with the appropriate public key and compares the two
hashes. if the two hashes are the same, then the recipient can
1) the document hasn't been modified since the digital signature
2) "something you have" authentication ... aka that the originator
has access to and use of the corresponding private key.
from 3-factor authentication model http://www.garlic.com/~lynn/subpubkey.html#3factor
* something you have
* something you know
* something you are
given that the key designated "private" is appropriately guarded, kept
confidential and never divulated ... then a digital signature
validated with the corresponding "public" key would only have
originating from the designated "private" key owner.
to further increase the integrity of digital signature operations,
hardware tokens can be used, where a public/private key pair is
generated inside the token, the public key is exported, and the
private key is never revealted. the hardware token is required to
perform digital signature operations (further strengthening the
integrity of the "something you have" authentication operation).
a straight-forward deployment is to take something like RADIUS ... http://www.garlic.com/~lynn/subpubkey.html#radius
which is used by the majority of the world-wide ISPs for dial-up
customer authentication ... typically using password ... and
replace the registration of a shared-secret password http://www.garlic.com/~lynn/subpubkey.html#secret
with a public key. Then instead of using password authentication,
where the client transmits the passowrd ... the client instead
computes a digital signature (using a defined message and the
corresponding private key). The server then validates the digital
signature with the registered public key (for "something you have"
authentication, in place of the password, shared-secret, "something
you know" authentication).
there was a business process created called PKI involving
certification authorities and digital certificates to address the
first time communication between strangers for the offline email
environment of the 80s (somewhat analogous to the "letters of credit"
from the sailing ship days). THe scenario involves somebody dialing up
their local (electronic) post office, exchanging email, and hanging
up. They then may be faced with handling first-time email from a
straonger ... having no local information about the person originating
the email and/or having any online access to authoritative source for
obtaining information about the originator.
A more detailed description of that scenario http://www.garlic.com/~lynn/2005p.html#32
PKI Certificate question
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/