Free Monthly Newsletter...and much more!

5 Star Support - Free Computer Help and Technical Support

 

.
 
Google

 

What Is A Digital Signature

09/16/07

Posted by Dave
5 Star Support Security Specialist

I have been asked a number of times "just what is a digital signature anyway". Lets talk about this so you will understand what a digital signature is, what it does, and why it is important.

Before beginning, let me say that the creation and use of digital signatures involves the use of third party software and the process can be a bit tedious and complex. For these reasons, I do not recommend this process for average personal email that most of you use, but it is still important that you understand what a digital signature really is as well as how it is created and used.

First, a digital signature is a way to verify that an email message is really from the person who is supposed to have sent it and that it has not been changed. You may have received emails in the past that have a block of letters and numbers at the bottom of the message and there is usually the statement "Digital Signature" directly above that block. Many people dismiss this block as a bunch of garbage that nobody can understand anyway. Not true. Although it may look like useless text or an error from your browser or email client, this block is actually a digital signature. To generate a signature, a mathematical algorithm is used to combine the information in a key with the information in the message. The result is the random-looking string of letters and numbers that you see.

Because hackers, attackers and malware of many kinds (viruses, worms, trojans) can spoof email addresses, it can become difficult to identify and/or confirm the legitimacy of an email message. Authenticity of a message can be especially important for business correspondence especially if you are relying on someone to provide or verify information. You want to be sure that the information is coming from toe correct source. A properly digitally signed message also indicates that the message has not been tampered with and changes have not been made to the content since the message was sent. Any tampering or changes of any kind would cause the signature to break, and the breaks or spaces would be quite evident to the recipient.

Before discussing how this all works, it is first important that you understand some terms:

Keys-

Keys are used to create digital signatures. For every signature, there is both a public key and a private key.

Private Key The private key is the portion of the key you use to actually sign an email message. This private key is protected by a password, and it should never be shared with anyone.

Public Key The public key is the portion of the key that is available to other people. The public key can be uploaded to a public key ring or sent to someone, and is the key that other people can use to check your signature against. A list of other people who have signed your key is also included with your public key. You will only be able to see their identities if you already have their public keys on your key ring.

Key Ring A key ring contains public keys. You have a key ring containing the keys of people who have sent you their keys, or keys you have obtained from a public key server. A public key server contains the keys of people who have chosen to upload their keys to be publicly available.

Fingerprint When confirming a key, you are actually confirming the unique series of letters and numbers that comprise or make up the fingerprint of the key. The fingerprint is a different series of letters and numbers than the block of letters and numbers that appear at the bottom of a digitally signed email message.

Key Certificates When you select a key on a key ring, you will usually see the key certificate that contains information about the key, such as the key owner, the date the key was created, and the date the key will expire.

Web Of Trust When someone signs your key, they are confirming that the key actually belongs to you. The more signatures you collect, the stronger your key becomes. If someone sees that others that the viewer can trust have signed your key, your key will be more inclined to be trusted as well. By the way, just because others have signed a key does not mean you should automatically trust it as well. Always verify the fingerprint for yourself.

There is a process for creating, obtaining and using keys for digital signatures:

1. Generate a key using software such as PGP (Pretty Good Privacy) or GnuPG (GNU Privacy Guard).
2. Increase the authenticity of your key by having your key signed by co-workers or others that also have keys. By signing your key, they will confirm that the key you sent to them actually belongs to you. By doing this, they verify your identity and indicate trust in your key.
3. Upload your key to a public key ring so that if someone receives a message with your digital signature they can verify it.
4. Digitally sign your outgoing email messages. Most email client programs have a feature to easily add your signature automatically to all outgoing messages.

Please also note that use of the above two mentioned programs would also allow you to encrypt email or other files. This is good for very sensitive information that you cannot afford to have anyone else but the intended recipient see, but it is really not necessary for the average email correspondence. File encryption can become complicated for the average user and can significantly increase the time and methods needed to save and retrieve your files, especially if you choose to encrypt an entire drive.

By now you should hopefully have a basic understanding of digital signatures, how they are created, and how they work.

Until next time here on 5 Star Support, happy computing!

Dave

[
Top]

 
 
 

   Site Map  | About 5 Star Support  | Links | Comments
    Privacy Policy  | Terms of Use  | Newsletter Archive  | Awards
Usage of this site constitutes acceptance of our Terms of Use
Copyright 2000-2014  5 Star Support All rights reserved.