Kuro5hin.org: technology and culture, from the trenches
Digital Signatures, a brief explanation

By Neuromancer in Culture
Fri Jun 30, 2000 at 03:52:45 PM EST
Tags: Security

With the question as to what a digital signature is posted under the submission about the legality of digital signatures in Ireland, I thought that I would compose a brief explanation of what they are. (At least until I need to get some work done.)

If you are interested in a brief introductory explanation, please read on. This is not intended to be perfect or faultless, just a low enough level explanation that someone unfamiliar with encryption technology can understand it.


First, to understand what a digital signature is, you have to understand what a hash function is. A hash function is a function that is run on data, and returns different data. That is about the best way to describe it. A one way hash is a function that, once run, cannot be worked backwards to get the data back in its original form. In digital signatures, there are 2 hashes run. The first condenses the document being signed into a much shorter form, in order to save space. This is not a compression; the data cannot be restored. This is just making data that can be linked to the original in some way, and that takes up less space. Next, the condensed form is encrypted, using the private key from a method of public key encryption.

What is public key encryption, you may ask? Public key encryption is a form of encryption in which there are 2 keys (usually). One key is private, the other is public. Files encrypted using one key can only be decrypted using the other. The keys are interchangeable, i.e., you can say, this one is my public key, and this one is my private key.

The advantage to this is that you do not have to protect the public key. You can post it on the web, and there is no (easy) way to figure out what your private key is in this process. This has to do with the keys being generated by a function involving a number that is the product of 2 large prime numbers. Factoring the product of 2 large primes is what in math is referred to as a "hard problem," or one that it is impossible to quickly solve (as far as we know).

On to the fun part. Now, your document has a digital signature on it (remember, we condensed and encrypted it). Anybody that it is being sent to, or that wishes to verify that you signed it needs to do the following things. First, decrypt the signature. This is easy, (remember, they can decrypt things encrypted with your private key by using your public key). Next, they take the original, and run the same condensing function on it. If the 2 condensed versions are the same, you have a validly signed document that is now legally binding in Ireland.
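
The sign-and-verify steps described above, as an added example (not code from the original article). It uses textbook RSA with a toy key built from two well-known Mersenne primes and SHA-256 as the condensing function; the key, the hash choice and all names are assumptions made for illustration.

```python
import hashlib

# Toy key (constructed for this example): two well-known Mersenne primes.
# Anyone can factor N, so this key is NOT secure. Real keys use large
# random primes and a padding scheme (e.g. RSASSA-PSS), not a bare hash.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                             # public modulus
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Condense the document into a fixed-size number (one-way)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer: transform the digest with the private key (D, N)."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Verifier: undo the signature with the public key (E, N) and
    compare the result with a freshly computed digest."""
    if not 0 <= signature < N:        # reject out-of-range values
        return False
    return pow(signature, E, N) == digest(document)


if __name__ == "__main__":
    contract = b"I agree to pay 100 punts."      # constructed sample
    altered = b"I agree to pay 100000 punts."    # constructed sample
    sig = sign(contract)
    print("original document verifies:", verify(contract, sig))
    # The signature is bound to the digest of one document, so pasting
    # it under different text makes the comparison fail.
    print("same signature, altered text:", verify(altered, sig))
```
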

Hope you all learned something, here are a few links to get you started if you want to learn more.

PGP FAQ
PGP is a popular form of encryption. It is public key encryption and can be used to create digital signatures.

Everything's node on the subject

Have fun.

Digital Signatures, a brief explanation | 24 comments (12 topical, 12 editorial, 0 hidden)
(none / 0) (#10)
by Louis_Wu on Fri Jun 30, 2000 at 01:15:43 PM EST

What public key encryption is there besides PGP/GPG? I have PGP, but I'm interested in learning about other kinds/methods. Neuromancer says that public key pairs can be interchanged. I didn't know this, I haven't heard of this in the last four years, and I'm wondering if it's always true (or just with some methods) and what aspects of public keys allow them to be interchanged. (BTW, I am not thinking that a key you've released to the public can be magically interchanged with the private key, I'm just wondering if there are any differences between the two keys. I thought that there were significant differences in the creation of the two keys.)

Louis_Wu
"The power to tax is the power to destroy."
John Marshal, first Chief Justice of the U.S. Supreme Court
I didn't mean to be misleading (none / 0) (#13)
by Neuromancer on Fri Jun 30, 2000 at 03:33:09 PM EST

With some encryption schemes, you can do that; in most implementations of PGP, the key generator does all of the picking and choosing for you. The final resulting private key is also encrypted in order to protect it on your hard drive.

[ Parent ]
how do these laws (none / 0) (#14)
by tacklebeth on Fri Jun 30, 2000 at 04:20:20 PM EST

How do these laws ensure who the digital signature belongs to in real life? I can steal a credit card and ss# of someone and pretend to be them and create a digital signature as them. If I sign something (handwritten) as them, if found out, the real person can just sign and a handwriting expert can tell the two apart. I.e., not everyone has a digital signature to compare against if fraud has taken place. Tackle

Re: how do these laws (none / 0) (#15)
by Nater on Fri Jun 30, 2000 at 07:14:06 PM EST

The major issue here is that an ink sig is tied to the individual by way of the fact that each individual has a unique style of writing. Digital data is not tied to its user in this way unless biometrics are used.

I think ultimately that some sort of biometric private key will be necessary for a legal dig sig. Even this has its problems, but then again my boss signs his wife's name on my paycheck without any trouble. The problem is then reduced from "who can conceivably access your private key" to "who can conceivably access your private biometric data". And that restricts the cast of suspects to those in your physical vicinity who might be able to capture that data.

i heard someone suggest that we should help the US, just like they helped us in WWII. By waiting three years, then going over there, flashing our money around, shagging all the women and acting like we owned the place. --Seen in #tron


[ Parent ]
I just don't know (none / 0) (#16)
by FlinkDelDinky on Sat Jul 01, 2000 at 03:38:34 AM EST

I'm not entirely comfortable with this...

First off, with all the theories of the (supposedly) up and coming quantum machines, then I think reading encrypted documents will be as easy as reading K5.

Second, if they somehow 'improve' this tech by tying it to your biology, I'm still worried. We just mapped the human genome and how far behind can clones be?

I can easily foresee the day when a mad scientist will use the above expensive and exotic technology to break into my bank account and steal all 60 of my dollars. Ummm, well, maybe not me, but Bill Gates better watch his ass on this one.

Re: I just don't know (none / 0) (#17)
by hypatia on Sat Jul 01, 2000 at 06:17:40 AM EST

Then I think reading encrypted documents will be as easy as reading K5.

It depends on how they're encrypted. I believe the RSA algorithm is vulnerable, as its hardness is based on the difficulty of factorising numbers with large prime factors (much harder than proving the primeness of a number) - difficulty being the time complexity of the problem.

Apparently the time complexity of factorisation is much improved using quantum computing techniques. At the very least, the lower bound on number-sizes that can't be broken in a 'reasonable' period of time will be much much larger.

However, that doesn't mean all encryption is insecure - I read (The Fabric of Reality by David Deutsch) that messages can be made perfectly unbreakable (in that the attempt destroys the message) using quantum techniques - although then they have to be transmitted using those techniques and the transmission might not be long range.

Can anyone post an explanation (I won't subject you to my high-school level physics)?



[ Parent ]
Re: I just don't know (none / 0) (#19)
by Anonymous Hero on Sat Jul 01, 2000 at 01:06:47 PM EST

"Quantum encryption" is not really encryption, it's just a way of verifying that a communications line is not being tapped. If you're running a direct fibre to the person you're talking to, it can work, if you're communicating over the public Internet, forget it. However, symmetric encryption is not broken by quantum computers according to Bruce Schneier--they can only have the effect of halving the number of bits, so with 256-bit encryption you're okay. Public key algorithms are trickier, but I've heard that NTRU (check Google) is resistant.

[ Parent ]
Re: I just don't know (none / 0) (#21)
by LordMcD on Sat Jul 01, 2000 at 05:42:09 PM EST

On Quantum Transmissions, simplified.

"Untappable" quantum communications are based upon Heisenberg's Uncertainty Principle (read The Physical Principles of the Quantum Theory - Heisenberg 1930), and the theories of Bohr, Einstein, and Schrödinger.

The idea, in layman's terms, is that one cannot definitively measure quantum objects - any such measurements are inherently uncertain. Imagine this: a snooper wants to measure the relative position and wavelength of a photon (light particle) in a fiber-optic line, which represents one of the bits in your email transmission across the line. One must observe such a particle indirectly. To literally "see" a particle we measure - with our eyes or instruments - how photons are reflected back from the particle in question. By measuring their speed, position, and wavelength, we can infer the analogous qualities of our target.

The kicker comes when we realize that by observing a particle (particularly a quantumly-excited one), we necessarily change the characteristics of that particle. We can observe the speed, position, or wavelength of a particle by bouncing a photon off of it, but at the next instant, after the collision, the trajectory and wavelength of the particle are different, and the original information is LOST. (We cannot ever know both the location and velocity of a particle.) The detector at the other end of the fiber-optic line will notice that someone has attempted to observe the data en route (Man-in-the-Middle attack), and act accordingly - by sending another request using a new encryption key, etc. Of course, implementing such a system is currently limited to very short distances (meters, perhaps?).

Quantum computing works on other principles that I am less familiar with, but certain kinds of mathematical problems will be made much simpler with the quantum computers - problems which include prime factorization, a process which is integral to breaking many modern forms of encryption.

[ Parent ]

DIY (3.00 / 1) (#18)
by Coram on Sat Jul 01, 2000 at 12:47:22 PM EST

Uuuh.. I strenuously suggest that anyone considering accepting the spoonfed explanation above read up on public key encryption.

It sounds like the author is confusing symmetric key encryption with public key encryption. Google is your friend; for those seeking a quick databurn there's an appropriate link below.

http://developer.netscape.com/docs/manuals/security/pkin/contents.htm

--
judo ergo sum
Re: DIY (none / 0) (#20)
by Anonymous Hero on Sat Jul 01, 2000 at 01:15:52 PM EST

I don't see your objection. I've read my Schneier, and he seems to have it dead on. Nothing he said relates to symmetric encryption.

You may be thinking of the fact that generally we use symmetric to encrypt, because it's faster, and asymmetric to exchange. But for signatures, it's fine to just use your private key to encrypt the hash of your document. Anyone with the public key can decrypt the hash, compare to their own hash of the document, and if they match your signature is verified. Pretty simple.

Incidentally, it's important always to encrypt the hashes, not the documents themselves, with your private key. This counteracts a potential vulnerability in RSA--see Schneier if you need details.

[ Parent ]

Can't someone just copy it? (none / 0) (#23)
by speek on Mon Jul 03, 2000 at 04:46:20 PM EST

Why can't someone just copy my signature and then use it themselves to sign something?

If I sign an email, and send to someone, can't they simply copy and paste it and send it to somebody else, pretending to be me? If that other person uses the public key to decrypt it, and then hashes the original, it seems like it'll work. Is there another step going on that wasn't explained?

--
al queda is kicking themsleves for not knowing about the levees

Hashing (none / 0) (#24)
by Neuromancer on Mon Jul 17, 2000 at 01:43:46 PM EST

The hash can't be used to recover the private key. The hash is made up of the file, and then encrypted with the key. Because the signature is made from the hash, the signature will be unique for each file.

[ Parent ]