Digital Signature in Simple Terms

A key function of digital singatures is to ensure that the sender of a message is who he claims to be. In this post we will go in a step by step manner and cover the concepts behind digital certificates in simple terms.

Consider two people named Alice and Bob sitting in front of their computers.



Alice wants to send a message to Bob. Our only task in this post is to ensure that when Bob receives the message, he is sure that it came from Alice. We are not concerned about encrypting the data itself.

Cryptography Basics

Encryption is a function which has following inputs and outputs:
Inputs: plain text, key
Output: cipher text
Plain text is what we can read and understand while cipher text is mangled up form of plain text that we cannot read and understand. Decryption is reverse of encryption. Its inputs and outputs are given below.
Inputs: cipher text, key
Output: plain text

Based upon the key, there are two types of cryptography: symmetric and asymmetric. Symmetric cryptography uses the same key for both encryption function and decryption function. Asymmetric cryptography uses different keys for encryption and decryption. We are interested in asymmetric cryptography, specifically its sub-type called public key cryptography.

In public key cryptography the encryption and decryption keys form a pair called public-private keys. Every participant in a communication network is given this pair of keys, one public which is known to every participant in the network and one private which is known only to the particpant to whom it belongs. In our case, Alice will have her pair of public and private keys and Bob will have his pair of public and private keys. Alice’s and Bob’s public keys will be known to both while private keys will only be known to their respective owners.

Public Key Cryptography

Public Key Cryptography

The distinguishing feature of public key cryptography is this: a message encrypted using private key of a person can only be decrypted using public key of that person and a message encrypted using public key of a person can only be decrypted using private key of that person.

Next in cryptography basics, we’ll take a quick look at hash functions. Hash functions can have different inputs but we will concern ourselves with following inputs and outputs:
Inputs: variable length message
Output: fixed length code called hash code or just hash
No matter what the size of the variable length message, the hash will always be of fixed length. Two properties of a hash function are:
– There is a very little chance that it will generate the same hash code for two different messages.
– It is impractical to find the input message, given a hash code. That is, hash function is a one-way function.

That’s it for the basics.

Message Digest and Digital Signature

Let’s go back to our original task which is to ensure Bob that a message sent from Alice is actually from Alice and not from a malicious intruder. We will do this by digital signature and use message digest to achieve the digital signature.

Digital signature means that the message is actually from the sender that it claims to come from. Digital signature is a concept and message digest is a way to implement digital signature. So understanding message digest means understanding implementation of digital signature. Message digest is encrypted hash of a message. This is how you create a message digest:

1. Take the message and generate a hash code.
2. Encrypt it using sender’s private key.

Processing on Alice's side

Processing on Alice’s side

Message digest is the digital signature. It is sent along with the message. Following steps describe how the receiver uses message digest to verify that the sender is who the message claims to come from.

1. Use the sender’s public key to decrypt message digest and obtain hash code of the message.
2. Generate hash code of the message.
3. Compare the two hash codes in steps 1 and 2 above.

Processing on Bob's side

Processing on Bob’s side

If the two hash codes are same then it means that the sender is who the message claims to be, otherwise not. Why? Because only the sender knows his private key and only that sender’s public key can correctly decrypt the message digest. The fact that two hash codes match confirms that the decryption was indeed correct. Hence the public key was the right one to use. Since public key belongs to the sender that the message claims to come from, it must be the actual sender of the message.

In our example, Alice will create hash H of the message and then encrypt it using her private key. Then she will send the message over to Bob. Bob will decrypt message digest using Alice’s public key. Then he will compute hash of message and compare the two hashes to make sure they are equal.