[IP] How a Digital Signature Works
Begin forwarded message:
From: "R. A. Hettinga" <rah@xxxxxxxxxxxxxx>
Date: August 10, 2004 7:34:48 AM EDT
To: cryptography@xxxxxxxxxxxx
Subject: How a Digital Signature Works
<http://www.businessweek.com/print/technology/content/aug2004/tc20040810_3053_tc024.htm?tc>
Business Week
AUGUST 10, 2004
NEWS ANALYSIS: TECH
By Stephen H. Wildstrom
How a Digital Signature Works
Microsoft's new Service Pack makes life tough for programs lacking the
proper electronic credentials. Here's why
A technology called public key cryptography makes it possible for you to make sure that the publisher of any piece of software that claims to be from Microsoft (MSFT) or any other publisher really came from there. It has the added benefit of insuring that the contents weren't maliciously altered or damaged in transmission. Here's how it works:
The publisher first has to obtain a digital certificate from a recognized "certificate authority" or CA (VeriSign (VRSN) is the largest and best known CA in the U.S.). The publisher receives a private and a public key, each of which is a long number of about 300 digits. These are used to create a digital signature for each program (see BW Online, 8/10/04, "Windows of Vulnerability No More?").
When the software is ready to be posted for download, the publisher runs it through a mathematical process called a one-way hash which reduces it to a long number called the message digest. The message digest is then encrypted using the publisher's private key, and the result, which looks like a string of gibberish when displayed, is appended to the program when it's downloaded.
HASH SLINGING. The trick of public key encryption -- the best known approach is called RSA for the initials of its inventors -- is that one key can be used to scramble the data while a different, mathematically related, key is used to unscramble it. When you download a digitally signed program, the first thing your computer does is check the Web site's digital certificate. It then queries the CA that issues the certificate to make sure it's still valid and to obtain the public key.
When the download is complete, your computer uses the public key to decrypt the message digest. It also runs the same one-way hash procedure on the downloaded software. If everything is as it should be, the decrypted message digest and the one just created should be identical. If they differ by a single bit, something is wrong and the downloaded software will be rejected.
For the curious, here's the message digest of the five paragraphs above
(as plain text), created using the MD5 algorithm from RSA Data Security
Inc: c21196eb8e026d47a67883d746c72c8d.
Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash Product Reviews, only at BusinessWeek Online
--
-----------------
R. A. Hettinga <mailto: rah@xxxxxxxx>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
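Added example, not part of the forwarded article: the hash-then-sign and verify steps it describes, written as RSA with PKCS #1 v1.5 padding using only the Python standard library. Assumptions: SHA-256 stands in for the article's MD5 (MD5 is no longer collision-resistant), the key is a constructed toy built from two Mersenne primes, and the names `encode_digest`, `sign` and `verify` are illustrative.

```python
import hashlib
import hmac

# Constructed toy key: two Mersenne primes, so the block runs offline with no
# key-generation step. Never use structured primes like these for a real key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8        # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (PKCS #1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(data: bytes) -> bytes:
    """Hash the data and pad the digest to the modulus length (EMSA-PKCS1-v1_5)."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(data: bytes) -> bytes:
    """Publisher side: transform the padded digest with the private exponent."""
    m = int.from_bytes(encode_digest(data), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify(data: bytes, signature: bytes) -> bool:
    """Downloader side: recover the padded digest with the public key, compare."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:                       # not a valid residue for this modulus
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Re-hash the received bytes and compare the whole padded block, so any
    # change to the data, the digest or the padding is rejected.
    return hmac.compare_digest(recovered, encode_digest(data))


if __name__ == "__main__":
    program = b"constructed sample installer bytes"
    sig = sign(program)
    flipped = bytes([program[0] ^ 0x01]) + program[1:]   # one bit changed
    print(verify(program, sig), verify(flipped, sig))
```

The verifier compares the full padded block rather than parsing the digest out of it, which avoids the lenient-parsing mistakes that have affected PKCS #1 v1.5 verifiers.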