5.5.2: Introduction to digital signatures

A digital signature is a number attached to a document. For example, in an authentication system that uses public-key encryption, digital signatures are used to sign certificates. This signature establishes two different things for you:
A digital signature is created in two steps. The first consists of distilling the document down into a large number. This number is the digest code or fingerprint. The digest code itself is then encrypted, resulting in the digital signature. The digital signature is appended to the document from which the digest code was generated.

There are several ways of generating the digest code--WebSphere Application Server supports the MD5 message digest function and the SHA1 secure hash algorithm--but all of them reduce a message to a number. This process is not encryption; rather, it is a sophisticated checksum. The message cannot be regenerated from the resulting digest code.

The crucial aspect of distilling the document down to a number is this: if the message is changed, even in a trivial way, a different digest code results. This means that when the recipient gets a message and verifies the digest code by recomputing it, any changes in the document will result in a mismatch between the stated and the computed digest codes. If a message is changed, the resulting digest code changes as well.

So far, there is nothing to stop someone from intercepting a message, changing it, recomputing the digest code, and retransmitting the modified message and code. We need a way to verify the digest code as well. This is done by reversing the use of the public and private keys. For private communication, it makes no sense to encrypt messages with your private key; these can be decrypted by anyone with your public key. But this technique can be useful for proving that a message must have come from you. No one else could have created it, since no one else has your private key. If some meaningful message results from decrypting a document by using someone's public key, it verifies the fact that the holder of the corresponding private key did, in fact, encrypt the message. The second step in creating a digital signature takes advantage of this reverse application of public and private keys.
After a digest code has been computed for a document, the digest code itself is encrypted with the sender's private key. The result is the digital signature, which is simply attached to the end of the message. When the message is received, the recipient follows these steps to verify the signature:
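The two-step process described above, and why a bare digest code is not enough, shown as an added example that is not part of the original page or of WebSphere Application Server. It assumes a constructed toy RSA key built from publicly known primes, unpadded RSA, and SHA-256 in place of the MD5 and SHA1 functions the page names; the function names and messages are hypothetical, and real systems use a padded signature scheme from a vetted library.

```python
import hashlib

# Constructed toy key (assumption): two well-known Mersenne primes.
# These primes are public knowledge, so this key protects nothing.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Step 1: distill the document down to a large number (the digest code)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Step 2: encrypt the digest code with the sender's private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Decrypt the signature with the public key, then compare it with a
    digest code recomputed from the message that was actually received."""
    return pow(signature, E, N) == digest(message)


def digest_only_check(message: bytes, stated_digest: int) -> bool:
    """The weak scheme: recompute the digest and compare with the stated one."""
    return digest(message) == stated_digest


def demo() -> dict:
    original = b"Pay Alice 100 dollars"     # constructed sample messages
    tampered = b"Pay Alice 900 dollars"
    signature = sign(original)
    return {
        # Whoever changes the message can recompute the digest, so it passes.
        "digest_only_accepts_tampered": digest_only_check(tampered, digest(tampered)),
        "signature_accepts_original": verify(original, signature),
        # Without the private key the old signature no longer matches.
        "signature_accepts_tampered": verify(tampered, signature),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```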