How Digital Signatures Work

Digital signatures are used anywhere you might need to prove that you are communicating with the individual, organisation or service that you expect to be. This might be through digitally 'signing' an email or providing 'signed' software to end users to prove that it's legitimate but the most common use we're all familiar with is the use of HTTPS in browsers.

Secure web browsing relies on Public Key Cryptography and the concept of Digital Signatures to create what is known as a Certificate. I talk about Certificates more in my post about how to create certificates but for now let's look at how Digital Signatures work.

What is Hashing?

Creating a digital signature relies on a concept called 'hashing'. A hash function takes any input data, processes it and produces an output that doesn't contain the original plaintext but is directly linked to it.

An important distinction to make is that a hash isn't encryption, the output may look like encrypted text but it's a one-way process. If you put the same data into a hash function you'll always get the same data back out, but it's impossible to calculate the original data from the hash. There are lots of different hashing algorithms available, from older ones like MD5 and SHA1 which are not considered sufficient today to more modern algorithms include SHA-256 and Keccak.

To give you an example, if I generate a hash of the text "PrivateKey.dev" using SHA-256 I get the following:

93b7c3a1a5baccff0f3825e8595805d84a3fed83d3d5725ce7fbb639e04c0cac

However, if I change that to lower case "privatekey.dev" I get this:

bdbd349579342a66548ed266294c3cf5317b0e912d9913ddc6db71344149a885

And if I hash the first five paragraphs of this blog post I get this:

5914d2534652ea0378113578ee5f1ff0104a4767a6ac0538e7ed9a168750f45f

As you can see, it doesn't matter what the length of the input text is, the output is the same fixed length even if you hash a whole novel. Crucially, however if you change just one character out of the whole book you'd get a completely different hash value.

Creating a Digital Signature

Imaging the scenario where you need to communicate with someone, and it's important to verify that you're communicating with the right person. Public Key cryptography can be used together with hashing to do so, even if you don't need to encrypt the whole message:

  • Alice wants to send a message to Bob, but needs Bob to be sure that the message came from Alice.
  • Alice hashes her message and encrypts the hash with her private key, this creates the 'digital signature'.
  • Alice sends the message and the digital signature to Bob
  • Bob receives the message, then decrypts the signature using Alice's public key.
  • Bob performs his own hash of the document and it matches Alice's hash, proving that the message came from Bob.

So, the concept of a Digital Signature it's really just a combination of hashing and public key cryptography. The two concepts can also be combined to create an encrypted message with a digital signature too.

That's the thing with cryptography, the concepts behind it are often simple, elegant and make sense. The other thing about cryptography is that despite the elegance, it's extremely hard to do it well, hence the common warning "don't roll your own crypto".