Digital signatures

A digital signature is information that is attached to data to assure the recipients of the data that it has not been altered and has originated from the signer of the message. Digital signatures perform an equivalent function to a handwritten signature on a paper document.

A digital signature consists of a message digest encrypted with the message sender's private key. The message digest, which is much shorter than the original message, is created from the message using a process known as hashing. It is not possible to reconstruct the original message from the message digest. The message, when combined with the signature, is a signed message.

The receiver of a signed message attempts to decrypt the signature using the sender's public key, thus changing it back into a message digest. Success indicates that the message was signed by the sender, because only the sender has the private key. The receiver then hashes the document data into a message digest, and compares it with the message digest obtained by decrypting the signature. If both digests are the same, the receiver can be sure that the signed message has not been changed.
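The signing and verification steps described above, as an added example that is not part of the original page or of any product's code. It uses textbook RSA with SHA-256 and a constructed toy key; the names `digest`, `sign` and `verify` are assumptions, and production signature schemes add a padding step that is omitted here.

```python
import hashlib

# Constructed toy key pair: both primes are well-known Mersenne primes, so this
# key is trivially factorable and is for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the signer


def digest(message: bytes) -> int:
    """Hash the message to a fixed-length digest, returned as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signer: transform the message digest with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: recover the digest with the public key, re-hash, compare."""
    if not 0 <= signature < n:       # reject values outside the key's range
        return False
    recovered = pow(signature, e, n)  # digest as produced by the signer
    return recovered == digest(message)


if __name__ == "__main__":
    msg = b"Pay 100 EUR to account 12345"            # constructed sample message
    altered = b"Pay 900 EUR to account 12345"        # same signature, changed data
    sig = sign(msg)
    print("genuine message verifies:", verify(msg, sig))
    print("altered message verifies:", verify(altered, sig))
    # The message itself travels in the clear; only its digest is transformed.
    print("signed message:", (msg, hex(sig)[:18] + "..."))
```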

A digital signature does not provide confidentiality. In other words, data that is not encrypted can bear a digital signature.

Knowledge of a public key does not guarantee the identity of the owner of the corresponding private key, and so encryption of information with a public key cannot, on its own, prevent encrypted information falling into the wrong hands. Before a public key can be safely used to encrypt or decrypt information, the identity of the holder of the private key must be assured. This assurance is provided by a digital certificate which binds the public key to the identity of the private key's owner.