Digital signature - what's this?
Digital signature is technology which uses asymmetric cryptography to e.g. prove the origin of data. It is implementation of certain mathematical function by the software and when this mathematical result are append to file, the file is signed (in the fact is using sequence of mathematical functions). Sometimes, the "Digital Signature" is represented as a "Electronic signature". For explanation, the digital signature is electronic signature which has been made by encryption. If we used in this text electronic sign then we think digital sign in the fact (nearly without exception).
To be able to understand right to the process of digital signature we will have to explain several terms.
Symmetric encryption uses only one key for encryption and decryption. In practice it is hard to distribute one key to the all users by secure way. On the other side the symmetric algorithm are fast and neednīt high system requirements. The most known symmetric algorithms are: DES, 3DES, IDEA, BlowFish and CAST.
Asymmetric encryption uses two keys - public and private. Public key is for everyone and private key is secret. Basics of the asymmetric encryption is that data which are encrypted by the public key can be decrypted only by the private key. It's not possible to encrypt and then decrypt by the same key. Asymmetric encryption algorithms are slower and more exacting. For example: RSA, ECC, AES etc.
Hybrid encryption it's a often using compromise which combine both of them. Data are encrypted by symmetric key which is encrypted by the public key of recipient and is sent with the data.
On-line encryption is when the encrypted file is opened by the authorized user and is dynamically decrypted in the memory of computer and finally is open up in corresponding application. The file is automatically encrypted at the end of work. On the other hand, in the case of "off-line" decryption, you will have to decrypt the file manually and then open in the application (e.g.: MS Word document).
HASH represents "digital print" of a given data. It's created when you apply so-called HASH algorithm to the file, itīs output is a number which has predefined length and definite identifies input data. HASH is one way function which mean that you cannot reconstruct the content of the file from the known HASH. If the input data are changing (even small change), result of the HASH fuction will be different important way.
Certificate it's in the main public key with information which definite identify their owner in certain standardized format. Everything is digitally signed (by the owner - so-called self-signed certificate or by the trusted certification authority). Certificates are published to everyone can check the signature of their owner with the help of this certificate.
CRL (Certificate Revocation List) it's a list of certificates which validity has been terminated. It contains serial numbers of certificates a given certificates authority. Mostly can be free downloaded from the CA's web sites. Certificate which serial number is in the CRL is not valid and data signed electronic signature which belong to this certificate are not authentic.
Principle of digital signature creation is relatively simple. At first, the HASH of file is calculated. This HASH is encrypted by the private key and append to file. In some cases can be append certificate of signing person too. Simplify say the digital signature is HASH calculated from signed data and this HASH is encrypted by private key.
Validation of digital signature is done in two steps. At first, the HASH attach to file is decrypted by the help of certificate of signed person. Then the HASH from the file is calculated by the help of the same HASH function and these HASHes are compared each other. If there are no diferences the signature is valid. If in the time between signing and verifing the signature were the content of the file change (or e.g. the file was damage) then the signature is not valid.
Public Key Infrastructure (PKI) determines systems which use technology of digital signature including certain forms of central public keys (certificates) management. As a rule itīs complex system which makes use of technology of digital signature with central storages of particular user certificates optionally private keys too.