PKI digital signatures can be found virtually everywhere from digitally signed emails and software to secure websites. Well break down what a PKI signature is and how it helps protect your datas integrity
Remember when you were a kid and your parents told you that if you put your mind to it, you can do or be anything you want? Well, on the internet, that is kind of true. You can pretty much make your own truth about yourself you could be a teenager, an adult, or a companys CEO. Without a way to prove your claims are legitimate, no one will be any the wiser.
Cybercriminals know this and love to take advantage of it. Thats why we have all the issues that we do today relating to phishing other sorts of predatory cyber attack techniques. Before the internet, you had to meet up with someone face to face to securely exchange information or send coded, encrypted messages.
But now that people are communicating and doing business with others across the world instantaneously, face-to-face meetups are no longer feasible in most cases. So, to protect yourself and your customers, you need to have a way to prove your identity online and help people know that your emails, files, and software are legitimate and havent been faked. This is where PKI signatures come into play.
But what is a public key signature? How is a digital signature different from other electronic signatures? And where can you find PKI digital signatures in action?
Lets hash it out.
Before we can dive head-first into the nitty-gritty of public key signatures, it would be smart to at least briefly recap what a digital signature is as well as the role it plays in public key infrastructure (PKI). After all, you cant run the play if you dont know the rules.
A PKI signature is a form of verifiable digital identity that helps you prove you (or something you create) is real. In a way, its kind of like a fingerprint because its something that uniquely identifies you. However, its more than just identity. A digital signature is a way for your organization to affirm its legitimacy through the use of a digital certificate (such as a code signing certificate) and a cryptographic key.
In a nutshell, using a PKI digital signature enables you to attach your verifiable identity to software, code, emails, and other digital communications so people know theyre not fake. This helps you:
If that all seems a bit complicated, lets break this down with more of a simple analogy
A PKI signature is the modern equivalent of a wax seal that people historically would use to secure sensitive communications. Before the internet or the invention of the telephone, people would either meet up in person or communicate remotely via written letters. Of course, without digital communications, these messages would have to be delivered by hand via train, boat, or horseback riders which means that these messages could be intercepted on their way to their intended recipients.
Say, you want to send a sensitive message to a friend. Youd want to have a way to let them know that you signed it and that the message hasnt been tampered with in any way. Years ago, youd use a wax seal to achieve this. This process would entail:
When your friend receives your message, theyll see that the wax seal intact. This unbroken wax seal indicates that your message is legitimate in two crucial ways:
In much the same way, communications on the internet also need to have these same types of protections. While theyre not being sent by horseback, digital communications pass through a lot of hands as they transmit across the internet in the form of servers, routers, and other intermediates until they reach the right destination. This means that cybercriminals would have many opportunities to alter or manipulate your information in transit if there wasnt a way for the recipient to verify the messages integrity.
Heres a great video from Computerphile that helps to explain PKI digital signatures in another way:
People often mistakenly conflate PKI digital signatures and electronic signatures as being the same, but thats not quite true. Yes, a digital signature is a type of electronic signature, but not all electronic signatures are digital signatures. Its kind of like how all iPhones are smartphones but not all smartphones are iPhones. Sure, they both are a way to say youre someone on the internet, but only one of them (*cough*PKI signature*cough*) can actually help you prove your identity because its more than just an online signature that can be altered.
Its kind of like getting an autograph of your favorite athlete like, say, quarterback Tom Brady. (Sorry, Pats fans, Tom is ours now! #TampaBayBucs) Sure, you could just walk up to Tom at a bar and ask him to sign something. But without having some way to authenticate that his signature is real like, say, an official certificate of authenticity then someone could argue that anyone could have signed his name.
Or, for all they know, you really could have gotten Tom to autograph one item. But what would stop you from sitting at home on the weekends, using his signature as an example so that you can forge his autograph on a bunch of Buccaneers team gear that you want to sell? Well, nothing, unless your prospective buyers had a way to verify the autographs legitimacy.
This is kind of like the difference between an electronic signature and a digital signature:
To really get at the heart of understanding public key signatures, you need to know about two cryptographic processes that play pivotal roles in their creation: encryption and hashing.
This cryptographic process takes a mathematical algorithm and applies it to plaintext (readable) data to scramble it into an unreadable state. It can use:
As you can see, there are some key differences (excuse the pun) between asymmetric and symmetric encryption. Regardless of those differences, the process is, essentially, reversible (using the decryption key), which means that encryption is a two-way function.
In digital signatures, encryption is used to specifically encrypt the hash data to create the digital signature. (It doesnt encrypt the file or email you want to digitally sign it only encrypts the hash value.)
Hashing is a cryptographic function that also applies a mathematical algorithm to data and files. However, its purpose is different than an encryption algorithm a hashing algorithm takes data of any length and maps it to an output (hash value) of a specific length. For example, you can take a single sentence or an entire book, apply a hash function to it, and the result will be an output (hash value) of the same length.
Because the process isnt reversible, theres not a key that reverts or maps the hash value back to the original input. This means that hashing is a one-way cryptographic function. (You know because hashing only works in one direction.)
In truth, digital signatures can be found all across the internet. For example, you can use digital signatures in the following applications:
A website security certificate, or whats known as an SSL/TLS certificate, is one of the most central components of security on the internet. Installing this certificate on your server enables you to secure your website using the secure HTTPS protocol. Enabling HTTPS means that whenever customers connect to your website, their individual connections (and any data they share during their session) will be secured using encryption. This is what makes that nifty little padlock icon appear in your browser.
A digital signature is a part of whats known as the TLS handshake (or what some people still call the SSL handshake). We wont get into all of the specifics here, but the first part of the handshake involves the websites server and users browser exchanging information (including the servers SSL/TLS certificate and digital signatures) via an asymmetric encrypted connection. Using a digital signature helps the server prove that its the legitimate server for the website youre trying to visit.
A document signing certificate enables you to apply your digital signature to many types of documents, including Microsoft Office documents and PDFs (depending on the specific certificate you use). Heres a quick example of what a digital signature looks like:
Using an email signing certificate (i.e., an S/MIME certificate) allows you to apply your digital signature to your emails. This provides identity assurance and protects the integrity of your communications.
Note: For extra security, you can also use this certificate to send encrypted emails (to users who also use email signing certificates). This provides secure, end-to-end encryption that protects your data both while its bouncing between servers and routers and sitting on your recipients email server.
Using a code signing certificate helps you to protect your supply chain. It also offers assurance to users who download your software that your software is both legitimate and unmodified.
When you sign your certificates using a code signing certificate, youll display your verified company organization information (as shown in the screenshot on the right):
Of course, unsigned (and software signed using standard code signing certificates) can also trigger Windows SmartScreen warning messages as well the difference would be that digitally signed software would display the verified publisher information instead of Unknown publisher.
To avoid displaying Windows SmartScreen messages, be sure to sign your software, code, and other executables using an extended validation code signing certificate. Using this PKI digital signature ensures Microsoft and its browsers automatically trust your software.
Remember the SSL/TLS handshake that we mentioned earlier? Well, in two-way authentication, or whats known as mutual authentication, both the server and the client prove their identities to one another. This means that in addition to the server providing its information to the client, the client must do the same by providing information to the server.
This information includes a generated hash value, digital client certificate, and cryptographic public key. The client generates the hash using data it exchanges with the server and encrypts the fixed length string using its private key (which is mathematically related to the public key it shares).
Heres a basic overview of how this process works:
Public key signatures are essential in an internet-oriented world. As more companies are moving to the cloud and relying on this public network to conduct business and provide services, the roles of identity and integrity in security become more important.
Of course, weve talked about the reasons why its so important at length in a previous article. Be sure to check out our article on why you should use digital signatures to sign everything. But well quickly summarize the key reasons here for you about why digital signatures matter:
Thanks to all of you whove stuck through this article to get to this point. For those of you whove decided to skip to the end for the too long; didnt read portion of our article, welcome. We know your time is precious, so heres a quick overview of what weve covered in this article so you can skim and head out on your way.
All of this is to say that this cryptographic technique is all about helping companies prove their authenticity and giving users a way to verify that files, software, and other information havent been manipulated or altered since they were digitally signed.
Stay tuned next week for a related article that will break down how digital signatures work.
View post:
Public Key Signature: What It Is & Why It's Everywhere - Hashed Out by The SSL Store
