Digital Signature
I’ll describe here in short how signing works:
A key is a pair of a private key and a public key. These two key have the property that what is encrypted with one can be decrypted with the other. So if you encrypt something using the private key, it can be decrypted using the public key, and vice-versa. You keep the private key secret, so that only you can use it. When you sign a document, a message digest (MD) of the document is computed. A MD is a secure hash of the document; it has the property that each document has it’s own MD. You can’t find a different document which has the same MD as a given document. Because of this, the MD can be seen as a characteristic of the document. If you make any change to the document, its MD changes. So you compute the MD of the document you want to sign, and afterwards you encrypt the MD using your private key. This encrypted MD represents your signature of the document. The signature assures two things: that you indeed signed the document (non-repudiation), and that the document wasn’t changed from the form that you signed (integrity). Now let’s see how the signature is verified: another person receives the document together with the signature (the encrypted MD), and wants to check if the document was signed by you. He decrypts the MD using your public key, and also computes a new MD of the document. If these two MDs are the same (the computed one, and the one decrypted from the signature using your public key), it means that indeed you signed the document. If they’re not equal, it means that either the document was signed with a different key (i.e., it wasn’t signed by you), or that the document was modified since you signed it.
There is also a different aspect: how is the person who verifies the signature sure that the public key he thinks is yours really is yours? Non-repudiation means that once you signed a document, you can’t deny that you signed it. You may try to say something like: that public key is not mine; so it’s not me who signed the document; it’s not my signature
. In order to make such denial impossible, the person verifying the signature wants to be sure that the public key really is yours, and that you can’t deny this fact. This is achieved by having your public key certified by a Certification Authority (CA). A CA is an organization which verifies (at your request) your identity, and emits a certificate declaring that the given public key is yours. This certificate is signed by the CA. So this certificate, signed by a CA, is the mechanism which makes the link between a public key and a real-world identity.
It order to be able to sign, you need a key (a pair of a private key and public key). You may easily generate any number of keys yourself, using a program like OpenSSL. Afterwards, you need to associate the public key with your identity (your company name, for example). This is done by obtaining a certificate from a Certification Authority (CA). The CA verifies your identity (by calling you on the phone, or by having you fax them some official documents declaring your identity), and afterwards gives you a certificate, which says that the given public key belongs to you.