A digest of a file is a short sequence produced by processing every byte in a file using a hashing algorithm like SHA1 or MD5. It is very unlikely that two different files will produce the same digest. A digest acts as a file or document "fingerprint".
Asymmetric keys consist of a matched private key and a public
The mathematics of asymmetric keys provides for an infinite number of possible key pairs. Public Key Infrastructure delegates the issue of keys to a trusted third party called a Certificate Authority (CA). The CA issues a certificate to a named user and, if the user may be trusted to have kept the private key secret, it is possible to use an encrypted digest of a file as evidence of authenticity.
- If you encrypt plaintext with a private key you can only decrypt back to the same plaintext using the corresponding public key.
- If you encrypt with a public key you can only decrypt with the corresponding private key. The maths work both ways around - but the keys don't!
SHA1(ALL BYTES IN FILE)→DIGEST
A digital signature
way of proving that a data file was created or approved by the originator
and has not been changed.
ENCRYPT(DIGEST, PRIVATE KEY)
To sign a
- Make a digest of the file.
- Encrypt the digest with a private key.
- Record the result as a digital signature and publish with the file and the public
DECRYPT(SIGNATURE, PUBLIC KEY)
a file signature is valid
- Make a digest of same
- Decrypt the supplied digital signature using the public key.
- Compare the digest with the decrypted
- A certificate is used to prove that a signature was created by a trusted originator. It contains the originator's contact details, subject and issuer information and a copy of the public key. To prevent forgery the file containing the certificate is itself signed by the issuer of the certificate. This is usually a Certificate Authority that has verified the credentials of the owner of the private key.
- Verify that the signature is valid
- Locate the certificate containing the
- Check that the signature of the certificate is valid.
- Check that the certificate has not been revoked by the issuer.
- Check that the certificate was "in date" when the file was signed.
- Chain through respective issuers until a certificate is found that has been placed in a trusted certificate
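The signing and checking steps above, carried through to the certificate checks, as an added example that is not part of the original page. It assumes textbook RSA without padding on constructed toy keys built from Mersenne primes, SHA-256 in place of SHA1 (practical collisions are known for both SHA1 and MD5), years standing in for dates, and hypothetical names throughout (`keypair`, `issue`, `check`, "Toy CA", "dev"). Real systems use a vetted library with padded signatures.

```python
import hashlib, json
E = 65537  # public exponent shared by both constructed toy keys

def keypair(p, q):  # toy RSA key from two primes: (private d, public n)
    return pow(E, -1, (p - 1) * (q - 1)), p * q

def digest(data):  # SHA-256 stands in for the page's SHA1
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, d, n):
    return pow(digest(data), d, n)        # ENCRYPT(DIGEST, PRIVATE KEY)

def verify(data, sig, n):
    # DECRYPT(SIGNATURE, PUBLIC KEY), then compare with a fresh digest
    return 0 <= sig < n and pow(sig, E, n) == digest(data)

def body(cert):  # bytes the issuer signs: every field except the signature
    fields = {k: v for k, v in cert.items() if k != "sig"}
    return json.dumps(fields, sort_keys=True).encode()

def issue(subject, subject_n, issuer, issuer_d, issuer_n, valid):
    cert = {"subject": subject, "issuer": issuer, "n": subject_n, "valid": valid}
    cert["sig"] = sign(body(cert), issuer_d, issuer_n)
    return cert

def check(data, sig, signer, certs, trusted, revoked, signed_on):
    """Return 'ok' or the name of the first verification step that fails."""
    cert = certs[signer]
    if not verify(data, sig, cert["n"]):
        return "bad file signature"
    for _ in range(8):                    # bounded walk up the issuer chain
        issuer = trusted.get(cert["issuer"]) or certs.get(cert["issuer"])
        if issuer is None or not verify(body(cert), cert["sig"], issuer["n"]):
            return "bad certificate signature"
        if cert["subject"] in revoked:    # revocation keyed by subject (assumption)
            return "revoked"
        if not cert["valid"][0] <= signed_on <= cert["valid"][1]:
            return "not in date"
        if cert["issuer"] in trusted:
            return "ok"
        cert = issuer
    return "no trusted issuer"

# Constructed demo data: Mersenne primes give short but worthless keys.
CA_D, CA_N = keypair(2**89 - 1, 2**607 - 1)
DEV_D, DEV_N = keypair(2**127 - 1, 2**521 - 1)
TRUSTED = {"Toy CA": issue("Toy CA", CA_N, "Toy CA", CA_D, CA_N, (2020, 2030))}
CERTS = {"dev": issue("dev", DEV_N, "Toy CA", CA_D, CA_N, (2023, 2025))}
FILE = b"release-1.0 contents"
SIG = sign(FILE, DEV_D, DEV_N)
```

Calling `check(FILE, SIG, "dev", CERTS, TRUSTED, set(), 2024)` walks every step in the list and names the first one that fails, so a tampered file, a revoked signer and an expired certificate each produce a different result.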