Ways Of Using Digital Signatures In Cybersecurity
Digital signatures in cybersecurity are mathematical technique used to provide authenticity, integrity, and nonrepudiation. Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction. In other words, the digital signature serves as legal proof that the data exchange did take place. Digital signatures use asymmetric cryptography.
The signature cannot be forged and provides proof that the signer, and no one else, signed the document.
Digital signatures are commonly used in the following two situations:
- Code signing – This is used for data integrity and authentication purposes. Code signing is used to verify the integrity of executable files downloaded from a vendor website. It also uses signed digital certificates to authenticate and verify the identity of the site that is the source of the files.
- Digital certificates – These are similar to a virtual ID card and used to authenticate the identity of the system with a vendor website and establish an encrypted connection to exchange confidential data.
There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:
- Digital Signature Algorithm (DSA) – DSA is the original standard for generating public and private key pairs, and for generating and verifying digital signatures.
- Rivest-Shamir Adelman Algorithm (RSA) – RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures.
- Elliptic Curve Digital Signature Algorithm (ECDSA) – ECDSA is a newer variant of DSA and provides digital signature authentication and non-repudiation with the added benefits of computational efficiency, small signature sizes, and minimal bandwidth.
In the 1990s, RSE Security Inc. started to publish public-key cryptography standards (PKCS). There were 15 PKCS, although 1 has been withdrawn as of the time of this writing. RSE published these standards because they had the patents to the standards and wished to promote them. PKCS are not industry standards, but are well recognized in the security industry and have recently begun to become relevant to standards organizations such as the IETF and PKIX working group.
Digital Signatures for Code Signing
Digital signatures are commonly used to provide assurance of the authenticity and integrity of software code. Executable files are wrapped in a digitally signed envelope, which allows the end-user to verify the signature before installing the software.
Digitally signing code provides several assurances about the code:
- The code is authentic and is actually sourced by the publisher.
- The code has not been modified since it left the software publisher.
- The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.
The US Government Federal Information Processing Standard (FIPS) Publication 140-3, specifies that software available for download on the internet is to be digitally signed and verified. The purpose of digitally signed software is to ensure that the software has not been tampered with and that it originated from the trusted source as claimed. Digital signatures serve as verification that the code has not been tampered with by threat actors and malicious code has not been inserted into the file by a third party.
Click the buttons to access the properties of a file that has a digitally signed certificate.
This executable file was downloaded from the internet. The file contains a software tool from Cisco Systems.
Digital Signatures for Digital Certificates
A digital certificate is equivalent to an electronic passport. It enables users, hosts, and organizations to securely exchange information over the Internet. Specifically, a digital certificate is used to authenticate and verify that a user who is sending a message is who they claim to be. Digital certificates can also be used to provide confidentiality for the receiver with the means to encrypt a reply.
Digital certificates are similar to physical certificates. For example, the paper-based Cisco Certified Network Associate Security (CCNA-S) certificate in the figure identifies who the certificate is issued to, who authorized the certificate, and for how long the certificate is valid. Digital certificates also provide similar information.
The digital certificate independently verifies an identity. Digital signatures are used to verify that an artefact, such as a file or message, is sent from the verified individual. In other words, a certificate verifies identity, a signature verifies that something comes from that identity.
This scenario will help you understand how a digital signature is used. Bob is confirming an order with Alice. Alice is ordering from Bob’s website. Alice has connected with Bob’s website, and after the certificate has been verified, Bob’s certificate is stored on Alice’s website. The certificate contains Bob’s public key. The public key is used to verify Bob’s digital signature.
The figure shows the bob computer with a textbox that reads confirm the order and the word data above it. An arrow extends to another textbox that reads 1c34d56… An arrow leads to another textbox that reads 0a77b3440… and the words encrypt beside the arrow with a picture of a key labelled bob private key. A third arrow goes from the 0a textbox to a cloud that has the words signed data in it and a box that says confirm order signature 0a77b3440… Words at the bottom: Bob confirms the order and his computer creates a hash of the confirmation. The computer encrypts the hash with Bob’s private key. The encrypted hash, which is the digital signature, is appended to the document. The order confirmation is then sent to Alice over the internet signed.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Download Our App.
CEHNigeria On Google Playstore
Download Our Blog App On Google Playstore.
GET SEOPOZ. OUTSMART YOUR BLOG COMPETITORS
Have a deeper understanding of Google Search Console. Joint SEOPOZ for free.
Join Our Whatsapp Group Here
Join Our Whatsapp Group
Follow Us On Twitter and I will Follow Back
Follow Us On Twitter
Kindly follow me on Twitter and I promise I will follow back. Aside you will get updated when we post new articles.