Digital signatures and digital certificates
To understand the logic and functioning of digital signatures in blockchain, you first need to understand the public and private key concepts of asymmetric cryptography. To read about it, click here.
Before beginning, allow me to dispel a myth.
Contrary to popular belief, a digital certificate is NOT a scanned copy of any document.
The electronic document used to demonstrate public key ownership is known as a digital certificate.
Similarly, a digital signature is not a scanned picture of a manual signature.
An electronic signature known as a digital signature uses a mathematical formula to verify the reliability and integrity of messages on a routine basis (for example in a credit card transaction, or a digital document)
Basically, Users can be identified and information in digital messages or documents can be protected using digital signatures, which produce a virtual fingerprint that is specific to a person or entity.
Let’s now examine digital signatures and certificates in detail, but first, it’s important to understand why they are necessary. why is it necessary?
We require it mostly for electronic verification. It is important to confirm if communication is indeed coming from an authorized source or not because, in many circumstances, hackers utilizing man-in-the-middle attacks may have modified or altered the message. Therefore, the idea of a digital signature makes it possible to confirm who sent a message or who issued a document in the first place.
In blockchain transactions, there are a lot of identity risks, so to avoid them, a digital signature and public-private key concept are introduced, so as to provide authentication. Digital signatures foster trust among customers, business partners, and vendors by increasing the transparency of online transactions.
How does it work?
The above picture might confuse you, so like always, let’s try to understand its functioning with some of its real-life applications.
Suppose you want to build an office for yourself. For that, you contacted an architectural firm. Before signing the contract, you want to confirm the legitimacy and experience of the firm. To enforce their credibility, they give a digital certificate to you. After verifying that digital certificate, you gladly offer them the contract.
But wait!
How come you are so sure that the digital certificate is immune to any kind of alteration and malpractice? It could have been edited! Isn’t it?
But no, digital certificates are issued only to seek credibility.
But how?
Let's go to the internal operations and execution of its verification algorithm, and lets check how it validates any information.
Well, for an architectural firm to give proof of its authenticity, they have a government-issued document that contains information about the owner, the degree they possess, work experience, general ratings, etc. This is a digital certificate.
Now all this information will be converted into the hash code. After that, the government institution which is issuing this certificate encrypts that hash code using their private key. This private key is unique for that institution and plays a vital role in crosschecking the certificate.
This process of encrypting the hash code of any certificate data or important data using a private key by any organization is called a digital signature or signing any certificate digitally.
In this way, that document is digitally signed by the institution. And hence it became a digital certificate!
Now, this issued digital certificate has three things contained in it.
- Unencrypted plain data (details like name of firm, ratings, experience, owner, etc.)
- Hash code of data in the document along with the name of the hash function used like md5, SHA, etc.
- Encrypted data of that Hash code which was encrypted using the issuer’s private key.
Now for us to crosscheck the certificate, we will pass the details of plain unencrypted data, mentioned above through the mentioned hash function, and will check, if it matches the hash code of data in the certificate or not.
If it matches, the first step of verification is done.
As the government institution keeps its private key a secret but its public key will be known to everyone, so, in the next step of verification, we will use encrypted data of that Hash code of the digital certificate and will decrypt it using the public key of the government institution. After doing this decryption they will check if the output of this decryption matches to Hash code of data in the document or not. If it matches, then it is verified that it was really issued by the authority, and was not modified by anybody else.
Now, you can understand, what happens if they modify any of these above components in the digital certificate.
Now to modify the details of the encrypted data of that Hash code, they need the private key of issuing authority, WHICH THEY DON’T HAVE.
ONLY ISSUING AUTHORITY( government institution) WILL HAVE ITS PRIVATE KEY AS A SECRET. so, they cannot modify the encrypted data of that Hash code. If they attempt to modify it, they would not know what to write there. They couldn’t know what would be the output after encrypting the modified hash code with the private key of that organization, because they don’t have the private key!
In this way verification takes place.
Is an electronic signature (e-signature) the same as a digital signature?
Different types of electronic signatures fall under the umbrella term “electronic signature.” Digital signatures are a type of electronic signature that is implemented specifically using encryption.
In conclusion, all e-signatures are digital signatures, but not all digital signatures are e-signatures.
