This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public. Advice and information is changing daily as we navigate our way through the COVID- 19 pandemic, so please ensure you only take information from reputable sources. If you require any further information, assistance or guidance please contact the EMSOU Protect Team EMSOU Protect Team or your local Force protect team. Today’s topic is: Digital Signatures In the Middle Ages, when illiteracy was rife, wax seals were commonly used for things we would use a signature for today, such as authenticating a will or contract. The symbol or crest on an individual seal guaranteed the identity, integrity and acknowledgement of the contents. Some medieval clergymen are reported to have plucked out their own beard hair and added it to the melted wax, to show that the seal was truly from them.
Today, we authenticate the sender and content of a digital transmission by signing it.
A digital signature is totally unique to a person or an organisation and can demonstrate that the message has not been tampered with.
Why use a digital signature? Digital signatures increase the transparency of online interactions and develop trust between customers, business partners and vendors.
How do they work?
To understand how a digital signature works and why they should be used, we first need to understand “hashing” and how it guarantees the content has not been changed.
Hashing: Take any digital content (pictures, files, folders, software, email) and run it though a mathematical algorithm to produce a unique string of characters. This is the “hash”. Even the slightest change to the content would produce a radically different “hash”.
If the recipient uses the same algorithm but gets a different “hash”, then the message has been tampered with in transit and has no integrity.
To authenticate the sender of a message, public key cryptography is used.
Public key cryptography: When encrypting or decrypting, we use a different type of mathematical algorithm. We call this algorithm the ‘key’. In public key cryptography, the sender will have two keys.
One key is called the ‘private key’ and encrypts data. It is known only to the sender and can only be used by them.
The other key is called the ‘public key’ and decrypts the data. This public key can be used by anyone and decrypting the data validates the sender.
Finally, we have the Certificate Authority (CA). This is a trusted third party that validates a person or organisation’s identity and either generates a public/private key pair on their behalf or lets them use the ones they have made. They issue a digital certificate which confirms the identity of the holder as well as their keys.
Putting it all together:
1. The sender takes a file/message, picture, etc. and applies an algorithm to produce a “hash”.
2. The sender encrypts the “hash” with the “private key”. Creating the digital signature.
3. The original message is sent to the recipient, with the digital signature.
4. To check that the message has not be tampered with, the recipient will use the “public key” to decrypt the signature leaving them with the “hash”.
5. They will then generate their own “hash” of the original message that was sent.
6. Finally, they compare the “hash” they have made against the sender’s decrypted “hash”.
7. If they match, the message has not been modified.
The power of the computer takes care of all of this, without us having to think about it.
Comparing the hash provides integrity, and as no other key could have decrypted the hash other than sender’s public key, this proves the authenticity of the sender, which is confirmed by the certificate authority.
The Bottom Line
Through the use of trusted third parties, digital signatures can be used to verify the identity of individuals and organisations and ensure the integrity of communications.
As paperless, online interactions become more widely used, digital signatures can help secure and safeguard the integrity of important data. By understanding and using digital signatures, organisations can better protect information, documents, and transactions.
Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online.
Forward suspicious emails to firstname.lastname@example.org.
Report SMS scams by forwarding the message to 7726 (spells SPAM on the keypad).