4.4 Digital Signatures

When describing some of the applications of hashing above, one example was the process of digitally signing a document. Careful examination would reveal that there must be more to the process than just using a hash algorithm on a document. Using just a hash would provide the same value for anyone. You or I or the guy sitting next to you on the bus could all run a hash algorithm on a copy of this book and create the same value. That is the point of the hash. The three of us could quickly establish that we have all received the exact same copy of this book.

Another example will further explain this. You and I have negotiated a contract via e-mail. We both have two primary goals. The first is that we have actually agreed upon the same contract. That is no problem; we have hash values to do this for us. The second issue, however, is more complicated. Because you and I have never met each other face to face, you do not know if you have actually agreed to the contract with Cliff Riggs (me) or someone claiming to be me. When I do not hold up my end of the bargain, you come looking for me. I naturally say that I have never seen that contract before in my life and because this is all digital documentation, you must have made up the whole thing. Whether I have actually reneged on the contract or someone else had been negotiating in my place is immaterial.

You are naturally feeling wary about future dealings over the Internet and thus start to think of a solution to this problem. Being of above-average intelligence, you quickly realize that we can take existing cryptographic technologies and solve this problem. What do we use to make sure the data has not changed? Hash values. What technology do we have that could prove that someone is who they say they are? Certificates and public key encryption. In future negotiations, you could require me to run a hash value against the contract, then sign the hash value with my private key. You could then use my public key as verified by a certificate authority that not only has the document not changed, but that I have reviewed the document myself. You have established something important to cryptography. You have established non-repudiation. I cannot easily deny that I have not seen the document. After all, the entire point of the private key is that I am the only one who knows of it. This combination of technologies used to digitally sign documents is known as a digital signature.