Digital Signatures


Digital signatures are becoming increasingly common because they offer a high degree of protection for certain types of transactions and documents. These protections are based on three capabilities that signatures provide:

  • Signatures allow users to verify whether a block of data has been changed since it was signed. Even a small change in the input data results in an invalid signature, making signatures a great tool for protecting documents and messages against tampering.

  • Signatures allow identity verification. The signer has to use his or her private key, which is associated with the public key contained in a certificate, to sign the message. Anyone who receives the signed message can use that public key to verify that the signer's private key was indeed used to sign the message. In addition, the CA's signature on the certificate can be validated, as can signatures on the certificates of superior CAs in the certificate chain.

  • Signatures provide nonrepudiation. In legal terms, repudiation occurs when someone tries to refuse, or fails to acknowledge, a legitimate debt or contract. With conventional paper signatures, it's always possible to attempt to repudiate a contract by claiming fraud. It is much harder to do so with digital signatures because a signed document establishes that the key holder signed the document at a particular date and time (assuming, of course, that the key holder was careful with his passphrase or PIN).

In the messaging world, signatures can be used to prove who originated a message and whether or not it was modified. Because of the way messages are signed, this protection also extends to attachments as long as they're part of a mail message. Microsoft Office System (along with Office XP) and third-party products like PGP also allow digital signatures on individual documents, which adds extra protection by allowing the document to stay signed even after it's extracted from a mail message.

How Digital Signatures Work

Digital signatures' properties come about because of the nature of signature algorithms. It's more proper to refer to these algorithms as hash algorithms because they implement a technique known to computer scientists as hashing. A hash algorithm takes an arbitrarily large block of data and computes a unique fixed-length fingerprint, or message digest. This value represents the data block's contents such that if the data block is changed, rehashing it produces a different digest. Small changes in the input data should result in large changes in the digest.

Hash algorithms have another useful characteristic, too: they aren't reversible. Given a message A and a hash H, it's not feasible to reverse the hash and construct another message B that has the same message digest. This is important because you don't want an attacker to be able to replace a signed message's content with a different message without invalidating the signature; in addition, hashing operating system passwords and storing the hash value (as Windows does) protects against some types of attacks that involve stealing the stored password data.

Figure 2-4 shows how the signature process typically works. The end result is a signed message with content that is still readable apart from the signature (a clear-signed message).

Figure 2-4: The digital signature process.

Here's what happens:

  1. The sender composes a plaintext message. Of course, this plaintext could be anything from a piece of executable code to a musical score to a Microsoft Excel spreadsheet; for simplicity, you can think of it as an ordinary text block.

  2. The message digest is generated by breaking the plaintext message into chunks (the size of which depends on the hash algorithm being used) and feeding those chunks to the hash algorithm. Each chunk is processed separately, but the signature algorithm doesn't produce its final result until the last chunk is processed.

  3. The program doing the signing acquires the user's private key. Because the private key is protected by a password or passphrase, this step requires that the user enter credentials. If the private key is stored in a smart card or hardware token, the signing application cannot get a copy of the key; instead, it has to pass the data to be signed to the hardware so that the signature can proceed without exposing the key.

  4. The message digest is encrypted with the sender's private key. The resulting encrypted message digest is the actual signature. Anyone who has the sender's public key can verify the signature by reversing the signature process: rehashing the original plaintext, decrypting the signature, and checking to see whether the signature and the newly computed message digest match.

  5. The signature and original plaintext are combined. In some protocols, the sender's certificate (and possibly certificates of the issuing CA and its superiors) might be included; this makes it easier for a client who doesn't already have the sender's certificate to verify the signature.

Any changes to the message plaintext can be detected when the signature is checked, because the modified message's message digest won't match the original. Recipients can verify who sent the message by verifying that the sender's certificate contains a public key that can successfully decrypt the signature; if you use the wrong key, the digest value will be wrong and the signature will be invalid.
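
The hash, sign and verify steps above, carried through in code as an added example (not from the book), showing that a modified plaintext and a wrong public key both fail verification. It assumes SHA-256 from Python's hashlib and unpadded "textbook" RSA with a constructed toy key built from two Mersenne primes; all function names are hypothetical, and real signing uses a padded scheme from a vetted library.

```python
import hashlib
import hmac

# Constructed toy key (assumption): two public Mersenne primes, so the
# private exponent below is NOT secret. Real keys use random primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def digest(chunks):
    """Step 2: feed the plaintext to the hash chunk by chunk; the result
    is only final after the last chunk has been processed."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def sign(chunks, d=D, n=N):
    """Step 4: transform the digest with the private key (unpadded RSA)."""
    return pow(int.from_bytes(digest(chunks), "big"), d, n)


def verify(chunks, signature, e=E, n=N):
    """Rehash the plaintext, recover the signed digest with the public
    key, and compare the two values."""
    expected = digest(chunks)
    if not 0 <= signature < n:
        return False
    try:
        recovered = pow(signature, e, n).to_bytes(len(expected), "big")
    except OverflowError:        # value too large to be a digest: reject
        return False
    return hmac.compare_digest(recovered, expected)


def demo():
    message = [b"Pay Alice ", b"100 dollars"]     # constructed sample
    tampered = [b"Pay Alice ", b"900 dollars"]
    sig = sign(message)
    other_n = P * (2**1279 - 1)                   # someone else's public key
    return (verify(message, sig),                 # genuine
            verify(tampered, sig),                # modified plaintext
            verify(message, sig, n=other_n))      # wrong public key


if __name__ == "__main__":
    print(demo())
```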

Signatures and the Law

If digital signatures are so great, why aren't we using them instead of paper signatures? The biggest reason is simple: digital signatures aren't legally accepted as signatures everywhere. Without going into the long history of how we got to this point, suffice it to say that almost every country recognizes the concept of making a mark on a piece of paper as indicating the intent to sign it. However, the same isn't true for digital signatures, which has dramatically limited their use: if you digitally sign a document in Utah, but that signature isn't recognized as legally binding in New Jersey, what good is it?

Various state legislatures have attempted to address this problem, as has the U.S. Congress. In general, enforcement of signed contracts requires that the parties signing the contract meant to sign it, so most of the actual or proposed laws extend this idea to digital signatures. However, there's still a lot of difference between the legal value of digital signatures in different jurisdictions in the United States; the picture for admissibility of signatures in other countries is even more uncertain. If you're planning on using digital signatures as part of a process that involves actual contracts with other companies or organizations, make sure you get competent legal advice to ensure that your signatures mean what you think they will in all the places you might want to use them.


Digital Signature Algorithms

Hash algorithms are relatively straightforward; they take in variable amounts of data and produce a unique fixed-length value that can be used as a message digest. These algorithms tend to be very fast when compared to secret- or public-key encryption systems because the calculations they perform are much simpler. It turns out that for an application like using SSL to secure Web transactions, most of the time needed for a signature operation is taken up by encrypting the message digest, not generating it in the first place.

The Secure Hash Algorithm

The Secure Hash Algorithm (SHA) was developed by the NIST and released as part of the Secure Hash Standard in 1993. In 1994, SHA was revised and became known as SHA-1; it's officially described in FIPS 180-1 (http://csrc.nist.gov/cryptval/shs.html). SHA-1 is the only hash algorithm approved for use in systems that are required to meet the cryptographic security standards in FIPS 140, the federal seal of approval for cryptographic implementations.

The algorithm produces a 160-bit message digest; this is sufficient for current applications, but NIST is now in the process of specifying SHA replacements that offer 256-, 384-, and 512-bit message digests so that AES with a 256-bit key will have an adequately strong accompanying hash function.

The MD5 Algorithm

The Message Digest-5 (MD5) algorithm is widely used because RSA Laboratories, its creator, made it widely available as an Internet RFC, RFC 1321 (see http://www.ietf.org/rfc/rfc1321.txt). MD5 is the successor to the MD2 and MD4 algorithms, both of which have been found to contain serious weaknesses.

MD5 produces a 128-bit message digest, and it's somewhat faster than SHA-1 because it's less complex. MD5 is still widely used and it is robust enough for most applications, but it is being supplanted by SHA-1 because its smaller digest size provides less security than SHA-1.

The Digital Signature Algorithm

You might be wondering why there's a public-key algorithm listed here. Conventional public-key systems provide both encryption and digital signature capability. In the early 1990s, the U.S. government wanted to develop a system that would provide only signature and signature-verification capability. There are many applications that require verification, tamper-proofing, and nonrepudiation, but not confidentiality, so NIST developed the Digital Signature Standard (DSS). The DSS specification, FIPS 186-2, describes DSS in great detail. Interestingly, DSS allows the use of three separate signature algorithms: RSA, the elliptic-curve digital signature algorithm (ECDSA), and the Digital Signature Algorithm (DSA). The DSA actually computes a hash of the message using SHA-1, then encrypts the signature using a process analogous to the RSA algorithm. However, DSA can't be used for encryption, which met the design requirements for a confidentiality-free public-key system.




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
EAN: 2147483647
Year: 2004
Pages: 189
