Professional Documents
Culture Documents
This document seeks to provide a brief introduction to digital signatures, in particular using public key encryption. This is by no means an in-depth analysis of different digital signature systems.
a private key, which only you use (and of course protect with a wellchosen, carefully protected passphrase); and a public key, which other people use. Public keys are often stored on public key servers.
A document that is encrypted with one of these keys can be decrypted only with the other key in the pair. For example, let's say that Alice wants to send a message to Bob using PGP (a popular public key encryption system). She encrypts the message with Bob's public key and sends it using her favorite email program. Once the message is encrypted with Bob's public key, only Bob can decrypt the message using his private key. Even major governments using supercomputers would have to work for a very long time to decrypt this message without the private key.
What if I need to verify a signature from someone I don't know, or be sure that the key is really theirs?
That's where digital certificates and certificate authorities come in. Let's start with how it works in PGP. Say that someone claiming to be Bob's acquaintance Carol sends a message to Alice. How does Alice know that Carol is who she claims to be? Carol signed the message with her own private key,
which has been digitally signed by Bob (essentially saying, "I trust that this key is valid and hope that you will, too"). Because Alice knows and trusts Bob's key (and therefore his signature), Alice can trust that Carol's key is valid so the person claiming to be Carol almost certainly really is Carol. Furthermore, once Alice trusts Carol's key, she can sign it. Then someone who has and trusts Alice's key will be able to trust Carol's. This builds a web of trust among PGP users. However, this informal web of trust may not be rigorous enough for business or goverment purposes. For these cases, third-party entities known as certificate authorities validate identities and issue certificates. These certificates, signed with the CAs' well-known and trusted keys, can be used to verify someone's identity.