Search code examples
certificatesigning

Signature with certificate

I'm trying to understand how it is working the signature of the file with a certificate.

I already understood how it's working for a 'basic' signature of file:

  • Bob wants to send to Alice "I'm signed"
  • Bob hashes "I'm signed", return "ABCDEF"
  • Bob encrypts the hash with his private key, return "101010"
  • Bob sends the encrypted part "101010" to Alice and the message "I'm signed"
  • Alice hashes the file, return "ABCDEF"
  • Alice decrypts the encrypted part "101010" with the public key of Bob, return "ABCDEF"
  • Alice makes match the two value that means that the message is really coming from Bob

I discussed today with someone working for a company that is dealing with authentification products, token, app for phone, cards etc..

The point is, the company is delivering two kinds of certificates with more or less strong value (depending on how much they succeed to identify the user above the process).

And as explained to me in a really blur way, "each user needs a certificate to allow him to sign his documents", "we encrypt with public key" (i think this point was probably not true), "the certificate contains the public key".

I tried to reach the point with looking to scheme: wikipedia scheme

But I'm ever more lost.

I think Digital Signature is to manage with the first method that I described above and an Electronic signature is the fact to add the certificate to the process.

But how? Is someone could describe the steps, please?

Solution

  • we encrypt with public key

    It is true, as it is called asymmetric encryption. Everybody (might) have the public key and therefore can encrypt messages send to the one holding the private key.

    What probably confuses you is the mixed up thing: Signature and Encryption

    • Bob wants to send to Alice "I'm signed"
    • Bob hashes "I'm signed"
    • Bob needs a certificate for the next steps
      • Bob generates a private key and a public key
      • Bob generates a certificate request containing the public key and signs it with the private key
      • Bob submits the request to CA
      • The CA issues a certificate (signs Bob's public key with the CA private key)
    • Bob signs the hash with his private key
    • Bob needs Alice's certificate for the next steps
      • Bob asks Alice for her public key (certificate)
      • Alice generates a private key and a public key
      • Alice generates a certificate request containing the public key and signs it with the private key
      • Alice submits the request to CA
      • The CA issues a certificate (signs Alice's public key with the CA private key)
      • Alice sends Bob her public key (certificate)
    • Bob encrypts the message, hash and signature with Alice's public key"
    • Bob sends the encrypted data to Alice
    • Alice decrypts the data with her private key
    • Alice hashes "I'm signed" and validates the signature with Bobs public key

    The key point is

    • Alice is the only one who is able to read the message as she is the only one holding the private key to encrypt the data.
    • Alice can be sure that the message is from Bob as he is the only one holding the key that produces the signature.