A digital signature is used in transmitting documents or information to authenticate the data in these documents. It is similar to an authorized signature or a seal of personnel on confidential documents but is included digitally.
Digital signatures are used to make sure that unauthorized people have not accessed electronic documents and, furthermore, have been modified by them. They ensure that the documents are verified and authenticated and that the integrity of the message is protected when transmitting over an open network(the Internet).
In this article, we will learn about digital signatures and how to sign and verify them.
Before that, please check out this easy introduction to cryptography
What Is a Digital Signature?
Consider a scenario where a country or a state needs to send very confidential data to another country. Now to send this data safely, the sending country should enclose the document with its unique seal. This seal is used as a verification for the receiving country to ensure that it is coming from the expected country. The seal is used as an authenticator for the receiving country and also ensures integrity.
In the same way, while you are sending documents or messages over a channel say the Internet, digital signatures are used to authenticate the sender to the receiver and also make sure that the document is not accessed by unauthorized people and is not modified in any form.
Digital signatures use the concepts of cryptography. It is based on asymmetric key cryptography.
Asymmetric key cryptography uses two keys to carry out the encryption and decryption of data. To put it simply, asymmetric key cryptography, also known as public key cryptography, uses a key pair that is mathematically related. The keys are called public keys and private keys. We can understand from their names that the public key is known to both parties, and the private key is only known to the owner(sender or receiver).
Since public key cryptography is followed in a digital signature scheme, where one key is kept secret, and a digital signature is proven to be a secure way to authenticate confidential data or documents.
It is mainly used to sign electronic documents, financial transactions, and so on.
Related: Visit this article to know more about the RSA algorithm
Coming back to digital signatures, the owner of the digital signature uses his private key to encrypt the signature. To verify the signature, the recipient has to use the signer’s public key.
If the recipient can decrypt the signature with the public key, the sender is authenticated, which means the sender indeed signed the data. If the recipient cannot decrypt the data with the key, it means that either the message is tampered with or the sender is not what he claims to be.
Let us see how to implement digital signatures in Python.
Digital Signature With Ecdsa
ECDSA stands for Elliptic Curve Digital Signature Algorithm. It is based on Elliptic Curve Cryptography(ECC). It is also based on public key cryptography.
It makes use of elliptic curves to generate keys, and this method is found to be susceptible to many attacks.
We are going to use ecdsa to create and verify the digital signatures.
This process has the following steps.
- Key Generation: Both sender and receiver generate an elliptic curve key pair which has a private key and a public key. The details about the curve and, as usual, the public key are known to both the parties
- Signature Generation: The sender generates a digital signature by using an algorithm and his private key
- Signature Verification: Since the digital signature is unique to the message, when the receiver applies an algorithm and the public key of the owner, he should be able to verify the signature. If the signature is the same as that of the one used by the owner, authentication and integrity are achieved
Luckily, Python has a library that supports these operations, and we just need to install it. Install the ecdsa library with the following command.
pip install ecdsa
Let us see the code to implement digital signatures.
1. Key Generation
The first step is to generate the public and private keys using the elliptic curve.
import ecdsa
import hashlib
priv_key = ecdsa.SigningKey.generate(curve=ecdsa.SECP256k1)
public_key = priv_key.get_verifying_key()
In the first two lines, we are importing the ecdsa library we just installed and the hashlib library.
The private key is generated by the SigningKey function of the library. The elliptic curve we are using is the SECP256k1, which is the secure curve and is used by BitCoin to implement digital signatures.
The public key is generated from the private key itself using some mathematical functions.
2. Signature Generation
Given a message, we need to create a hash value for it using any hash algorithm. The generated hash is used to create a digital signature.
message_hash = hashlib.sha256(message).digest()
signature = priv_key.sign(message_hash)
print("The signature is:\n",signature)
The message hash is created using the SHA-256 algorithm. This hash is used to create a digital signature using the private key of the owner. While displaying the signature is not advisable for security purposes, the signature is shown here.
3. Signature Verification
The signature verification is done as follows.
try:
public_key.verify(signature, message_hash)
print("Signature verified: True")
except ecdsa.BadSignatureError:
print("Signature verified: False")
The verification process is done using the public key of the owner. If the signature is matched, True is printed. Else, False is printed.
The complete code and output are given below.
import ecdsa
import hashlib
priv_key = ecdsa.SigningKey.generate(curve=ecdsa.SECP256k1)
public_key = priv_key.get_verifying_key()
message = b"HelloWorld!"
message_hash = hashlib.sha256(message).digest()
signature = priv_key.sign(message_hash)
print("The signature is:\n",signature)
try:
public_key.verify(signature, message_hash)
print("Signature verified: True")
except ecdsa.BadSignatureError:
print("Signature verified: False")
Applications of Digital Signatures
Financial Transactions: Digital signatures play a crucial role in secure financial transactions. They are used in online banking, e-commerce, and digital payment systems to authenticate and authorize transactions, ensuring that they cannot be tampered with or repudiated.
Contracts and Agreements: Digital signatures provide a secure way to sign documents electronically.
Email Security: Digital signatures can be used to secure email communication. By signing outgoing emails, the sender can assure the recipient that the message has not been altered during transit and that it originated from the claimed sender.
Conclusion
A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. It uses asymmetric key cryptography, which makes it more secure. The owner of the digital signature uses his private key to encrypt the signature. To verify the signature, the recipient has to use the signer’s public key.
In this article, we used ecdsa to implement a digital signature and verify it. It involves three steps- Key Generation, Signature Creation, and verification.
We have seen the code and its detailed explanation. We have seen a few applications of Digital Signatures like email security, financial transactions, and agreements.
References
To know more about the ecdsa library refer to the official documentation.