Digital signature are in many ways analogous to physical signatures. Digital signature provide a way to authenticate documents and other types of data like images, emails or other types of files. When a sender sends data through a document, it becomes important to identify the sender’s authenticity for security and safety reasons. Digital signature are used for this identification.
Digital signature allow you to authenticate a document, proving that it hasn’t been altered in transit. It means you know who is the sender and the data you received is exactly what the sender sent. When a message or data is signed with Digital signature, some malicious person can’t clip out a digital signature, modify the original document and attach an old signature to the result(data). He even can’t generate a new signature and claim that the document came from its original sender.
Digital signature work on the public key cryptography architecture. As per the asymmetric algorithm an asymmetric key system encrypts using a public key and decrypts with a private key. For Digital signature the reverse is true. If the sender encrypts something with his/her private key, anyone can use my public key to read the message. Sounds like there is no use of this system, but here we are not trying to keep the message secret, we are trying to prove that a specific person(me) could have sent the message. No one has my private key so no one else can send a message that can be decrypted with my public key. Therefore, only the real sender could have sent the message.
Digital signature is not any kind of data encryption but it has many more advantages over data encryption. Encryption of a large message or documents with complex algorithms takes a long time, even with fast computers. And some asymmetric algorithms just aren’t suitable for encrypting large amounts of data for other reasons as well. With Digital signature we don’t usually encrypt the entire message.
We use a standard algorithm to create a “hash” or “message digest” to produce the signature, then encrypt the message digest(relatively smaller in size) with the private key. The result of the encryption is our Digital signature. The recipient(receiver) can then decrypt the signature with the public key and check whether the resulting message digest matches the message he received. If yes, then the message hasn’t been altered and the sender is who he claims to be.
Note : The main thing to note here is that message digest(hash) is a fixed length string of numbers and letters generated from a mathematical algorithm and an arbitrarily sized file such as email, image, documents, etc. This generated string(result) is unique to the file being hashed and is a one-way function. Computed hash can’t be reversed to find other files that may generate the same hash value. This hash value will be very small in terms of size. Some hashing algorithms like SHA-1, SHA-256, MD-5.
Another advantage over here is we don’t even have to make sure that the communication by which we received the data is secure or not. We simply check the signature after data arrives, if the signature matches then the data is the actual one which is sent by the author.
Let’s see now how we can create and verify Digital signature for specific data in java. Before moving further just take a note that KeyPairGenerator, KeyPair, PrivateKey, PublicKey, Signature class is part of java.security package. So please make sure to import the package to start working on.
- Create a KeyPairGenerator object which will generate public and private keys
//DSA is algorithm to generate public/private keys, can be used anyone as per choice
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance(“DSA”);
- Initialize the KeyPairGenerator object
//2048 is int parameter mentioning size of key
- Generate the KeyPair object which will give us public and private keys
//generateKeyPair method will generate keys
KeyPair pair = keyPairGen.generateKeyPair();
- Get public and private keys from the pair object. Public key will be required at the time of verification
//Taking the private key from the key pair
PrivateKey privKey = pair.getPrivate();
//Taking the public key from the key pair
PublicKey pubKey = pair.getPublic();
- For creating signature we have Signature class in java so lets create object of signature class
//SHA256withDSA is algorithm to to create signature, can be used other as well as per choice
Signature sign = Signature.getInstance(“SHA256withDSA”);
- Now initialize signature object which required private key to pass for encryption
//Initialize the signature with private key for hash encryption
- Our signature object is ready now, as soon as we pass data to it, data will be hash with specific algorithm and encrypt with given private key
//bytes will be byte array of our data, it can be document or any other file
byte bytes = “42Gears Tech blog”.getBytes();
//Adding data to the signature for which we need Digital signature
- At this final step we will generate signature to pass to network with plain data
//here signature will return byte array which will be encrypted string with private key. Basically the result will be encrypted hash of our plain data
byte signature = sign.sign();
- We have generated signature which we will pass to network from step 8, for information purpose we will do step 6 and 7 again to initialize signature object with public key to verify the signature
//Initialize the signature with public key for hash decryption
//bytes is byte array of plain text
- We have initialize signature with public key in step 9 so we will involve verify method of signature class to verify if signature is matching or not
//here we are passing byte array of generated signature which we did in step 8. Verify method will return boolean value true false which will give us result that signature is matching or not
If step 10 is returning true then our data that we send is not altered while transmitting and sent from the authorized sender only.
As you see while verification of signature we are again passing plain data to the signature object. It means that we are not encrypting any data and verifying data but we are just making sure that the actual message is the correct one and not altered during transmission. This is very beneficial in case of Government sectors, Healthcare, Financial services, crypto currencies, etc.