APPLICATIONS SUCH AS banking, stock ments. Validation refers to the process of use some information that is unique to trading, and the sale and purchase of mer- certifying the contents of the document, the sender to prevent both forgery and chandise are increasingly emphasizing while authentication refers to the process denial; it must be relatively easy to pro- electronic transactions to minimize opera- of certifying the sender of the document. duce; it must be relatively easy to recog- tional costs and provide enhanced ser- In this article, the terms document and nize and verify the authenticity of digital vices. This has led to phenomenal increas- message are used interchangeably. signature; it must be computationally infeasible to forge a digital signa- ture either by constructing a new message for an existing digital sig- nature or constructing a fraudulent digital signature for a given mes- sage; and it must be practical to ret- copies of the digital signatures in storage for arbitrating possible dis- putes later. To verify that the received docu- ment is indeed from the claimed sender and that the contents have not been altered, several proce- dures, called authentication tech- niques, have been developed. However, message authentication techniques cannot be directly used Digital signatures as digital signatures due to inade- quacies of authentication tech- niques. For example, although mes- sage authentication protects the two parties exchanging messages from a S.R. SUBRAMANYA AND BYUNG K. YI third party, it does not protect the two parties against each other. In addition, elementary authentication schemes produce signatures that are as long as the message themselves. Basic notions and terminology Digital signatures are computed ©DIGITALVISION, STOCKBYTE, COMSTOCK based on the documents (message/ information) that need to be signed and on some private information es in the amounts of electronic documents Conventional and held only by the sender. In practice, that are generated, processed, and stored digital signature characteristics instead of using the whole message, a in computers and transmitted over net- A conventional signature has the fol- hash function is applied to the message works. This electronic information han- lowing salient characteristics: relative ease to obtain the message digest. A hash dled in these applications is valuable and of establishing that the signature is authen- function, in this context, takes an arbi- sensitive and must be protected against tic, the difficulty of forging a signature, the trary-sized message as input and pro- tampering by malicious third parties (who nontransferability of the signature, the dif- duces a fixed-size message digest as out- are neither the senders nor the recipients ficulty of altering the signature, and the put. Among the commonly used hash of the information). Sometimes, there is a nonrepudiation of signature to ensure functions in practice are MD-5 (message need to prevent the information or items that the signer cannot later deny signing. digest 5) and SHA (secure hash algo- related to it (such as date/time it was cre- A digital signature should have all the rithm). These algorithms are fairly sophis- ated, sent, and received) from being tam- aforementioned features of a conven- ticated and ensure that it is highly pered with by the sender (originator) tional signature plus a few more as digi- improbable for two different messages to and/or the recipient. tal signatures are being used in practical, be mapped to the same hash value. Traditionally, paper documents are but sensitive, applications such as secure There are two broad techniques used in validated and certified by written signa- e-mail and credit card transactions over digital signature computation—symmetric tures, which work fairly well as a means the Internet. Since a digital signature is key cryptosystem and public-key cryp- of providing authenticity. For electronic just a sequence of zeroes and ones, it is tosystem (cryptosystem broadly refers to documents, a similar mechanism is nec- desirable for it to have the following an encryption technique). In the symmet- essary. Digital signatures, which are noth- properties: the signature must be a bit ric key system, a secret key known only ing but a string of ones and zeroes gen- pattern that depends on the message to the sender and the legitimate receiver erated by using a digital signature algo- being signed (thus, for the same origina- is used. However, there must be a rithm, serve the purpose of validation tor, the digital signature is different for unique key between any two pairs of and authentication of electronic docu- different documents); the signature must users. Thus, as the number of user pairs MARCH/APRIL 2006 0278-6648/06/$20.00 © 2006 IEEE 5 public key. The combination of encrypt- Message ed message and signature, together with the encrypted symmetric key, form the digital envelope containing the signed Hash Message Signature Digital Message message. Figure 6 shows the process of Function Digest Function Signature opening a digital envelope, recovering Sender’s the message, and verifying the signa- Private Key ture. First, the symmetric key is recov- ered using the recipient’s private key. Fig. 1 Creating a digital signature This is then used to decrypt and recover the message and the digital signature. increases, it becomes extremely difficult message digest is compared with the The digital signature is then verified as to generate, distribute, and keep track of one recovered from the signature. If they described earlier. the secret keys. match, then it ensures that the message A public key cryptosystem, on the has indeed been sent by the (claimed) Direct and arbitrated other hand, uses a pair of keys: a pri- sender and that it has not been altered. digital signature vate key, known only to its owner, and A variety of modes have been pro- a public key, known to everyone who Creating and opening posed for digital signatures that fall into wishes to communicate with the owner. a digital envelope two basic categories: direct and arbitrat- For confidentiality of the message to be A digital envelope is the equivalent of ed. The direct digital signature involves sent to the owner, it would be encrypt- a sealed envelope containing an unsigned only the communicating parties, sender ed with the owner’s public key, which letter. The outline of creating a digital and receiver. This is the simplest type of now could only be decrypted by the envelope is shown in Fig. 3. The message digital signature. It is assumed that the owner, the person with the correspond- is encrypted by the sender using a ran- recipient knows the public key of the ing private key. For purposes of domly generated symmetric key. The sender. In a simple scheme, a digital sig- authentication, a message would be symmetric key itself is encrypted using the nature may be formed by encrypting the encrypted with the private key of the intended recipient’s public key. The com- entire message or the hash code of the originator or sender, who we will refer bination of the encrypted message and message with the sender’s private key. to as A. This message could be decrypted the encrypted symmetric key is the digital Confidentiality can be provided by fur- by anyone using the public key of A. If envelope. The process of opening the dig- ther encrypting the entire message plus this yields the proper message, then it ital envelope and recovering the contents signature with either the receiver’s pub- is evident that the message was indeed is shown in Fig. 4. First, the encrypted lic key encryption or the shared secret encrypted by the private key of A, and symmetric key is recovered by a decryp- key, which is conventional encryption. A thus only A could have sent it. tion using the recipient’s private key. sender may later deny sending a particu- Subsequently, the encrypted message is lar message by claiming that the private Creating and verifying decrypted using the symmetric key. key was lost or stolen and that someone a digital signature else forged his signature. One way to A simple generic scheme for creating Creating and opening digital overcome this is to include a time stamp and verifying a digital signature is shown envelopes carrying signed messages with every message and requiring notifi- in Figs. 1 and 2, respectively. A hash The process of creating a digital cation of loss of key to the proper function is applied to the message that envelope containing a signed message is authority. In case of dispute, a trusted yields a fixed-size message digest. The shown in Fig. 5. A digital signature is third party may view the message and its signature function uses the message created by the signature function using signature to arbitrate the dispute. digest and the sender’s private key to the message digest of the message and In the arbitrated signature scheme, generate the digital signature. A very the sender’s private key. The original there is a trusted third party called the simple form of the digital signature is message and the digital signature are arbiter. Every signed message from a obtained by encrypting the message then encrypted by the sender using a sender A to a receiver B goes first to an digest using the sender’s private key. randomly generated key and a symmet- arbiter T, who subjects the message and The message and the signature can now ric-key algorithm. The symmetric key its signature to a number of tests to be sent to the recipient. The message is itself is encrypted using the recipient’s check its origin and content. The mes- unencrypted and can be read by any- one.