Digital signature Question

From: Roger A. Grimes (rogerg_at_cox.net)
Date: 11/06/03

    To: <security-basics@securityfocus.com>
    Date: Thu, 6 Nov 2003 12:53:02 -0600
    
    

    It's that time of the month again, when I gain weight, retain water, and
    feel stressed...it's time for me to bug the fine folks of this list with my
    seemingly monthly question about public/private crypto stuff. I've asked a
    few questions over the months and the excellent responses have been
    overwhelming. I always get my answer (and enough wrong replies to make me
    realize that I'm not the only one still trying to understand crypto even
    after ten years in the security field). So, thanks in advance to anyone who
    answers.

    Main Question: When I hash a message to authenticate it, and then encrypt
    the hash result with a private key to make a digital signature, is the
    private key I'm using at that point (normally) a shared symmetric private
    key or my private key from my private/public key pair?

    I see many web sites (ex. www.whatis.com, and many others saying) that a
    digital signature is made when the user uses their CA assigned private key
    to encrypt the hash result. But my understanding has always been that
    private/public key crypto exists mainly to transport the more secure shared
    symmetric private key that does the original signing/encrypting.

    Hence, I think the answer is that the message hash is signed by the shared
    symmetric private key and that key is then signed by the sender's private
    key from the sender's private/public key pair. Am I correct?

    If so, when is the digital signature made? At what point...when it is
    signed by the symmetric private key or by the private key from the
    private/public key pair?

    Roger

    ********************************************************************************
    *Roger A. Grimes, Computer Security Consultant
    *CPA, MCSE:Security (NT/2000/2003), CNE (3/4), A+
    *email: rogerg@cox.net
    *cell: 757-615-3355
    *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
    *http://www.oreilly.com/catalog/malmobcode
    *Author of upcoming Honeypots for Windows (Apress)
    ********************************************************************************
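
The hash-then-sign operation the question asks about, as an added example that is not part of the original post: the hash is transformed with the signer's private key from the key pair and checked with the public key alone, with a shared-key HMAC beside it for contrast. The key values, messages and function names are constructed for illustration, and unpadded textbook RSA is an assumption made to keep the example standard-library only.

```python
import hashlib
import hmac

# Constructed toy key pair: two Mersenne primes, chosen only so the example
# runs offline. Real keys use random primes and a padding scheme such as PSS.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (n, e), given to everyone
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never shared


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signer only: transform the hash with the private exponent."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone: undo the transform with the public key and compare hashes."""
    return pow(signature, E, N) == digest(message)


def mac(message: bytes, shared_key: bytes) -> bytes:
    """Shared-key integrity tag (HMAC-SHA256), shown for contrast."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, tag: bytes, shared_key: bytes) -> bool:
    """Verifying a MAC needs the same secret that created it."""
    return hmac.compare_digest(tag, mac(message, shared_key))


def demo() -> dict:
    msg, altered = b"Pay Bob 100", b"Pay Bob 900"   # constructed messages
    sig = sign(msg)
    shared = b"constructed-shared-secret"
    # The receiver holds the shared secret too, so it can mint a valid tag
    # for a message the sender never wrote; a MAC cannot prove authorship.
    receiver_made_tag = mac(altered, shared)
    return {
        "signature_valid": verify(msg, sig),
        "altered_message_valid": verify(altered, sig),
        "receiver_made_tag_valid": mac_verify(altered, receiver_made_tag, shared),
    }


if __name__ == "__main__":
    print(demo())
```
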


