Digital signature Question

From: Roger A. Grimes (rogerg_at_cox.net)
Date: 11/06/03

    To: <security-basics@securityfocus.com>
    Date: Thu, 6 Nov 2003 12:53:02 -0600
    
    

    It's that time of the month again, when I gain weight, retain water, and
    feel stressed...it's time for me to bug the fine folks of this list with my
    seemingly monthly question about public/private crypto stuff. I've asked a
    few questions over the months and the excellent responses have been
    overwhelming. I always get my answer (and enough wrong replies to make me
    realize that I'm not the only one still trying to understand crypto even
    after ten years in the security field). So, thanks in advance to anyone who
    answers.

    Main Question: When I hash a message to authenticate it, and then encrypt
    the hash result with a private key to make a digital signature, is the
    private key I'm using at that point (normally) a shared symmetric private
    key or my private key from my private/public key pair?

    I see many web sites (ex. www.whatis.com, and many others saying) that a
    digital signature is made when the user uses their CA assigned private key
    to encrypt the hash result. But my understanding has always been that
    private/public key crypto exists mainly to transport the more secure shared
    symmetric private key that does the original signing/encrypting.

    Hence, I think the answer is that the message hash is signed by the shared
    symmetric private key and that key is then signed by the sender's private
    key from the sender's private/public key pair. Am I correct?

    If so, when is the digital signature made? At what point...when it is
    signed by the symmetric private key or by the private key from the
    private/public key pair?

    Roger

    ****************************************************************************
    ****
    *Roger A. Grimes, Computer Security Consultant
    *CPA, MCSE:Security (NT/2000/2003), CNE (3/4), A+
    *email: rogerg@cox.net
    *cell: 757-615-3355
    *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
    *http://www.oreilly.com/catalog/malmobcode
    *Author of upcoming Honeypots for Windows (Apress)
    ****************************************************************************
    *****
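
The two operations the question contrasts, as an added example that is not part of the original post: a message hash signed with the private half of a key pair and checked with the public half, beside an integrity tag computed with a shared symmetric key. The primes, keys, message and function names are constructed for illustration, and the RSA is unpadded textbook RSA at toy size, not a usable scheme.

```python
import hashlib
import hmac

# Constructed toy RSA key pair (textbook RSA, no padding; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the signer

def digest_as_int(message: bytes) -> int:
    """Hash the message and map the digest into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Signer: transform the hash with the private exponent of the key pair."""
    return pow(digest_as_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone: reverse the transform using only public values, then compare hashes."""
    return pow(signature, E, N) == digest_as_int(message)

def mac(message: bytes, shared_key: bytes) -> bytes:
    """Shared-key tag (HMAC-SHA256): every holder of the key can compute it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def demo() -> dict:
    msg = b"constructed sample message"
    sig = sign(msg)
    shared = b"constructed shared key"
    tag_by_sender = mac(msg, shared)
    tag_by_receiver = mac(msg, shared)   # the receiver can mint the same tag
    return {
        "valid": verify(msg, sig),                 # untouched message verifies
        "tampered": verify(msg + b"!", sig),       # altered message fails
        "mac_same_from_either_side": hmac.compare_digest(tag_by_sender, tag_by_receiver),
    }

if __name__ == "__main__":
    print(demo())
```

`verify` never touches `D`, so a passing check shows the holder of the private exponent produced the value; the HMAC tag is identical whichever key holder computes it, so it shows integrity between the two parties but not which of them created it.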


