Skip to main content
Cryptography Basics
CHAPTER 08

Digital Signatures and Authentication

Updated: May 15, 2026
25 min read

# CHAPTER 8

Digital Signatures and Authentication

1. Introduction

If you receive an email from the CEO instructing you to wire $50,000 to an offshore account, how do you mathematically prove the CEO actually sent it, and that a hacker didn't spoof their email address? In the physical world, we use handwritten signatures to verify identity and intent on contracts. In the cyber world, we use Digital Signatures. In this chapter, we will combine the concepts of Asymmetric Cryptography and Hashing to establish the ultimate cryptographic proof of identity: Non-repudiation.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define the concept of Non-repudiation in cryptography.
  • Understand how Asymmetric keys are used in reverse for signing.
  • Explain the step-by-step workflow of generating a Digital Signature.
  • Understand how Digital Signatures guarantee both Identity and Data Integrity.
  • Differentiate between a physical electronic signature and a cryptographic Digital Signature.

3. Beginner-Friendly Explanation

Imagine a king sending a royal decree via a messenger.
  • The Problem: A spy intercepts the messenger, burns the king's letter, writes a fake letter declaring war, and delivers that instead.
  • The Solution (The Wax Seal): The king writes the letter, drips hot wax on the envelope, and presses his unique, heavy golden ring into the wax.
  • The Verification: When the receiver gets the letter, they look at the wax. If the wax is broken, they know the letter was tampered with (Integrity). Because only the king possesses that specific golden ring, the unbroken seal proves the king definitely sent it (Authentication).

A Digital Signature is the mathematical equivalent of the king's unforgeable wax seal.

4. Reversing Asymmetric Cryptography

In Chapter 5, we learned Asymmetric Encryption for *Confidentiality*:
  • Encrypt with the Public Key -> Decrypt with the Private Key.

Digital Signatures use Asymmetric Cryptography for *Authentication* (Reversing the process):

  • Encrypt with the Private Key -> Decrypt with the Public Key.
Wait, if you encrypt something with your Private Key, *anyone* in the world can decrypt it using your Public Key! Doesn't that ruin the secrecy? Yes. Digital Signatures do NOT provide secrecy. They provide proof of origin. If a message can successfully be decrypted using Alice's Public Key, it mathematically proves that it *must* have been encrypted by Alice's Private Key. Therefore, Alice definitely sent it.

5. The Digital Signature Workflow

Sending an entire file encrypted with a slow Private Key takes too long. Instead, we use Hashing. How Alice signs a contract and sends it to Bob:
  1. 1. Hash: Alice runs the contract (a PDF) through a hash function (e.g., SHA-256) to create a fingerprint: A1B2...
  1. 2. Sign: Alice encrypts *only the hash* using her Private Key. This encrypted hash is the "Digital Signature."
  1. 3. Send: Alice sends the plaintext contract AND the Digital Signature to Bob.

How Bob verifies the contract:

  1. 1. Decrypt: Bob receives the package. He uses Alice's Public Key to decrypt the Digital Signature, revealing the hash: A1B2...
  1. 2. Hash: Bob runs the plaintext contract through the same SHA-256 hash function himself.
  1. 3. Verify: Bob compares his hash with Alice's hash. If they match exactly, Bob knows two things with 100% certainty:
  • Alice sent it (Because her Public Key worked).
  • The contract hasn't been altered (Because the hashes match).

6. Non-repudiation

Because Alice is the only person in the universe who possesses her Private Key, she cannot later claim, "A hacker sent that contract, not me!" The mathematics prove her involvement. This concept is called Non-repudiation and is the foundation of legally binding digital contracts and blockchain transactions.

7. Mini Project: Sign and Verify Messages Concept

Let's conceptualize this using OpenSSL in the terminal.

Step-by-Step Walkthrough:

  1. 1. Alice hashes the document:
``bash openssl dgst -sha256 -out contract.hash contract.txt `
  1. 2. Alice Signs the hash with her Private Key:
`bash openssl pkeyutl -sign -in contract.hash -inkey aliceprivate.pem -out contract.sig ` *(She sends contract.txt and contract.sig to Bob).*
  1. 3. Bob Verifies the signature using Alice's Public Key:
`bash openssl pkeyutl -verify -in contract.hash -sigfile contract.sig -pubin -inkey alicepublic.pem ` *Output:* Signature Verified Successfully

8. Real-World Scenarios

When a developer writes a software update for your iPhone, how does your phone know the update actually came from Apple, and not from a hacker trying to install a virus? Apple digitally signs the software update package using Apple's heavily guarded corporate Private Key. Your iPhone has Apple's Public Key permanently hardcoded into its operating system. Before installing the update, the iPhone verifies the digital signature. If the signature is invalid (meaning it wasn't signed by Apple), the phone refuses to install the malware.

9. Best Practices

  • Do not confuse Electronic Signatures with Digital Signatures: Using a stylus to draw your name on an iPad is an "Electronic Signature." It is easily copied and pasted, offering zero cryptographic security. A "Digital Signature" is a mathematical algorithm that securely binds the identity of the signer to the exact, unaltered contents of the document.

10. Legal and Ethical Notes

Under laws like the ESIGN Act (US) and eIDAS (EU), cryptographic Digital Signatures carry the exact same legal weight as a wet-ink signature on a piece of paper. You can be held legally and financially liable for contracts signed with your Private Key.

11. Exercises

  1. 1. Explain the workflow of creating a Digital Signature. Why do we encrypt the *hash* of the document rather than the entire document itself?
  1. 2. Define Non-repudiation. Why is this concept critical for online banking transactions?

12. FAQs

Q: If Alice's Private Key is stolen, does Non-repudiation still hold true? A: No. If a hacker steals Alice's Private Key, they can forge her signature perfectly. This is why Private Key compromise is catastrophic. Alice must immediately revoke her key (publish a notice that it was stolen) so others know not to trust future signatures.

13. Interview Questions

  • Q: Describe how Asymmetric Cryptography is used in reverse to achieve Authentication instead of Confidentiality.
  • Q: A user downloads a binary file and an associated .sig` file from a vendor. Detail the exact cryptographic process the user's system performs to verify the integrity and authenticity of the downloaded binary.

14. Summary

In Chapter 8, we achieved the final pillar of cryptographic trust: Non-repudiation. We learned that by reversing the asymmetric process—encrypting with the Private Key—we can mathematically prove the origin of a message. By combining this with Hashing, we created the Digital Signature, a mechanism that simultaneously guarantees who sent a file and proves the file was never altered in transit. Digital signatures are the invisible seals that secure software updates, financial ledgers, and global commerce.

15. Next Chapter Recommendation

We know how to encrypt data, and we know how to sign it. Now, how do we combine all these moving parts—Symmetric Keys, Asymmetric Keys, Hashes, and Signatures—into a single seamless protocol that secures the entire web? Proceed to Chapter 9: SSL/TLS and HTTPS Basics.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Password Security and Hashing
Next Chapter SSL/TLS and HTTPS Basics

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5