Digital signatures are mathematical schemes used to ensure the integrity and authenticity of data, files and documents. They use cryptography to authenticate the sender of a message or the signer of a document. They provide a way to verify the identity of the sender and ensure that the message or document has not been tampered with during transmission.
Digital signatures use asymmetric encryption, which uses one key for encryption (the private key) and another key for decryption (the public key). Asymmetric encryption algorithms include Rivest-Shamir-Adleman (RSA), Diffie-Hellman, ElGamal and Elliptic Curve Cryptography (ECC).
Enough of the stories; links to further reading on digital signatures are provided in the references. Now, let's sign a document using OpenSSL and the RSA algorithm on a Linux machine.
Open a terminal and get ready to use the commands shown in this post.
First, let's create two dummy text files, file_1.txt and file_2.txt, adding data to them on creation.
Now we create a private key with the command: openssl genpkey -algorithm RSA -out private_key.pem
openssl: Shows we are using openssl.
genpkey: States that a private key should be generated.
-algorithm: Specifies that we are using the Rivest-Shamir-Adleman (RSA) algorithm.
-out: Specifies and creates the file to save the key to. The file should always have the .pem extension.
From the image above we can see that we have successfully created a private key. We now proceed to create a corresponding public key with the command: openssl pkey -in private_key.pem -pubout -out public_key.pem
pkey: Specifies that a public key is to be generated.
-in: Specifies the input file and takes the already generated private key to generate the public key.
-pubout: Tells openssl to extract the public key from the private key.
-out: Specifies the output file where the extracted public key will be saved.
We have a corresponding public key for the private key and can proceed to sign the files with the private key. To do this, we use the command: openssl dgst -sha256 -sign private_key.pem -out mysignature <file/filepath>
dgst: Specifies the message digest to be used.
-sha256: Specifies that the hashing algorithm used is sha256.
-sign private_key.pem: States that the file should be signed using the created private key.
-out mysignature: Outputs the generated signature to a file named mysignature.
The files file_1.txt and file_2.txt have been signed with the private key.
Now, let's verify the integrity and authenticity of the files using: openssl dgst -sha256 -verify public_key.pem -signature mysignature <file/filepath>
-sha256: Specifies that sha256 was used when signing the file.
-verify public_key.pem: Verifies the signature using the public key stored in public_key.pem.
-signature mysignature: Specifies the file containing the digital signature.
We see that the status of the files is okay, which means that they have not been altered. Let's alter the content of file_2.txt and try to verify its authenticity again.
Now we get a verification failure status for file_2.txt, and this is because the file has been altered.
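The whole procedure above as one script, written here as an added example and not taken from the original post. It assumes one signature file per input (file_1.txt.sig and file_2.txt.sig are names chosen for this example), because reusing -out mysignature for both files would overwrite the first signature, and it checks the exit status of openssl dgst -verify instead of reading the printed message.

```shell
#!/bin/sh
# Added example: file contents and the .sig names are constructed for this demo.

# verify_file PUBKEY SIGFILE FILE -> prints "ok" or "fail".
# openssl dgst -verify exits non-zero on a bad signature and also when an
# input cannot be read, so both cases are reported as "fail".
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
    then echo ok
    else echo fail
    fi
}

# Runs key generation, signing, verification and tampering in a scratch
# directory and prints four results separated by spaces.
sign_and_check() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    umask 077                      # keep the private key away from other users

    printf 'first dummy file\n'  > file_1.txt
    printf 'second dummy file\n' > file_2.txt

    # Key pair, exactly as in the post.
    openssl genpkey -algorithm RSA -out private_key.pem 2>/dev/null
    openssl pkey -in private_key.pem -pubout -out public_key.pem

    # One signature file per input file.
    for f in file_1.txt file_2.txt; do
        openssl dgst -sha256 -sign private_key.pem -out "$f.sig" "$f"
    done

    r1=$(verify_file public_key.pem file_1.txt.sig file_1.txt)   # untouched
    r2=$(verify_file public_key.pem file_2.txt.sig file_2.txt)   # untouched
    # A signature only matches the file it was made for.
    r3=$(verify_file public_key.pem file_1.txt.sig file_2.txt)
    # Alter file_2.txt after signing, then verify again.
    printf 'extra line\n' >> file_2.txt
    r4=$(verify_file public_key.pem file_2.txt.sig file_2.txt)

    echo "$r1 $r2 $r3 $r4"
    cd / && rm -rf "$dir"
)

sign_and_check
```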
We see that this is a simple way to verify that data has not been altered, and it is employed in various applications to ensure data authenticity and integrity as well as to improve non-repudiation.
Well, it is best to first hash the files to be signed and then sign them to improve the security of such files. However, we just want to get away without hashing the files. We'll do that some other time.
Until we meet again, feliz piratería.
References
What is a Digital Signature? - https://www.techtarget.com/searchsecurity/definition/digital-signature
Digital Signature - https://en.wikipedia.org/wiki/Digital_signature
What is SHA Algorithm: How it Works and Applications - https://www.simplilearn.com/tutorials/cyber-security-tutorial/sha-256-algorithm