Digital Signatures and Digital Certificates

Emmanuel Livingstone
Sep 2, 2019

During my recent work on setting up Kubernetes for our org, I came across the Kubernetes components authenticating with each other using CA certs. That is when I realised that digital signatures, SSL certificates and certification authorities are terms that I’ve come across regularly as a developer but never really understood. I actually started investigating how CA certificates worked, during which I realised that they relied on digital signatures. So here we are, myself trying to solidify my understanding of how digital signatures work by blogging about it.

Before understanding digital signatures, we need to understand what asymmetric cryptography is. I’ll not be going into the details of asymmetric cryptography. It is frankly quite mathematical for me to understand at this point (with time, you never know what you’ll be working on). Asymmetric cryptography is about a pair of keys that are mathematically linked to each other. A message that is encrypted using one key of a pair can only be decrypted using the other key of the pair. This is mostly what online security is all about.

Digital Signatures

We all know what a signature is used for. Its primary purpose is to identify a specific person. Functionality-wise, digital signatures are exactly the same. The details of how they are implemented are quite different from a physical signature. First things first: similar to regular signatures, digital signatures are used only to identify the author of a document. They have nothing to do with securely transferring the document. Let me explain the steps that are followed to digitally sign a document using an example. Let’s say Jack wants to send a document to Jill. Jill wants to be sure that the document was indeed authored by Jack.

  1. Jack creates a digest of the document. This uses another cryptographic function, a one-way function (hashing), with no way to get the original message from the digest. Commonly used digest algorithms include SHA-256, which was invented by the NSA.
  2. Jack creates a public and private key pair (asymmetric key cryptography). Jack shares the public key with Jill by either sending it directly or putting it in a shared place. To avoid a man-in-the-middle attack during this phase (i.e., a malicious entity could replace the public key that is sent to Jill with one that it generated itself), Digital Certificates are used. We’ll look at Digital Certificates in the next section. For now, let’s assume that Jill has got Jack’s public key successfully.
  3. Jack encrypts the digest of the document that he generated in step 1 using the private key he generated in step 2.
  4. Jack then embeds the encrypted digest with the original document and then sends it over to Jill.
  5. Jill now has the document as well as the encrypted digest. Jill would want to be sure that the document that she has received was indeed authored by Jack. Since she has Jack’s public key, she uses it to decrypt the digest.
  6. Jill also runs the same digest algorithm that Jack ran on the document to generate a new digest. If the new digest that Jill generated matches the decrypted digest, then Jill can be sure that the message was authored by Jack.

The only step that could be exploited is step 2, where Jill needs to get Jack’s public key. Anybody could claim that they are Jack and send their public key to Jill. To avoid this, Jack needs to procure a Digital Certificate and send it along with the document to Jill.

Digital Certificates

A Digital Certificate is used to identify a person or organisation. It is generally issued by a Certificate Authority (e.g., VeriSign, Symantec). These certificate authorities also have public and private key pairs generated and owned by them. The public keys of these well-known certificate authorities are present in standard browsers and web clients.

Let’s look at the relevant components of a Digital Certificate:

  1. Identity of the entity which is verified by the Certificate Authority
  2. Public key generated by the entity
  3. Issuer Details
  4. Expiry Date

The Digital Certificate is digitally signed by the Certificate Authority. This signing process is exactly the same process that was described in the previous section and is used to validate that the digital certificate was indeed authored by the Certificate Authority. The certificate authority uses its own asymmetric key pair to sign the digital certificate. The public key of the asymmetric pair that the Certificate Authority uses is stored in the local system’s certificate store and generally comes along with the OS. For example, on Debian systems, these certificates are distributed as part of the ca-certificates package.

Now let’s come back to the problem in step 2 of the previous section (Digital Signatures). We mentioned that the process of distributing the sender’s public key to the receiver could be a potential point of attack. Since distribution of the Certificate Authorities’ public keys is taken care of by the underlying OS, when the sender uses a Digital Certificate to distribute his public key, the receiver can be sure of the sender’s public key after validating the signature on the Digital Certificate.
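The six signing steps and the certificate check described above, as an added example that is not part of the original article: a textbook RSA sketch in Python using only the standard library. The fixed primes, the function names (`keypair`, `issue_certificate`, `key_from_certificate`), the "Example CA" issuer and the JSON certificate layout are assumptions made for illustration; real systems use random keys, padded signatures and X.509 certificates.

```python
import hashlib, json

E = 65537  # public exponent

def keypair(a, b):
    # Toy key built from the known Mersenne primes 2**a-1 and 2**b-1
    # (constructed for this demo; real keys use random secret primes).
    p, q = 2**a - 1, 2**b - 1
    d = pow(E, -1, (p - 1) * (q - 1))
    return (p * q, E), (p * q, d)             # (public, private)

def digest(data):
    # Step 1: SHA-256 digest of the document, as an integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)            # step 3: private-key operation on the digest

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data)   # steps 5 and 6

def encode(body):
    return json.dumps(body, sort_keys=True).encode()   # stable bytes for the CA to sign

def issue_certificate(subject, subject_public, issuer, expiry, ca_private):
    # The four components listed above, signed with the CA's private key
    body = {"subject": subject, "public_key": list(subject_public),
            "issuer": issuer, "expiry": expiry}
    return {"body": body, "signature": sign(encode(body), ca_private)}

def key_from_certificate(cert, ca_public, today):
    # Jill trusts only the CA key from her certificate store
    body = cert["body"]
    if not verify(encode(body), cert["signature"], ca_public):
        raise ValueError("certificate was not signed by the trusted CA")
    if today > body["expiry"]:                # ISO dates compare correctly as strings
        raise ValueError("certificate has expired")
    return tuple(body["public_key"])

if __name__ == "__main__":
    ca_pub, ca_priv = keypair(127, 1279)
    jack_pub, jack_priv = keypair(521, 607)
    doc = b"Fetch a pail of water"            # constructed sample document
    sig = sign(doc, jack_priv)
    cert = issue_certificate("Jack", jack_pub, "Example CA", "2030-01-01", ca_priv)
    key = key_from_certificate(cert, ca_pub, today="2019-09-02")
    print("document verifies:", verify(doc, sig, key))
    print("tampered verifies:", verify(doc + b"!", sig, key))
```

A signature made with someone else's key still verifies against that other key, which is why Jill takes Jack's key only from a certificate that validates against the CA key she already holds.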

For the sake of brevity, I’ve not explained Chain of Trust in this article. This article was heavily inspired by this excellent YouTube video. It gives a nice visual explanation of the whole concept. Since this is a very basic concept around which internet security is built, I think every developer should know these basics. In this article we’ve looked at how entities can establish their identity digitally. In the following articles, I’ll explain how SSL is used to securely transfer data between two parties over a network.