You may come across a requirement to digitally sign an email or a notion of digital signatures. But what does that mean? Does it mean the email is encrypted and only recipient can read it? Not at all.

Digital signatures provide so-called non-repudiation, which is the combination of two goals of a cryptosystem: Authentication and Integrity. This method proves that a document was signed by the owner (Authentication) and the message has not been altered (Integrity). The signature is usually attached to the original document.

Digital signatures use both asymmetric encryption and a hash algorithm (e.g. RSA and SHA-1). Asymmetric encryption means that there are two keys: one is private and the other one is public. The message encrypted with a private key may be decrypted with the public key and the other way around.

CREATE DIGITAL SIGNATURE

1. Sender generates a message digest by applying hash algorithm to the message. → Text + Hash = Message Digest

2. Message digest is encrypted with the private key of the signer. This creates a digital signature. → Message Digest + Private Key = Digital Signature

3. Sender attaches the digital signature to the document.

VERIFY DIGITAL SIGNATURE

1. Receiver runs a hash algorithm against the text/message (since it is sent in plaintext) to generate the message digest. → Text + Hash = Message Digest

2. Receiver decrypts the digital signature with the public key to reveal the message digest. → Digital Signature + Public Key = Message Digest

3. Compare two message digests. If they match, it is non-repudiation. If the message digests do not match, either the sender is bogus or the integrity has been violated or both. → Message Digest = Message Digest

Digital signatures do not provide confidentiality or secrecy because the text is still sent in plaintext. If confidentiality is vital, another form of encryption must be applied to achieve this goal.