How do digital signatures prevent duping the system?
I'm a consulting project manager so I have to admit I don't know all the intricacies needed to develope a secure environment. I've read many of the articles that say digital signitures will verify the message came from who the person says he is, and that a hash is used to determine if the message has been tampered with, but none of the articles I have seen says how that works. What is to keep somebody else from installing somebody else's certificate on their own computer and duping the system? How does a hash tell if the message has been tampered with?
A digital signature uses encryption technology to support data integrity and nonrepudiation. A digital signature provides proof that a particular person (the signatory) sent a piece of information (the signed data). Digital signatures rely on public key cryptography rather than certificates. You create a digital signature by using your private key to apply a signing encryption algorithm to the data being signed. The signing algorithm does not modify the data, but it does produce a unique value (the hash), which is the digital signature. The receiver verifies the signature by applying a verification encryption algorithm to the same data, but this time using the signatory?s public key. The generated value should match the digital signature. If the signed data have been tampered with in any way during transport, the signatures won?t match. Because only the signatory has access to the private key, the receiver is assured that the signed data did in fact come from that person and that the data have not been altered in any way.
This was first published in April 2003