Btukfyl

Unfortunately, the answers here which claim that signing is equivalent to encryption of the message digest are not entirely correct. Signing does not involve encrypting a digest of the message. While it is correct that a cryptographic operation is applied on a digest of the message created by a cryptographic hash algorithm and not the message itself, the act of signing is distinct from encryption.

Taken from https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php:

In the abstract world of textbooks, RSA signing and RSA decryption do turn out to be the same thing. In the real world of implementations, they are not. So don't ever use a real-world implementation of RSA decryption to compute RSA signatures. In the best case, your implementation will break in a way that you notice. In the worst case, you will introduce a vulnerability that an attacker could exploit.

Furthermore, don't make the mistake of generalizing from RSA to conclude that any encryption scheme can be adapted as a digital signature algorithm. That kind of adaptation works for RSA and El Gamal, but not in general.

Creating a digital signature for a message involves running the message through a hash function, creating a digest (a fixed-size representation) for the message. A mathematical operation is done on the digest using a secret value (a component of the private key) and a public value (a component of the public key). The result of this operation is the signature, and it is usually either attached to the message or otherwise delivered alongside it. Anyone can tell, just by having the signature and public key, if the message was signed by someone in possession of the private key. So, how does this work?

I'll use RSA as an example algorithm. First, a little background on how RSA works. RSA encryption involves taking the message, represented as an integer, and raising it to the power of a known value (this value is most often 3 or 65537). This value is then divided by a public value that is unique to each public key. The remainder is the encrypted message. This is called a modulo operation. Signing with RSA is a little different. The message is first hashed, and the hash digest is raised to the power of a secret number, and finally divided by the same unique, public value in the public key. The remainder is the signature. This differs from encryption because, rather than raising a number to the power of a known, public value, it's raised to the power of a secret value that only the signer knows.

Although RSA signature generation is similar to RSA decryption on paper, there is a big difference to how it works in the real world. In the real world, a feature called padding is used, and this padding is absolutely vital to the algorithm's security. The way padding is used for encryption or decryption is different from the way it is used for a signature. The details which follow are more technical...

To use textbook RSA as an example of asymmetric cryptography, encrypting a message m into ciphertext c is done by calculating c ≡ m^e (mod N), where e is a public value (usually a Fermat prime), and N is the non-secret product of two secret prime numbers. Signing a hash m, on the other hand, involves calculating s ≡ m^d (mod N), where d is the modular inverse of e, being a secret value derived from the secret prime numbers. This is much closer to decryption than it is to encryption, though calling signing decryption is still not quite right. Note that other asymmetric algorithms may use completely different techniques. RSA is merely a common enough algorithm to use as an example.

The security of signing comes from the fact that d is difficult to obtain without knowing the secret prime numbers. In fact, the only known way to obtain d from N is to factor N into its component primes, p and q, and calculate d ≡ e^-1 mod (p - 1)(q - 1). Factoring very large integers is believed to be an intractable problem for classical computers. This makes it possible to easily verify a signature, as that involves determining if s^e ≡ m (mod N). Creating a signature, however, requires knowledge of the private key.

Of course one can choose to sign any (part of) information one wants, and leave other parts unsigned. But usually, when we say "sign a file", we refer to signing the whole file plus the file meta-data (e.g. file modification timestamp). This is how OpenPGP and GPG work.

But, if it is not a file, say it is XML signing, you must specify which parts of the XML content are actually covered by the signature.

Also, try to differentiate signatures from encryption. These are two independent matters. One file can be unencrypted+signed, or encrypted+unsigned, or any other combination.

Signing a file, or more generally signing some content (an email message, the body of an email message, a subtree of an XML document, a portion of a certificate, a TLS handshake, etc.), means to create a sequence of bytes which is called the signature. This process has certain properties:

• There is a method for verifying the signature. Verifying the signature gives a boolean result, either “this is a good signature of the file” or “this is not a good signature of the file”.


• A good signature for a file is never a good signature for a different file. Therefore a good signature guarantees that the file is authentic. Authenticity, in security, means that some data really comes from where it's supposed to come from.


• There is a secret value called a private key or secret key. It is impossible to create a good signature of a file if you don't know that secret value.


• In a public-key scheme, there is a value associated with the private key which is called the public key. If you know the public key, you can verify signatures, but you can't create a signature of a different file.

It's important to know that anybody can sign a file, but they can only sign it with their own private key. You can't sign a file with somebody else's private key unless you somehow manage to get hold of the private key, for example by hacking their computer. So knowing that a file comes with a good signature doesn't say anything: what's important is to know that it has a good signature made with the expected private key. This means that the verifier must know the public key in advance. If the public key is transmitted alongside the signature and the message, it doesn't prove anything in itself, but it can be useful if there is some mechanism to allow the verifier to verify the public key. Such a mechanism is called a _public key infrastructure.
In other words, the signature operation turns a promise of confidentiality of the private key, and a promise of authenticity of the public key, into a guarantee of authenticty of the file.

A signature generally means “I approve of this content”. What “approve” means depends on the context. For example:

• When Microsoft distributes a Windows update that is signed with Microsoft's Windows update signature key, the signature means that this particular code update has been approved by Microsoft. If someone wants to distribute malware and pass it off as a Windows update, they won't be able to create a good signature for it, and so the Windows update application will reject the update.


• If you receive a mail that is signed, it means that it was really written by the person who signed it (or that their machine was compromised). You don't get this guarantee from the From: line of an email in general because anybody can write whatever they want there. (Some distribution systems make it harder, but in general on the Internet there's no way to prevent people from writing whatever they want in the From: line.)


• When a certificate authority signs a certificate, what they are saying is that they have verified that the owner of the domain name listed in the certificate is the owner of the private key for which the corresponding public key is in the certificate. This kind of statement associating a name with a public key is the basis of public key infrastructures.


• When a TLS server signs the handshake of a TLS connection, it allows the client to verify that they are who they claim to be. Anyone can sign a TLS handshake, but only Google can sign a TLS handshake with the public signature for google.com.

The signature is a separate piece of data. It can be bundled in a zip file along with the signed data, added as an attachment to an email, added to an XML file as a separate node, etc. In a certificate, the signature bundled alongside the signed data. In a TLS handshake, the signature is a separate part of the messages sent by the server.

Do we sign the whole file so it becomes sort of encrypted?

No. The signature depends on the content of the file, but you can't recover the content of the file from the signature. The content needs to be transmitted alongside the signature. The content can be encrypted, but that's independent from signing it.

Is there like a piece of plain text that we sign and pass it through, for example, a zip, and let the receiving side checks that piece based on a particular protocol before going any further?

Yes, exactly. The sender passes the file content (the zip or text or whatever) to sign and the private key to the signature function, and gets the signature out. (The word “signature” can refer to either this process or to the output of this process.) The recipient passes the content and the public key to the verification function, and gets a result “it's good” or “it's bad”. Generally the recipient refuses to do anything with the content if the signature is bad.

As far as I can see, if we sign the whole file, then it can be more secure as the contents would be encrypted (or signed).

Signing something doesn't encrypt anything. Signing the whole file is more secure than signing part of a file in the sense that the signature only gives you some security about the part that is signed. If you sign part of a file then the unsigned part could be anything.