Digital signatures should be one of your most favorite things to study for the CISSP exam.
By knowing the concept of digital signatures, you also get to know about these 4 other things:
Hashing
Nonrepudiation
Encryption
Authentication
All 4 of the terms above go into making digital signatures possible. If you were ever confused about any of these terms or how they really work, I hope the following section clears any doubt.
Steps to Create a Digital Signature
SENDER
STEP 1
You have this message to send your server administrator
"Update servers at midnight"
STEP 2
If you run this message through an MD5 hash generator, you get "2d0844f36f49d9773c16cbedf0622287"
Fact: Every time you use the MD5 hashing algorithm to hash the message "Update servers at midnight", you will always get the output of "2d0844f36f49d9773c16cbedf0622287".
I tried two different online MD5 hash generators, you can try yourself here:
http://passwordsgenerator.net/md5-hash-generator/
http://www.md5hashgenerator.com/
CISSP Tip: Try it yourself with the above links for that extra push into truly understanding the concept. Once you experience something from your CISSP studies in real life, it helps to truly know the concept instead of memorizing it.
If you hashed a message, and I knew what algorithm (MD5 or SHA1) you used to hash the message, I can always re-run the same message through the same hash algorithm to get the same message digest. Remember, there is no encrypting or decrypting in hashing (sometimes I say it accidentally.) Hashing is one-way, the sender just sends it, there is no decryption or hashing back from the receiver to the sender unless is running the hash again.
But I have to know the exact message, including letters that are uppercase or lowercase. If just one letter is different when I go to decrypt the message, then the entire hash will be different. For example, here is the hash of the message "update servers at midnight" without the "u" capitalized:
"24ea1247b7fb736b373c25691f90e971"
See how the output of this hash is not even close to the hash of the message when I didn't capitalize the "u" in update?
This is how hashing provides integrity, and does not provide confidentiality. If just one character is changed during transmission, the entire hash is changed.
STEP 3
Take the hash output, and encrypt it with your private key to get:
"evuPFdPUA/98IVL7+mBP/JRdUPwlzcTY6HSexpFFHhsMvHwUaz+T5sfcnU7MO3c7"
I used this site to encrypt the hash from Step 2:
http://aesencryption.net/
To Recap
Original Message
Update servers at midnight
Hash of that message
2d0844f36f49d9773c16cbedf0622287
Hash encrypted with AES-128 bit private key (password: cissp)
evuPFdPUA/98IVL7+mBP/JRdUPwlzcTY6HSexpFFHhsMvHwUaz+T5sfcnU7MO3c7
To complete the transaction, you SENT THE ORIGINAL MESSAGE and the ENCRYPTED HASH to the receiver.
CISSP TIP: THIS...this is why a digital signature does not provide confidentiality. Because you are clearly sending the original message in plaintext over the public Internet to the receiver, anybody can read the message. It is when we encrypt the entire process of a digital signature with asymmetric encryption, do we finally provide confidentiality. But for digital signatures by themselves, they do not provide confidentiality.
Digital signatures provide authenticity, nonrepudiation, and integrity. If the digital signature itself is encrypted, then it provides confidentiality.
RECEIVER
STEP 4
The receiver takes the encrypted hash, and decrypts it with your public key.
The decryption reveals the MD5 hash of the original message
"2d0844f36f49d9773c16cbedf0622287"
Since the message can only be decrypted by your public key, this confirms authentication of the message, as well as nonrepudiation.
Nonrepudiation means the sender cannot deny they are the one who sent the message, because only they should have their private key to sign the hash output. Which in turn means the sender also has confirmation the delivery of the message since someone has been able to decrypt it with their corresponding public key.
STEP 5
Receiver also runs the original message through the MD5 hash generator:
"2d0844f36f49d9773c16cbedf0622287"
It is the same hash that was produced by the sender, this confirms integrity of the sent message. The receiver can be sure not one character has been changed while data is in motion.
By using the public key of the sender to decrypt the encrypted hash, and by running the MD5 algorithm on the original message, the receiver can confirm authenticity, nonrepudiation, and integrity.
This is the process of a digital signature. If you have any questions, comments, or corrections, leave me a comment.