Home page logo
/

basics logo Security Basics mailing list archives

RE: Digital signature Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 6 Nov 2003 12:48:24 -0800

  The point of using a symmetric key and encrypting it using
the private key is that you've got a lot of data to encrypt
and using the asymmetric private key on it would take too long.
  In the case of a digital signature, the digest you're
encrypting is not much bigger than a symmetric key -- adding a
symmetric key encrypted with the private key would add
substantially to the volume of encrypted data without appreciably
reducing the decrypt effort.

  So while you certainly *could* do it that way, I wouldn't
expect the usual reason for doing it to offer any payoff in
this case.

David Gillett


-----Original Message-----
From: Roger A. Grimes [mailto:rogerg () cox net]
Sent: November 6, 2003 10:53
To: security-basics () securityfocus com
Subject: Digital signature Question


It's that time of the month again, when I gain weight, retain
water, and
feel stressed...it's time for me to bug the fine folks of
this list with my
seemingly monthly question about public/private crypto stuff.
 I've asked a
few questions over the months and the excellent responses have been
overwhelming.  I always get my answer (and enough wrong
replies to make me
realize that I'm not the only one still trying to understand
crypto even
after ten years in the security field).  So, thanks in
advance to anyone who
answers.

Main Question:  When I hash a message to authenticate it, and
then encrypt
the hash result with a private key to make a digital signature, is the
private key I'm using at that point (normally) a shared
symmetric private
key or my private key from my private/public key pair?

I see many web sites (ex. www.whatis.com, and many others
saying) that a
digital signature is made when the user uses their CA
assigned private key
to encrypt the hash result.  But my understanding has always been that
private/public key crypto exists mainly to transport the more
secure shared
symmetric private key that does the original signing/encrypting.

Hence, I think the answer is that the message hash is signed
by the shared
symmetric private key and that key is they signed by the
sender's private
key from the sender's private/public key pair.  Am I correct?

If so, when is the digital signature made?  At what point...when it is
signed by the symmetric private key or by the private key from the
private/public key pair?

Roger

**************************************************************
**************
****
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE:Security (NT/2000/2003), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for
Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
**************************************************************
**************
*****


--------------------------------------------------------------
-------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web
Services security to
simplify the management and deployment of PGP and reduce
overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-bas
ics_031027
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault