Re: Digital signature Question

[Hollis Johnson <hollis () cisco com>]

Roger, I'm pretty new in the Crypto field, but I'll try -- and see if I 
know what I'm talking about.

The hash or "message digest", to use what seems to be the term used in the 
books, uses a symmetric or "shared" key. This is used to verify the 
contents of the message.

Then apply your private key, which is used to verify the message is 
actually from you, or non-repudiation.

The two separate issues are:

- the message I see is what you sent
- the message I see is from you

Does that make sense??

And we'll see if I'm correct or correct-ed :-)


At 12:53 PM 11/6/2003 -0600, Roger A. Grimes wrote:
> It's that time of the month again, when I gain weight, retain water, and
> feel stressed...it's time for me to bug the fine folks of this list with my
> seemingly monthly question about public/private crypto stuff.  I've asked a
> few questions over the months and the excellent responses have been
> overwhelming.  I always get my answer (and enough wrong replies to make me
> realize that I'm not the only one still trying to understand crypto even
> after ten years in the security field).  So, thanks in advance to anyone who
> answers.
>
> Main Question:  When I hash a message to authenticate it, and then encrypt
> the hash result with a private key to make a digital signature, is the
> private key I'm using at that point (normally) a shared symmetric private
> key or my private key from my private/public key pair?
>
> I see many web sites (ex. www.whatis.com, and many others saying) that a
> digital signature is made when the user uses their CA assigned private key
> to encrypt the hash result.  But my understanding has always been that
> private/public key crypto exists mainly to transport the more secure shared
> symmetric private key that does the original signing/encrypting.
>
> Hence, I think the answer is that the message hash is signed by the shared
> symmetric private key and that key is they signed by the sender's private
> key from the sender's private/public key pair.  Am I correct?
>
> If so, when is the digital signature made?  At what point...when it is
> signed by the symmetric private key or by the private key from the
> private/public key pair?
>
> Roger
>
> ****************************************************************************
> ****
> *Roger A. Grimes, Computer Security Consultant
> *CPA, MCSE:Security (NT/2000/2003), CNE (3/4), A+
> *email: rogerg () cox net
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
> *http://www.oreilly.com/catalog/malmobcode
> *Author of upcoming Honeypots for Windows (Apress)
> ****************************************************************************
> *****
>
>
> ---------------------------------------------------------------------------
> Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> The Presidio integrates PGP data encryption and XML Web Services security to
> simplify the management and deployment of PGP and reduce overall PGP costs
> by up to 80%.
> FREE WHITEPAPER & 30 Day Trial -
> http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------