In the previous short blog, we covered the basics of encryption.
In this article, let's take it a step further and talk about hashing and digital signatures.
The first question that arises is: why do we even need hashing or digital signatures?
Let us consider a scenario where a person named Alice is trying to send some data safely to Bob using public key cryptography. But Bob is still skeptical. He wants assurance that the data he received came from Alice and that no one interfered in the process. This is where hashing and digital signatures play a huge role. Let us briefly go through these two concepts and how they can be intertwined with each other.
Hashing
Hashing is a process in which data (images, files, etc.) is converted into a fixed-length representation of that data.
For example,
With the use of a hash function, this picture of a cute yawning cat is converted into something like this:
You will notice two things here:
md5sum was used.
The command was repeated twice.
Both were done intentionally.
The command uses the MD5 hashing algorithm, which is one of the hash functions mentioned above.
Notice that the hashes created from the same data are exactly the same. Essentially, the same data always generates the same hash; this is how we know that the data was not tampered with.
Disclaimer: MD5 is known to be weak against collisions: different files can be made to produce the same hash. Hence, it is necessary to use a modern, widely used algorithm such as SHA-256 (part of the SHA-2 family).
Once the data is converted to a hash, it cannot be converted back to its original form.
But how does this process help in determining the original owner of the data?
This will become clearer as we continue with the analogy above.
Digital Signatures
Two principles are satisfied by using digital signatures.
Authenticity (WHO)
Integrity (WHAT)
A digital signature is created with the private key, and the corresponding public key is used to verify it.
Now, let us come back to the Alice and Bob analogy to drive the concepts home. Alice is more than happy to satisfy Bob's request for reassurance. This is what Alice does:
The data is fed into a hash function, giving her a hash.
Alice generates a private/public key pair.
Using the private key, Alice signs the generated hash. Think of signing as an authenticity mark from the owner. The hash cannot be changed without detection, as nobody else has the private key.
Alice can store the public key anywhere she wants so that Bob can receive it, be it an email chain or a storage service such as S3 in AWS or Google Storage. There is no cause for concern even if an attacker gets hold of the public key.
Alice transfers the signed hash along with the original data to Bob.
Bob receives the data and the signed hash.
Bob then uses Alice's public key to derive the original hash. Essentially, this means the signed hash was produced with the private key that pairs with this public key, so the public key decrypts it back into its original form.
Bob uses the same hash function to generate a hash of the data he received. Since the same data goes through the exact same hash function, it should generate the same hash, reassuring Bob that the data was definitely sent by Alice.
Bob compares his generated hash with the decrypted hash.
Bob is ecstatic seeing the hashes match!!!
Disclaimer: If the hashes do not match, it confirms that the data was not sent by Alice or that it has been tampered with.
Hence, hashing in combination with digital signatures makes the transfer of data secure, reliable and authentic.
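The steps above as a runnable sketch, added here as an illustration and not part of the original article. It uses textbook RSA with a constructed toy key so that the recovered hash is visible; the primes, the sample message and the function names are all assumptions. Real systems use a vetted library with a padded scheme such as RSA-PSS, where the comparison happens inside a single verify call.

```python
import hashlib

# Constructed toy key: two Mersenne primes, chosen only so the example runs
# offline with no dependencies. Never build real keys this way.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Alice only)


def digest(data: bytes) -> int:
    """SHA-256 of the data as an integer (the 'hash' in the steps above)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Alice: hash the data, then transform the hash with the private key."""
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Bob: recover the signed hash with the public key, re-hash, compare."""
    recovered = pow(signature, e, n)
    return recovered == digest(data)


def demo() -> dict:
    message = b"Transfer 100 to Bob"       # constructed sample data
    sig = sign(message)
    # A second, unrelated toy key pair standing in for someone who is not Alice.
    p2, q2 = 2**127 - 1, 2**521 - 1
    d2 = pow(E, -1, (p2 - 1) * (q2 - 1))
    not_alice = sign(message, d2, p2 * q2)
    return {
        "genuine": verify(message, sig),
        "tampered_data": verify(b"Transfer 900 to Bob", sig),
        "wrong_signer": verify(message, not_alice),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Only the genuine case verifies; changing a single character of the data, or signing with any key other than Alice's private key, makes Bob's comparison fail.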
This is all I wanted to cover in this article.
Stay Tuned for more...