Ensuring Digital Signature Lawfulness for Personnel in UAE

How to eSign a document: digital signature lawfulness for Personnel in UAE

Welcome back, and in this lesson, I want to talk about digital signing or digital signatures. This is a process which you need to be familiar with to understand many other areas of IT, such as DNS sec or SSL certificates. If you haven't watched my video on hashing, it's linked in the description, and you should pause this video and go and do that now because it's required knowledge for this video. At this point, though, let's jump in and get started straight away. Now, before I cover how digital signatures work in detail, I want to give you a quick refresher on public key cryptography. With public key cryptography, you generate two keys as part of the pair. We have on the left the private key, and this part is secret and should only ever be known by the owner. Then we have the public key, and this is not secret. In fact, anyone can know it or possess it. It should be public, and ideally, as widely distributed as possible. Now, these keys are related. They're generated as part of one operation. It means that you can take the public key, which, remember, anyone has or anyone can get, and use it to encrypt data which can then only be decrypted by the matching private key. The data can't even be decrypted using the same public key which encrypted it. So it allows you to securely send data to the owner of the private part of a public key. What this architecture also allows is that you can take something and sign it using the private key. And think of this just like encryption, but where anybody who receives the data and has the public key can view the data and verify that the private key part was used to sign it. And this provides a way to evidence that you are in control of the private key used to sign some data. Since the private key is secret and since only you should have it, this provides a way to establish a form of digital identity or digital validation. This signing architecture is important because it forms the foundation of many other IT processes. The process of adding digital signatures to data adds two main benefits when used in conjunction with hashing. It verifies the integrity of the data, that the data you have is what somebody produced. And it verifies the authenticity so that the data that you have is from a specific person. So integrity is what and authenticity is who. Together, it means that you can download some data from Bob and verify that Bob produced the data and that it hasn't been modified. Nobody can falsify data as being from Bob and nobody can alter the data without you being able to tell. Now, a key part of this process is that it's layered on top of normal usage. So if somebody doesn't care about integrity or authenticity, they can access data as normal, without any of these checks. And to enable that, the first step is to take a hash of the data that you're going to be validating. The original data remains unchanged in plain text or whatever its original format is. If you don't care about the integrity and authenticity, then you can use the application or consume the data without worrying about any of this process. Now, this means that anybody having both the data and the hash knows that the data is the original data that Bob produced, assuming that they trust the hash to be genuine, and that's what digital signatures enable. Next, Bob signs the hash using his private key. And this authenticates the hash to Bob. Bob's public key can be distributed widely onto many locations that Bob controls, and using this public key, you can access the signed hash. Because of this, you know it came from Bob's private key, i.e., Bob. And so the hash is now authenticated as being from Bob. Nobody can falsify a hash because only one person, Bob, has Bob's private key. So now we know the hash is from Bob. We can verify that because we have Bob's public key. We know the hash can't be changed because only Bob has Bob's private key, and only the private key can sign anything and appear to be from that private key. We now have this authenticated hash, and we verified the integrity because of the private-public key relationship. We also have the original document and we know that it's authentic because if it was changed, then the hash wouldn't match anymore. So if we trust Bob's public key, then we know that anything being signed by his private key is authentic. Because we know that Bob, and Bob only, have this private key, then we trust the entity, i.e., Bob. And because Bob can now digitally sign a hash, we know that any data that we receive from Bob is both authentic, i.e., Bob has authored this data, and it's not been changed during transit or download. So we have this chain of trust, and this chain of trust, using public key cryptography, signing and hashing, forms the foundation of many things within IT which you take for granted. Okay, so now that you understand the basic building blocks of this process, let's step through this visually. So step one is Bob and his private key. Bob is the only person to have his private key, but he's uploaded his public key to his website, his Twitter account, various public key directory services, and he includes a link to his public key in all of the emails that he sends. Now, if you look at all of these copies of his public key, if all of them match, then you can assume that they're valid and from Bob. To exploit this, you'd have to take over all of these services at the same time and change all mentions of his public key. So the wider the distribution of the public key, the easier it is to spot if any of them have been modified. So let's say that Bob creates a contract to send to a business partner, and he wants others to be able to verify, firstly, that he sent it, and that it wasn't altered in transit. So the next step is that he puts the document through a hash function, which results in a hash. The hash, as you've learned, is unique to this document. No other document can have this hash, and any changes to this document also change this hash, and you can't derive the document from the hash. What we can't prove yet is that Bob created this hash or that the hash hasn't changed as part of faking the document. So to fix this, Bob uses his private key and he signs the hash, and this creates a signature. And he bundles this signature with the original document, which creates a signed document. So this signed document is the original document, so the data plus a copy of the signed hash of that document. And that data is going to be hosted somewhere. So let's say that Bob uploads it to the internet, or he emails the document to somebody, or stores it on some cloud storage. Now, next, one of Bob's business partners downloads the contract, so the signed data. And the first thing is to get Bob's original hash. And so to do that, we take the signature and Bob's public key, and that gives us back Bob's hash. So now we know that this hash is signed by Bob and we know that Bob created this hash, and this means that we know what Bob thought that the hash of the document was. We know the original state of the document when Bob generated the hash. So we take the document and we hash it with the same hash function as Bob used. So now we have our hash of the document and we have Bob's original hash, verified to be from Bob. Now, if these two hashes match, you know that the document that you have is the document that Bob generated. It hasn't been altered. And you know that it originated from Bob because his hash was signed using his private key to generate the signature which is part of this document, which is digitally signed. And this is how hashing, together with public key cryptography, specifically signing, can be used to verify authenticity and integrity. Now, Bob could have taken this a step further and encrypted all of this with the public key of the intended recipient and ensured that all of this process could happen in a fully encrypted way, but encryption and signing are two slightly different things, which are both enabled by the same public key cryptography architecture. Now, at this point, that's everything I wanted to do. I just wanted to give you a really high-level overview of how digital signatures can be used to verify both the integrity and the authenticity of data. Now, you're going to be using this knowledge as you learn about other important IT processes, so it's really important that you understand this end to end. But at this point, that is everything I wanted to cover in this video. So go ahead and complete the video, and when you're ready, I'll look forward to you joining me in the next.