Unlocking Digital Signature Legitimacy for Education in Mexico

How to eSign a document: digital signature legitimacy for Education in Mexico

hey we're now going to look at digital certificates and digital signatures so this is just a straight follow-on from my video on asymmetric encryption so make sure you've watched that or at least familiar with the concept of asymmetric encryption before you watch this so in asymmetric encryption the entity that's warranting people to encrypt their messages to them publishes a public key which is available to anyone and people use that to encrypt their communications to this entity this person or business or organization whoever it is and a certificate gives us proof of ownership of a public key a public key is just a very very long number doesn't tell us who it belongs to automatically you need to associate it with the entity via a certificate certificate is like a ID for the entity and it's used to prove their identity like a passport is used to prove we are who we say we are when we go into another country it's the same idea with certificates certificates issued by certificate authorities CAS which businesses whose whole job it is to essentially associate entities with a public key of any to verify that the entity is Hugh so VR and also Vevey owned this public key and so there is an element of trust here if we see it's difficult coming from this business we're trusting them that they haven't in fact verified this person to the high enough standard and it was so this is true for passports as well when you go to another country they look at the path but we see it was issued by this government and we're trusting that government and trusting that government to have given a passport to the correct person in order to show you that this Authority has approved for certificate the authority will sign it digitally Soviets were certificate I have two sections or have a data section and a similar to section signature where this is the unique signature from fee or thority so that can be checked but later section will have details about the entity life details about fur or 40 when it expires the algorithm used to the algorithm is going to be used for subscription and the public key itself so let's have a look an actual example of this most web browsers allow you to see the certificates quite easily and one for homepage of a BBC and on Chrome just left over euro you can view for certificate if it has one so this has been shown to be valid Google Chrome has checked for signature and has found out that it's from a trusted Authority global sign it's it's still valid it will expire in 2019 and then though renew its hopefully so it shows you VI algorithms used to find the signature and also it will show you the BBC's public key anyone can view public key is not very dangerous it's a pop it's a private key you don't wanna leave sharing so you can view public key here and all sorts of information about beaver BBC and the outcrops are using to encrypt for data let's just focus on the signature section because this is they used in certificates quite clearly but they're not part they're not very separate concept essentially that's just used in this case so they also use asymmetric encryption and the general process and miss may very little but if you've learned something slightly different that's okay if a general idea is they are sent alongside a message so in this case the message is for certificate but it could just be a generic message and we append a signature onto it so what happened is the message itself will have a value calculated format like a hash value or a checksum just some value that's calculated from it that is as unique to that message as possible and then we will increase value using for private key of this person he won't wants to sign it so we take a message we calculate some value from its first as unique as possible and then further encrypt it using our private key this value produced is the signature and it's sent alongside the message a minimum message is received it's decrypted using the sender's public key because we have this key pair only the public key can decrypt it was because it's been encrypted by the private key it will then recalculate for hash to see if it matches this value so it will have the signature has been decrypted and we've got that hash value and also it will recalculate it on the message to see if it matches the value so this will give us three really important characteristics the first one being authentication probably the most important the five we can decrypt it shows we have at least some association with this entity if we frame it within the bank example again which use a lot if we're getting a message from my bank and the bank is appending a signature to it we have access to the bank's pipe bank's public key and if we try to decrypt a message using for banks publicly and it didn't work and it shows what it's being encrypted by another person someone we don't want to deal with it's a separate person that someone who can't be trusted a second really useful property of this process is for the signature itself helps us determine the integrity of a message I you ever vert message has been altered from being sent to being received because you can still alter encrypting messages so with this recalculation here or for hash is to check whether the message has been altered mid transit the whole concept of hashing algorithms you run on a message and every time you want that Algrim on the same message you get the same hash value produced if a message is slightly different if you change a few characters around or add some information to it you'll get a completely different hash value and so when we recalculate it we're checking to see if we actually do get the same one as that came on my signature if it's different than it's been altered in my transit and we want to discard it a third crucial characteristic is non-repudiation this is about not being able to deny if you've sent a message you don't want someone to turn around and say oh but wasn't me but wasn't my signature well if the private key is kept secret only about sender could have sent it and this for private keys leaked somehow which is a huge data breach only that person could have sent it because we've got four matching public key only that public key will correspond to the private key so that private key is linked to the public key if we've decrypted it but only that person could have sent the message so a digital signature is part of a certificate for certificate in this case is for message so folk compiled all this data they'll put it all together and then find for hash encrypt it and send it alongside the scene alongside the certificate in a separate section so this is the message in that context we do have digital signatures used in other places often in place of written signatures so recently I moved house and my contract I signed it using an online digital signature provider which is not still a lot more secure than my real signature which could be forged in theory so we are being used more frequently and not just in certificates just to try and summarize these four steps for if you are an entity which has a public and a private key and you want to be able to distribute for public key to your customers you will apply to a certificate authority and pay them some money and have your public key and identity verified the certificate authority will create a certificate for them it will have a date range or have other information on it about the entity itself and then vote sign that certificate to prove that they have in fact approved it this is obviously not the simplest of processes but it's really important because if a person used a public key without verifying who it came from who belong who the key belongs to they could be inadvertently sending data to an attacker so if you're meant to be communicating of your bank to use my favourite example and a hacker and somehow tricked you into believing very were in fact for bank maybe with a phishing website they could send their public key to you and then you could use the public key to encrypt data and send it to them instead if you used a certificate instead you could verify that the certificate is in fact then of course you wouldn't say my data to them anybody can create a certificate I could create one for Google or for Facebook and put my own public key on it but no browser is going to accept that certificate they don't really let you go on that website some browsers will just not let you go on a website unless it's got a valid certificate which had been signed by a trusted certificate authority