Unlocking Digital Signature Licitness for Technology Industry in Canada

How to eSign a document: digital signature licitness for Technology Industry in Canada

Hey there! Today we are going to talk about  what a digital signature is,   and what it means to digitally sign an electronic  document, for example, an SSL certificate,   which we discussed in the previous video.  There are two things, you should understand,   before we can move on. First is hash functions,  and second is asymmetric pairs of encryption keys.   It may sound scary, but the concepts are very  simple, so bear with me. Lets start with the   hash functions. If you have some data, and you  apply a hash function to the data, the outcome   of the function will be a new string of a fixed  length, called digest. And as long, as you (or   anybody else) apply the same hash function to the  same data, it always produces the same outcome.   At the same time, when you (or anybody else)  apply that hash function to different data,   the outcome will be a different  string of the same length.   Now lets get to the asymmetric pair of encryption  keys. As you may already know from my other   videos, asymmetric pair of encryption  keys is a public key, and a private key.   The public key is something, that can be  publicly distributed, and available to anybody,   hence the name "public", while the private  key must be kept in secret by the owner,   and hence the name "private". The main thing  about these keys, is that if some data is   encrypted by the public key, it can only be  decrypted by the private key from the pair.   In order for the digital signature to work,  the opposite should also be true: if data is   encrypted by the private key, it can only be  decrypted by the public key from that pair.   Now we can actually get to the digital signature.   Lets assume, there is John, who has an electronic  document, which should be digitally signed by Bob.   In order for Bob to be able to sign the document,  he should own a pair of asymmetric encryption keys   and know how to use them to encrypt data. He also  should know how to apply a hash function to data.   In reality these operations are taken care  of by the special software, but to better   understand the process, we will assume Bob just  does all required operations by his own hands.   The process would start with John  sending the unsigned document to Bob.   Bob would apply the hash function to the document  and get the outcome, the document digest.   He would also preserve the original document. Then  Bob would encrypt the document digest with his   private key. The received data would be the actual  digital signature of that document. Bob would add   the digital signature to the original document,  and then send the digitally signed document back   to John. Now John has the document with the  digital signature, and the signature could be   used to reliably prove, that the document was  signed by Bob and not somebody else, and that   Bob signed exactly that document. Lets see how  that signature can be used to prove these things.   Imaging, that John gives that signed  document to somebody else, for example Sara,   and claims that it was signed by Bob. Also  imaging, that Sara may not necessarily trust   John by word, and she would want to validate  the digital signature to make sure, that it   was really Bob, who signed the document, and  that Bob actually signed exactly that document.   That validation would require Sara to have Bob's  public key. Remember, that public key is meant   to be shared with anybody, so Bob should  not have any problems sharing it with Sara.   She also would need to know how to work with hash  functions. Of course, signature validation is also   performed by the special software, and in here we  are just pretending that Sara does it manually,   to better understand how this all works. So,  first, Sara needs to separate the document   and the signature from each other. Second,  she needs to apply the hash function to the   document without signature, similarly how  Bob did, when he was signing the document.   If it's the same document, as Bob signed, she  will get the very same document digest as he did.   On the next step, Sara needs to focus on the  signature. Remember that it is essentially the   document digest, which Bob encrypted with his  private key, when he was signing the document.   Now she should try to decrypt  it with the Bob's public key,   and compare the result with the document  digest, she gotten in the previous step.   If the digests are the same, it means that the  signature was created using Bob's private key,   which means it was Bob, who signed that document.  It also means that it is the same document as   Bob signed, because otherwise hash function would  generate a different digest on the previous step.   Now, lets get a little bit more technical,  and see how that John/Bob/Sara soap opera   can be mapped to the SSL Certificate validation  process during establishing HTTPS connection,   which we discussed in the previous video. If you  think about the roles, John would be the Server,   Bob would be the Trusted Organization,  so-called Certificate Authority, or simply CA,   and Sara would be the Client. Clients usually have  preinstalled public keys of all the organizations   they trust, and in our example it would be  Bob's, or the trusted organization's public key.   The server, before it actually starts serving  any requests, asks a trusted organization to   verify and vouch for it. Trusted organization  verifies the server information, creates the SSL   Certificate with the server's public key and other  information in it, and puts its digital signature.   Finally, when client establishes HTTPS connection  to the server, it verifies the certificate. It   finds out from the Certificate itself, who is the  issuer, and uses preinstalled public key of that   issuer to validate the SSL Certificate and its  digital signature. This way client make sures   that the information in the certificate was not  forged, and that the signature actually belongs   to a trusted organization. That's all I have for  today! As always, I hope that video helped you,   and if so, press "like", "subscribe", and I  am looking forward to seeing you soon again!