Digital Signatures – Basics of Hashes and Encryption

When dealing with online contracting, blockchain, clickwrap agreements, smart contracts, or just generally these days (and certainly in the future), you will come across the terms “hash” and “encryption,” especially when discussing digital signatures. We’ll try to distill these a bit for you. Both are regularly used in transmitting electronic information and in verifying the information, the sender and/or the receiver.

ENCRYPTION

First, there are two types of encryption: (1) symmetric key and (2) public key.

With symmetric key encryption, the same key is used to both encrypt and decrypt information. This is more difficult to use at times, as you have to send the encrypted file and also send the symmetric key, or otherwise make sure the recipient has it, so that the recipient can decrypt the file.

Public key encryption has two different keys: one is used to initially encrypt the string (this is the public key) and one is used to decrypt it (the private key). The person the file was intended for is the only one with the private key. Public key cryptography is referred to as “asymmetric cryptography.” The public keys are known to the public (there is a repository for these online), while the private keys are only known to the individual user. The keys look like long strings of numbers. The public and private keys in a pair are mathematically related, to the point that whatever is encrypted with a public key can only be decrypted with a private key, and vice versa.

HASHES

A “hash” is a publicly known mathematical function that converts text into a long string of numbers (the length of the string is constant but the contents vary greatly). Each hash is itself an algorithm. Some popular ones are MD5, SHA, SHA-2. To get a little more technical, hashing is done with a “salt,” which is additional input (usually a random value) into the function that hashes the item; this adds another layer of difficulty with respect to dictionary attacks or pre-computed rainbow table attacks. For another level you can add a pepper as well (it is not stored in the data, but it increases the number of tries). Hashing is good for when you want to save something but not have it be readable to third parties, or to compare a version of a file you have with one stored on a database.

Hashing ensures the integrity of the raw data. One way to view it is that a hash turns raw data into a string of numbers, and no matter how many times the hash is applied to the same raw data, it will always give you the same string of numbers. Multiple different inputs should not give you the same string you have from the initial raw data. You cannot go from the output back to the input. Any change to the input will drastically change the hash.

DIFFERENCE BETWEEN HASHES AND ENCRYPTION

Encryption is a process that turns data into a series of unreadable characters that are not a fixed length (unlike a hash). If you have an encrypted string of characters and you have the right key, you can convert the string back into its original, decrypted form (this is not possible with a hash). Hashing is more secure than encryption, but it cannot be used where the recipient needs to be able to decrypt it.

DIGITAL SIGNATURES

Digital signatures may appear simple to users, but they require a good deal of computational power to work smoothly.

A digital signature combines encryption with hashes. When done correctly, it can provide users with strong evidence that the file which was sent with a digital signature was not modified. Here’s an example: There is a file Party A wants to get to Party B. Party A takes the file, hashes it, and then signs the hash with Party A’s private key. Party A then transmits it to Party B. Party B opens the encrypted message, validates Party A’s signature of the hash with Party A’s public key, and then hashes the message themselves to compare it to the hash that was signed. If it matches, Party B can be sure that it’s the same file and that it was actually sent by Party A. If it doesn’t match, then the digital signature fails and Party B receives notice that the initial sender did not send it or, if they did, that the contents have been tampered with while en route to Party B.

So a person wanting to fake someone else’s digital signature has a hard time doing so because they do not have the person’s private key. Additionally, another important point to remember is that if you send an encrypted message that you digitally sign, you cannot deny sending it, as your digital signature will verify that yes, it was indeed you that sent it, and it can also verify the contents.