What is the point of digital signatures if confidentiality is violated?

Score: 6

Let's say we use RSA as the signature method.

Alice wants to send a message to Bob and uses RSA signing. For that, she signs her message with her private key. But everybody could now have access to her message if one just decrypts the signature with Alice's public key.

What is the point of digital signatures if confidentiality is violated?










Tags: rsa, signature






asked Jan 25 at 10:44 by Nime; edited Jan 25 at 18:55 by John Kugelman












  • You use signatures for authenticity. ;) – Andrea Lazzarotto, Jan 26 at 10:55
  • It may shock you to learn that even a non-digital signature allows you to read the document that was signed! – Jörg W Mittag, Jan 27 at 21:02
















5 Answers

Score: 14 (answered Jan 25 at 10:52 by forest)

Digital signatures are not designed for confidentiality. For the simplest counterexample to the implicit conclusion that there is no point to digital signatures without confidentiality, consider the use of PGP signatures. People may sign a message that they send to a public mailing list, allowing others to verify that they indeed said that and not an impostor pretending to be them.

Also, you seem to be misunderstanding how digital signatures work. It is not encryption that you decrypt to verify. A digital signature is a mathematical operation on a hash of the message, which you verify is valid for the message. You don't recover the message from the signature.

  • (score 7) @Nime The first sentence in this answer says "Digital signatures are not designed for confidentiality", so "confidentiality would be violated" is non-applicable here, and a digital signature never promised that it would keep your message confidential to begin with. This is one reason why the common falsehood of signatures being "encrypt with the private key and decrypt with the public key" is completely wrong - signatures are completely unrelated to encryption, no matter how similar the operation looks in RSA (such examples ignore crucial details such as padding anyway). – Ella Rose, Jan 25 at 15:43
  • (score 4) @Nime: It's important to recognize that every cryptographic technique solves a very small number of problems very well, and that moreover, those are the only problems they solve well. Cryptographic techniques solve problems like: verifiability, non-repudiation, confidentiality, tamper resistance, tamper detection, key management, and so on, but no one technique solves all those problems. "Hash and sign with private key" is a technique for solving some of those problems, but "confidentiality" is explicitly NOT one of them. Internalize that fact! – Eric Lippert, Jan 25 at 19:33
  • (score 1) @Nime: In particular, something that will help you is if you get out of the habit of saying "the security of resource X is based on..." and start saying "the security of resource X against attack Y is based on..." The security of a system can only be evaluated in the context of specific attacks. If you asked "what is the most secure door?" I think it would be reasonable to point out that the door to a nuclear reactor control room and a kindergarten crayon supply room have different likely attacks. – Eric Lippert, Jan 25 at 19:36
  • (score 1) @supercat The only similarity is that they both involve modular exponentiation. Other than that, they are completely different. The padding is necessarily different (OAEP vs PSS), the source of the exponents is different (public vs private exponent), the way the result is used is different, the performance is different, the security requirements are different, etc. That's like saying SipHash and ChaCha20 are the same thing because they both use the exact same primitives (add, rotate, and xor). – forest, Jan 26 at 2:28
  • (score 1) @supercat If it doesn't provide confidentiality, then it's not encryption, irrespective of whether or not some of the operations that it's using happen to be similar to those used in an encryption scheme. You wouldn't describe encryption as "signing with your public key" because it's clearly absurd, but by your argument it's a reasonable statement to make. – Ella Rose, Jan 26 at 15:33
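The mechanics the answer above and its comments describe, as an added Python example that is not part of the original thread or of any library: hash-then-sign with textbook RSA over SHA-256. The key material is a constructed toy (two Mersenne primes, trivially factorable, assumed here only so the block runs with the standard library on Python 3.8+), and the PSS padding that real RSA signatures carry is left out so the arithmetic stays visible; the names `toy_rsa_key`, `ALICE`, `IMPOSTOR`, `sign`, `verify`, `public_exponent_applied` and `demo` are all this example's own. It shows that verification passes for the signed message, fails for a modified message or for a signature produced under someone else's key, and that applying Alice's public exponent to the signature yields only the 32-byte hash, never the message, which travels in the clear beside the signature.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def toy_rsa_key(p_exp: int, q_exp: int) -> dict:
    """Constructed toy RSA key from the Mersenne primes 2^p_exp-1 and 2^q_exp-1.
    It exists only so the example runs offline; such a key is trivially
    factorable. Real keys come from a CSPRNG and a vetted library."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


ALICE = toy_rsa_key(521, 607)      # Alice keeps ALICE["d"]; everyone knows ALICE["n"] and E
IMPOSTOR = toy_rsa_key(127, 1279)  # an unrelated key pair, standing in for someone else


def digest(message: bytes) -> int:
    """The signature is computed over this 256-bit hash, never over the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, key: dict) -> int:
    """Textbook hash-then-sign: s = H(m)^d mod n.  Real RSA signatures first wrap
    H(m) in PSS or PKCS#1 v1.5 padding; that step is omitted here on purpose."""
    return pow(digest(message), key["d"], key["n"])


def verify(message: bytes, signature: int, key: dict) -> bool:
    """Recompute H(m) from the received message and compare it with s^e mod n."""
    return pow(signature, key["e"], key["n"]) == digest(message)


def public_exponent_applied(signature: int, key: dict) -> bytes:
    """What 'decrypting the signature with the public key' actually yields:
    the 32-byte hash, from which the message cannot be reconstructed."""
    return pow(signature, key["e"], key["n"]).to_bytes(32, "big")


def demo() -> dict:
    # Constructed sample: a note Alice posts to a public list with her signature attached.
    message = b"Meeting moved to 10:00, room B. -- Alice"
    sig = sign(message, ALICE)
    return {
        "genuine_verifies": verify(message, sig, ALICE),
        "modified_message_rejected": not verify(message + b" (room C)", sig, ALICE),
        "other_key_rejected": not verify(message, sign(message, IMPOSTOR), ALICE),
        "public_key_recovers_only_hash":
            public_exponent_applied(sig, ALICE) == hashlib.sha256(message).digest(),
        "message_sent_in_clear": message,  # the signature does nothing to hide this
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

`demo()` returns every check as a named value so the result can be asserted rather than read off the console. The "other key" case is the mailing-list scenario from the answer: a signature made under any key but Alice's fails against her public key, which is what lets readers tell her from an impostor.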





















Score: 2

Consider the paper-based analogy:

> [Alice] signs her message m with [her] private key.

Similarly, Alice signs a document on paper with her signature.

> everybody could now have access to her message if one just [verifies] the signature with Alice's public key.

And everyone who has access to the document can verify that Alice has signed the document.

In practice, they'll need some way to know what Alice's signature looks like (or what her public key is), and not everyone can do that, just those who get a copy of the document.

The bottom line is that signatures provide only authentication, not privacy. Privacy has to be handled separately, with encryption, or with trusted couriers and safes or such.

Score: 1

You don't encrypt the message with your private key.

The point of digital signatures is to verify the authenticity of the message.

Simplified: you create a hash of the message $H(m)$ and then sign the hash, $S(H(m))$. This is then appended to the message, and finally both are sent to the receiver.

The message is usually still encrypted with the receiver's public key, so that only the receiver can decrypt the message with his private key.

Score: 1

As other users have correctly stated, signing is to ensure message integrity, not confidentiality.

Note that it is possible to encrypt a message first, then sign it.

This will protect the confidentiality of the message, and even if it is compromised, you will still be able to protect against 'man in the middle' attacks by verifying the signature.

Score: -2

To provide some additional context for the information in the other answers:

It is true that RSA is used to encrypt / decrypt information.

However:

In almost all real-world cases RSA is not used to encrypt a large message being exchanged, but rather just to encrypt the hash of the message (this is signing / creating a signature for the message).

As other answers point out, this makes it possible for the receiver to know with certainty that the message has not been tampered with by some intermediary.

The steps are (a bit simplified for illustration purposes):

1. Alice creates a message for Bob
2. Alice creates a hash for the message
3. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message
4. Alice sends the message, in clear text, plus the signature (encrypted hash value) to Bob
5. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 2)
6. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key
7. Bob compares his hash value for the message (from step 5) with the decrypted hash value (from step 6)

If the two hash values compared in step 7 are the same, Bob knows with certainty that the signature was created by Alice (since only she has access to her private key) and that the message he received is exactly as Alice authored it, i.e. no one has made changes to the message.

On the topic of confidentiality, encrypting the message itself is almost always done using an encryption algorithm other than RSA (since RSA is slow and optimized for encrypting small pieces of information). This can be accomplished in many different ways, but one option is to add to the steps:

1. Alice creates a message for Bob
2. Alice encrypts the message using a symmetric key encryption algorithm with a key of her choosing that only she knows
3. Alice encrypts the symmetric key using Bob's public key and adds it to the end of the message
4. Alice creates a hash for the message
5. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message
6. Alice sends the encrypted message, plus the signature (encrypted hash value), to Bob
7. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 4)
8. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key
9. Bob compares his hash value for the message (from step 7) with the decrypted hash value (from step 8)
10. If the hashes match, Bob takes the encrypted symmetric key value from the end of the message and decrypts it using his secret key
11. Bob decrypts the encrypted message using the same symmetric encryption algorithm Alice used in step 2, using the symmetric key value from step 10

With these steps Bob knows Alice authored the message, and only he is able to decrypt it, since the symmetric key used to encrypt the message was encrypted using his public key. I.e. only Bob is able to get the symmetric key value, since only he has access to his private key.

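The eleven-step hybrid procedure above, and the encrypt-first-then-sign advice two answers up, as an added Python example that is not part of the original thread or of any library. Everything in it is constructed for illustration: the RSA keys are toys built from Mersenne primes (trivially factorable, assumed only so the block runs with the standard library on Python 3.8+), the key wrap is textbook RSA without OAEP and the signature textbook RSA without PSS, exactly as the simplified steps describe, and the symmetric cipher is a SHA-256 keystream XOR standing in for AES; `toy_rsa_key`, `ALICE`, `BOB`, `stream_xor`, `alice_send`, `signature_valid`, `bob_receive` and `corrupt_in_transit` are this example's own names. Because the signature covers the ciphertext and the wrapped key, Bob rejects a package that was modified in transit before he touches his private key, while anyone holding Alice's public key can run the signature check without being able to read the message.

```python
import hashlib
import secrets

E = 65537


def toy_rsa_key(p_exp: int, q_exp: int) -> dict:
    """Constructed toy RSA key from two Mersenne primes; trivially factorable,
    present only so the steps run offline. Real keys come from a CSPRNG."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


ALICE = toy_rsa_key(521, 607)   # Alice signs with ALICE["d"]; anyone verifies with ALICE["n"], E
BOB = toy_rsa_key(127, 1279)    # anyone wraps a key to BOB["n"], E; only Bob unwraps with BOB["d"]
BOB_BYTES = (BOB["n"].bit_length() + 7) // 8   # fixed width of the wrapped key on the wire
NONCE_LEN = 16


def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for AES: XOR with a SHA-256 keystream.
    The same call encrypts and decrypts. Illustrative only, never for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def alice_send(message: bytes) -> dict:
    """Steps 1-6: encrypt under a fresh symmetric key, wrap that key to Bob,
    hash everything Bob will receive, sign the hash with Alice's private key."""
    sym_key = secrets.token_bytes(32)                                   # step 2: key only Alice knows
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = stream_xor(sym_key, nonce, message)                    # step 2: encrypt the message
    wrapped = pow(int.from_bytes(sym_key, "big"), BOB["e"], BOB["n"])   # step 3: textbook RSA, no OAEP
    body = nonce + ciphertext + wrapped.to_bytes(BOB_BYTES, "big")      # step 3: key appended to message
    signature = pow(h(body), ALICE["d"], ALICE["n"])                    # steps 4-5: hash, sign (no PSS)
    return {"body": body, "signature": signature}                       # step 6


def signature_valid(package: dict) -> bool:
    """Steps 7-9: anyone holding Alice's public key can run this, Bob or not."""
    return pow(package["signature"], ALICE["e"], ALICE["n"]) == h(package["body"])


def bob_receive(package: dict):
    """Steps 7-11: verify before decrypting; return the plaintext, or None when
    the signature does not match (the package was modified in transit)."""
    if not signature_valid(package):
        return None
    body = package["body"]
    nonce, ciphertext, wrapped = body[:NONCE_LEN], body[NONCE_LEN:-BOB_BYTES], body[-BOB_BYTES:]
    sym_key = pow(int.from_bytes(wrapped, "big"), BOB["d"], BOB["n"]).to_bytes(32, "big")  # step 10
    return stream_xor(sym_key, nonce, ciphertext)                       # step 11


def corrupt_in_transit(package: dict) -> dict:
    """Constructed transit fault for the demo: one ciphertext byte is flipped."""
    body = bytearray(package["body"])
    body[NONCE_LEN] ^= 0x01
    return {"body": bytes(body), "signature": package["signature"]}


if __name__ == "__main__":
    pkg = alice_send(b"The contract price is 4200 EUR. -- Alice")
    print("signature valid for anyone:", signature_valid(pkg))
    print("Bob reads:", bob_receive(pkg))
    print("Bob on a modified package:", bob_receive(corrupt_in_transit(pkg)))
```

The ordering is the one the answer above argues for: the signature is checked first, on the bytes exactly as received, so a corrupted or modified package never reaches the RSA unwrap or the symmetric decryption. Confidentiality rests entirely on `BOB["d"]`; the signature contributes authenticity and integrity and nothing else, which is the page's central point.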













          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "281"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66760%2fwhat-is-the-point-of-digital-signatures-if-confidentiality-is-violated%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          5 Answers
          5






          active

          oldest

          votes








          5 Answers
          5






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          14












          $begingroup$

          Digital signatures are not designed for confidentiality. The simplest counterexample to the implicit conclusion that there is no point to digital signatures without confidentiality, consider the use of PGP signatures. People may sign a message that they send to a public mailing list, allowing others to verify that they indeed said that and not an imposter pretending to be them.



          Also, you seem to be misunderstanding how digital signatures work. It is not encryption that you decrypt to verify. A digital signature is a mathematical operation on a hash of the message. That you verify is valid for the message. You don't recover the message from the signature.






          share|improve this answer









          $endgroup$









          • 7




            $begingroup$
            @Nime The first sentence in this answer says "Digital signatures are not designed for confidentiality", so "confidentiality would be violated" is non-applicable here, and a digital signature never promised that it would keep your message confidential to begin with. This is one reason why the common falsehood of signatures being "encrypt with the private key and decrypt with the public key" is completely wrong - signatures are completely unrelated to encryption, no matter how similar the operation looks in RSA (such examples ignore crucial details such as padding anyways).
            $endgroup$
            – Ella Rose
            Jan 25 at 15:43






          • 4




            $begingroup$
            @Nime: It's important to recognize that every cryptographic technique solves a very small number of problems very well, and that moreover, those are the only problems they solve well. Cryptographic techniques solve problems like: verifiability, non-repudiation, confidentially, tamper resistance, tamper detection, key management, and so on but no one technique solves all those problems. "Hash and sign with private key" is a technique for solving some of those problems, but "confidentiality" is explicitly NOT one of them. Internalize that fact!
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:33






          • 1




            $begingroup$
            @Nime: In particular, something that will help you is if you get out of the habit of saying "the security of resource X is based on..." and start saying "the security of resource X against attack Y is based on..." The security of a system can only be evaluated in the context of specific attacks. If you asked "what is the most secure door?" I think it would be reasonable to point out that the door to a nuclear reactor control room and a kindergarten crayon supply room have different likely attacks.
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:36






          • 1




            $begingroup$
            @supercat The only similarity is that they both involve modular exponentiation. Other than that, they are completely different. The padding is necessarily different (OAEP vs PSS), the source of the exponents are different (public vs private exponent), the way the result is used is different, the performance is different, the security requirements are different, etc. That's like saying SipHash and ChaCha20 are the same thing because they both use the exact same primitives (add, rotate, and xor).
            $endgroup$
            – forest
            Jan 26 at 2:28








          • 1




            $begingroup$
            @supercat If it doesn't provide confidentiality, then it's not encryption, irrespective of whether or not some of the operations that it's using happen to be similar to those used in an encryption scheme. You wouldn't describe encryption as "signing with your public key" because it's clearly absurd, but by your argument it's a reasonable statement to make.
            $endgroup$
            – Ella Rose
            Jan 26 at 15:33


















          14












          $begingroup$

          Digital signatures are not designed for confidentiality. The simplest counterexample to the implicit conclusion that there is no point to digital signatures without confidentiality, consider the use of PGP signatures. People may sign a message that they send to a public mailing list, allowing others to verify that they indeed said that and not an imposter pretending to be them.



          Also, you seem to be misunderstanding how digital signatures work. It is not encryption that you decrypt to verify. A digital signature is a mathematical operation on a hash of the message. That you verify is valid for the message. You don't recover the message from the signature.






          share|improve this answer









          $endgroup$









          • 7




            $begingroup$
            @Nime The first sentence in this answer says "Digital signatures are not designed for confidentiality", so "confidentiality would be violated" is non-applicable here, and a digital signature never promised that it would keep your message confidential to begin with. This is one reason why the common falsehood of signatures being "encrypt with the private key and decrypt with the public key" is completely wrong - signatures are completely unrelated to encryption, no matter how similar the operation looks in RSA (such examples ignore crucial details such as padding anyways).
            $endgroup$
            – Ella Rose
            Jan 25 at 15:43






          • 4




            $begingroup$
            @Nime: It's important to recognize that every cryptographic technique solves a very small number of problems very well, and that moreover, those are the only problems they solve well. Cryptographic techniques solve problems like: verifiability, non-repudiation, confidentially, tamper resistance, tamper detection, key management, and so on but no one technique solves all those problems. "Hash and sign with private key" is a technique for solving some of those problems, but "confidentiality" is explicitly NOT one of them. Internalize that fact!
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:33






          • 1




            $begingroup$
            @Nime: In particular, something that will help you is if you get out of the habit of saying "the security of resource X is based on..." and start saying "the security of resource X against attack Y is based on..." The security of a system can only be evaluated in the context of specific attacks. If you asked "what is the most secure door?" I think it would be reasonable to point out that the door to a nuclear reactor control room and a kindergarten crayon supply room have different likely attacks.
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:36






          • 1




            $begingroup$
            @supercat The only similarity is that they both involve modular exponentiation. Other than that, they are completely different. The padding is necessarily different (OAEP vs PSS), the source of the exponents are different (public vs private exponent), the way the result is used is different, the performance is different, the security requirements are different, etc. That's like saying SipHash and ChaCha20 are the same thing because they both use the exact same primitives (add, rotate, and xor).
            $endgroup$
            – forest
            Jan 26 at 2:28








          • 1




            $begingroup$
            @supercat If it doesn't provide confidentiality, then it's not encryption, irrespective of whether or not some of the operations that it's using happen to be similar to those used in an encryption scheme. You wouldn't describe encryption as "signing with your public key" because it's clearly absurd, but by your argument it's a reasonable statement to make.
            $endgroup$
            – Ella Rose
            Jan 26 at 15:33
















          14












          14








          14





          $begingroup$

          Digital signatures are not designed for confidentiality. The simplest counterexample to the implicit conclusion that there is no point to digital signatures without confidentiality, consider the use of PGP signatures. People may sign a message that they send to a public mailing list, allowing others to verify that they indeed said that and not an imposter pretending to be them.



          Also, you seem to be misunderstanding how digital signatures work. It is not encryption that you decrypt to verify. A digital signature is a mathematical operation on a hash of the message. That you verify is valid for the message. You don't recover the message from the signature.






          share|improve this answer









          $endgroup$



          Digital signatures are not designed for confidentiality. The simplest counterexample to the implicit conclusion that there is no point to digital signatures without confidentiality, consider the use of PGP signatures. People may sign a message that they send to a public mailing list, allowing others to verify that they indeed said that and not an imposter pretending to be them.



          Also, you seem to be misunderstanding how digital signatures work. It is not encryption that you decrypt to verify. A digital signature is a mathematical operation on a hash of the message. That you verify is valid for the message. You don't recover the message from the signature.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 25 at 10:52









          forestforest

          4,39711641




          4,39711641








          • 7




            $begingroup$
            @Nime The first sentence in this answer says "Digital signatures are not designed for confidentiality", so "confidentiality would be violated" is non-applicable here, and a digital signature never promised that it would keep your message confidential to begin with. This is one reason why the common falsehood of signatures being "encrypt with the private key and decrypt with the public key" is completely wrong - signatures are completely unrelated to encryption, no matter how similar the operation looks in RSA (such examples ignore crucial details such as padding anyways).
            $endgroup$
            – Ella Rose
            Jan 25 at 15:43






          • 4




            $begingroup$
            @Nime: It's important to recognize that every cryptographic technique solves a very small number of problems very well, and that moreover, those are the only problems they solve well. Cryptographic techniques solve problems like: verifiability, non-repudiation, confidentially, tamper resistance, tamper detection, key management, and so on but no one technique solves all those problems. "Hash and sign with private key" is a technique for solving some of those problems, but "confidentiality" is explicitly NOT one of them. Internalize that fact!
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:33






          • 1




            $begingroup$
            @Nime: In particular, something that will help you is if you get out of the habit of saying "the security of resource X is based on..." and start saying "the security of resource X against attack Y is based on..." The security of a system can only be evaluated in the context of specific attacks. If you asked "what is the most secure door?" I think it would be reasonable to point out that the door to a nuclear reactor control room and a kindergarten crayon supply room have different likely attacks.
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:36






          • 1




            $begingroup$
            @supercat The only similarity is that they both involve modular exponentiation. Other than that, they are completely different. The padding is necessarily different (OAEP vs PSS), the source of the exponents are different (public vs private exponent), the way the result is used is different, the performance is different, the security requirements are different, etc. That's like saying SipHash and ChaCha20 are the same thing because they both use the exact same primitives (add, rotate, and xor).
            $endgroup$
            – forest
            Jan 26 at 2:28








          • 1




            $begingroup$
            @supercat If it doesn't provide confidentiality, then it's not encryption, irrespective of whether or not some of the operations that it's using happen to be similar to those used in an encryption scheme. You wouldn't describe encryption as "signing with your public key" because it's clearly absurd, but by your argument it's a reasonable statement to make.
            $endgroup$
            – Ella Rose
            Jan 26 at 15:33
















          • 7




            $begingroup$
            @Nime The first sentence in this answer says "Digital signatures are not designed for confidentiality", so "confidentiality would be violated" is non-applicable here, and a digital signature never promised that it would keep your message confidential to begin with. This is one reason why the common falsehood of signatures being "encrypt with the private key and decrypt with the public key" is completely wrong - signatures are completely unrelated to encryption, no matter how similar the operation looks in RSA (such examples ignore crucial details such as padding anyways).
            $endgroup$
            – Ella Rose
            Jan 25 at 15:43






          • 4




            $begingroup$
            @Nime: It's important to recognize that every cryptographic technique solves a very small number of problems very well, and that moreover, those are the only problems they solve well. Cryptographic techniques solve problems like: verifiability, non-repudiation, confidentially, tamper resistance, tamper detection, key management, and so on but no one technique solves all those problems. "Hash and sign with private key" is a technique for solving some of those problems, but "confidentiality" is explicitly NOT one of them. Internalize that fact!
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:33






          • 1




            $begingroup$
            @Nime: In particular, something that will help you is if you get out of the habit of saying "the security of resource X is based on..." and start saying "the security of resource X against attack Y is based on..." The security of a system can only be evaluated in the context of specific attacks. If you asked "what is the most secure door?" I think it would be reasonable to point out that the door to a nuclear reactor control room and a kindergarten crayon supply room have different likely attacks.
            $endgroup$
            – Eric Lippert
            Jan 25 at 19:36






          • 1




            $begingroup$
            @supercat The only similarity is that they both involve modular exponentiation. Other than that, they are completely different. The padding is necessarily different (OAEP vs PSS), the source of the exponents are different (public vs private exponent), the way the result is used is different, the performance is different, the security requirements are different, etc. That's like saying SipHash and ChaCha20 are the same thing because they both use the exact same primitives (add, rotate, and xor).
            $endgroup$
            – forest
            Jan 26 at 2:28








          • 1




            $begingroup$
            @supercat If it doesn't provide confidentiality, then it's not encryption, irrespective of whether or not some of the operations that it's using happen to be similar to those used in an encryption scheme. You wouldn't describe encryption as "signing with your public key" because it's clearly absurd, but by your argument it's a reasonable statement to make.
            $endgroup$
            – Ella Rose
            Jan 26 at 15:33










          $begingroup$
          @Nime The first sentence in this answer says "Digital signatures are not designed for confidentiality", so "confidentiality would be violated" is non-applicable here, and a digital signature never promised that it would keep your message confidential to begin with. This is one reason why the common falsehood of signatures being "encrypt with the private key and decrypt with the public key" is completely wrong - signatures are completely unrelated to encryption, no matter how similar the operation looks in RSA (such examples ignore crucial details such as padding anyways).
          $endgroup$
          – Ella Rose
          Jan 25 at 15:43

















          $begingroup$

          Consider the paper-based analogy:

          [Alice] signs her message m with [her] private key.

          Similarly, Alice signs a document on paper with her signature.

          everybody could now have access to her message if one just [verifies] the signature with Alice's public key.

          And everyone who has access to the document can verify that Alice has signed the document.

          In practice, they'll need some way to know what Alice's signature looks like (or what their public key is), and not everyone can do that, just those who get a copy of the document.

          The bottom line is that signatures provide only authentication, not privacy. Privacy has to be handled separately, with encryption, or with trusted couriers and safes or such.

          $endgroup$


















              answered Jan 25 at 16:57
              – ilkkachu













                  $begingroup$

                  You don't encrypt the message with your private key.

                  The point of digital signatures is for verifying the authenticity of the message.

                  Simplified: You create a hash of the message $H(m)$ and then sign the hash $S(H(m))$. This is then appended to the message and finally both are sent to the receiver.

                  The message is usually still encrypted with the receiver's public key, so that only the receiver can decrypt the message with his private key.

                  $endgroup$


















                      edited Jan 25 at 12:00
                      answered Jan 25 at 10:55
                      – AleksanderRas





















                          $begingroup$

                          As other users have correctly stated, signing is to ensure message integrity, not confidentiality.

                          Note that it is possible to encrypt a message first, then sign it.

                          This will protect the confidentiality of the message, and even if it is compromised, you will still be able to protect against 'man in the middle' attacks by verifying the signature.

                          $endgroup$


















                              answered Jan 25 at 16:03
                              – user3256944





















                                  $begingroup$

                                  To provide some additional context for the information provided in the other answers.

                                  It is true that RSA is used to encrypt / decrypt information.

                                  However:

                                  In almost all real-world cases RSA is not used to encrypt a large message being exchanged but rather just used to encrypt the hash of the message (this is signing / creating a signature for the message).

                                  As other answers point out, this makes it possible for the receiver to know with certainty that the message has not been tampered with by some intermediary.

                                  The steps are (a bit simplified for illustration purposes):

                                  1. Alice creates message for Bob
                                  2. Alice creates a hash for the message
                                  3. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message
                                  4. Alice sends the message, in clear text, plus the signature (encrypted hash value) to Bob
                                  5. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 2)
                                  6. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key
                                  7. Bob compares his hash value for the message (from step 5) with the decrypted hash value (from step 6)

                                  If the two hash values compared in step 7 are the same, Bob knows with certainty that the signature was created by Alice (since only she has access to her private key) and that the message he received was exactly how Alice authored it, i.e. no one has made changes to the message.

                                  On the topic of confidentiality, encrypting the message itself is almost always done using an encryption algorithm other than RSA (since RSA is slow and optimized for encrypting small information sets). This can be accomplished many different ways but one option is to add to the steps:

                                  1. Alice creates message for Bob
                                  2. Alice encrypts the message using a symmetric key encryption algorithm using a key of her choosing that only she knows
                                  3. Alice encrypts the symmetric key using Bob's public key and adds it to the end of the message
                                  4. Alice creates a hash for the message
                                  5. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message
                                  6. Alice sends the encrypted message, plus the signature (encrypted hash value) to Bob
                                  7. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 4)
                                  8. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key
                                  9. Bob compares his hash value for the message (from step 7) with the decrypted hash value (from step 8)
                                  10. If the hashes match, Bob takes the encrypted symmetric key value from the end of the message and decrypts it using his secret key
                                  11. Bob decrypts the encrypted message using the same symmetric encryption algorithm Alice used in step 2, using the symmetric key value from step 10

                                  With these steps Bob knows Alice authored the message and only he is able to decrypt it since the symmetric key used to encrypt the message was encrypted using his public key. I.e. only Bob is able to get the symmetric key value since only he has access to his private key.

                                  $endgroup$


















                                    -2












                                    $begingroup$

                                    To provide some additional context for the information provided in the other answers.



                                    It is true that RSA is used to encrypt / decrypt information



                                    However:



                                    In almost all real-world cases RSA is not used to encrypt a large message being exchanged but rather just used to encrypt the hash of the message (this is signing / creating a signature for the message)



                                    As other answers point out, this makes it possible for the receiver to know with certainty that the message has not been tampered with by some intermediary.



                                    The steps are (a bit simplified for illustration purposes):




                                    1. Alice creates message for Bob

                                    2. Alice creates a hash for the message

                                    3. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message

                                    4. Alice sends the message, in clear text, plus the signature (encrypted hash value) to Bob

                                    5. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 2)

                                    6. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key

                                    7. Bob compares his hash value for the message (from step 5) with the decrypted hash value (from step 6)


                                    If the two hash values compared in step 7 are the same, Bob knows with certainty that the signature was created by Alice (since only she has access to her private key) and that the message he received was exactly how Alice authored it, i.e. no one has made changes to the message.



                                    On the topic of confidentiality, encrypting the message itself is almost always done using an encryption algorithm other than RSA (since RSA is slow and optimized for encrypting small information sets). This can be accomplished many different ways but one option is to add to the steps:




                                    1. Alice creates message for Bob

                                    2. Alice encrypts the message using a symmetric key encryption algorithm using key of her choosing that only she knows

                                    3. Alice encrypts the symmetric key using Bob's public key and adds it to the end of the message

                                    4. Alice creates a hash for the message

                                    5. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message

                                    6. Alice sends the encrypted message, plus the signature (encrypted hash value) to Bob

                                    7. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 4)

                                    8. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key

                                    9. Bob compares his hash value for the message (from step 7) with the decrypted hash value (from step 8)

                                    10. If the hashes match, Bob takes the encrypted symmetric key value from the end of the message and decrypts it using his secret key

                                    11. Bob decrypts the encrypted message using the same symmetric encryption algorithm Alice used in step 2, using the symmetric key value from step 10


                                    With these steps Bob knows Alice authored the message and only he is able to decrypt it since the symmetric key used to encrypt the message was encrypted using his public key. I.e. only Bob is able to get the symmetric key value since only he has access to his private key.






                                    share|improve this answer









                                    $endgroup$
















                                      -2












                                      -2








                                      -2





                                      $begingroup$

                                      To provide some additional context for the information provided in the other answers.



                                      It is true that RSA is used to encrypt / decrypt information



                                      However:



                                      In almost all real-world cases RSA is not used to encrypt a large message being exchanged but rather just used to encrypt the hash of the message (this is signing / creating a signature for the message)



                                      As other answers point out, this makes it possible for the receiver to know with certainty that the message has not been tampered with by some intermediary.



                                      The steps are (a bit simplified for illustration purposes):




                                      1. Alice creates message for Bob

                                      2. Alice creates a hash for the message

                                      3. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message

                                      4. Alice sends the message, in clear text, plus the signature (encrypted hash value) to Bob

                                      5. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 2)

                                      6. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key

                                      7. Bob compares his hash value for the message (from step 5) with the decrypted hash value (from step 6)


                                      If the two hash values compared in step 7 are the same, Bob knows with certainty that the signature was created by Alice (since only she has access to her private key) and that the message he received was exactly how Alice authored it, i.e. no one has made changes to the message.



                                      On the topic of confidentiality, encrypting the message itself is almost always done using an encryption algorithm other than RSA (since RSA is slow and optimized for encrypting small information sets). This can be accomplished many different ways but one option is to add to the steps:




                                      1. Alice creates message for Bob

                                      2. Alice encrypts the message using a symmetric key encryption algorithm using key of her choosing that only she knows

                                      3. Alice encrypts the symmetric key using Bob's public key and adds it to the end of the message

                                      4. Alice creates a hash for the message

                                      5. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message

                                      6. Alice sends the encrypted message, plus the signature (encrypted hash value) to Bob

                                      7. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 4)

                                      8. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key

                                      9. Bob compares his hash value for the message (from step 7) with the decrypted hash value (from step 8)

                                      10. If the hashes match, Bob takes the encrypted symmetric key value from the end of the message and decrypts it using his secret key

                                      11. Bob decrypts the encrypted message using the same symmetric encryption algorithm Alice used in step 2, using the symmetric key value from step 10


                                      With these steps Bob knows Alice authored the message and only he is able to decrypt it since the symmetric key used to encrypt the message was encrypted using his public key. I.e. only Bob is able to get the symmetric key value since only he has access to his private key.






                                      share|improve this answer









                                      $endgroup$



                                      To provide some additional context for the information provided in the other answers.



                                      It is true that RSA is used to encrypt / decrypt information



                                      However:



                                      In almost all real-world cases RSA is not used to encrypt a large message being exchanged but rather just used to encrypt the hash of the message (this is signing / creating a signature for the message)



                                      As other answers point out, this makes it possible for the receiver to know with certainty that the message has not been tampered with by some intermediary.



                                      The steps are (a bit simplified for illustration purposes):




                                      1. Alice creates message for Bob

                                      2. Alice creates a hash for the message

                                      3. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message

                                      4. Alice sends the message, in clear text, plus the signature (encrypted hash value) to Bob

                                      5. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 2)

                                      6. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key

                                      7. Bob compares his hash value for the message (from step 5) with the decrypted hash value (from step 6)


                                      If the two hash values compared in step 7 are the same, Bob knows with certainty that the signature was created by Alice (since only she has access to her private key) and that the message he received was exactly how Alice authored it, i.e. no one has made changes to the message.



On the topic of confidentiality, encrypting the message itself is almost always done using an encryption algorithm other than RSA (since RSA is slow and optimized for encrypting small information sets). This can be accomplished in many different ways, but one option is to add to the steps:

1. Alice creates a message for Bob
2. Alice encrypts the message using a symmetric key encryption algorithm, using a key of her choosing that only she knows
3. Alice encrypts the symmetric key using Bob's public key and adds it to the end of the message
4. Alice creates a hash for the message
5. Alice encrypts the hash value using her private key - this 'encrypted hash value' is the signature for the message
6. Alice sends the encrypted message, plus the signature (encrypted hash value), to Bob
7. Bob creates a hash for the message (using the same hash algorithm as Alice used in step 4)
8. Bob decrypts the encrypted hash value provided by Alice, using Alice's public key
9. Bob compares his hash value for the message (from step 7) with the decrypted hash value (from step 8)
10. If the hashes match, Bob takes the encrypted symmetric key value from the end of the message and decrypts it using his secret key
11. Bob decrypts the encrypted message using the same symmetric encryption algorithm Alice used in step 2, using the symmetric key value from step 10

With these steps Bob knows Alice authored the message, and only he is able to decrypt it, since the symmetric key used to encrypt the message was encrypted using his public key. I.e. only Bob is able to get the symmetric key value, since only he has access to his private key.
answered Jan 25 at 16:53
user469104
105
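Both procedures from the answer above (hash-then-sign, and the hybrid sign-plus-encrypt variant), carried through as an added example that is not part of the original answer. It uses textbook RSA over constructed Mersenne-prime moduli and a toy XOR keystream cipher standing in for the symmetric algorithm; neither is suitable for real use, they only make the steps concrete and show that tampering is detected before any decryption happens.

```python
import hashlib, secrets

# Constructed toy parameters: products of Mersenne primes give moduli large
# enough to hold a SHA-224 digest (224 bits) or a 16-byte key as an integer.
E = 65537

def keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))          # (public, private)

ALICE_PUB, ALICE_PRIV = keypair(2**127 - 1, 2**107 - 1)   # n ~ 2^234
BOB_PUB, BOB_PRIV = keypair(2**89 - 1, 2**61 - 1)         # n ~ 2^150
WRAP_LEN = (BOB_PUB[0].bit_length() + 7) // 8   # bytes of a wrapped key under Bob's n

def h(data):                                     # hash of the message, as an integer
    return int.from_bytes(hashlib.sha224(data).digest(), "big")

def sign(priv, data):                            # "encrypt" the hash with the private key
    n, d = priv
    return pow(h(data), d, n)

def verify(pub, data, sig):                      # recompute, "decrypt" with public key, compare
    n, e = pub
    return pow(sig, e, n) == h(data)

def keystream(key, length):                      # toy keystream: SHA-256(key || counter)
    out = b""
    for i in range(0, length, 32):
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return out[:length]

def xor(data, key):                              # toy symmetric cipher (XOR with keystream)
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(msg, sender_priv, recipient_pub):       # Alice's side of the second procedure
    k = secrets.token_bytes(16)                  # fresh symmetric key only Alice knows
    n, e = recipient_pub
    wrapped = pow(int.from_bytes(k, "big"), e, n)   # symmetric key under Bob's public key
    body = xor(msg, k) + wrapped.to_bytes(WRAP_LEN, "big")   # key appended to ciphertext
    return body, sign(sender_priv, body)         # signature covers ciphertext + wrapped key

def open_(body, sig, sender_pub, recipient_priv):   # Bob's side
    if not verify(sender_pub, body, sig):        # check authenticity before decrypting
        return None
    n, d = recipient_priv
    ct, wrapped = body[:-WRAP_LEN], body[-WRAP_LEN:]
    k = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(16, "big")  # unwrap with Bob's key
    return xor(ct, k)

def demo():
    body, sig = seal(b"Pay 100 to Carol", ALICE_PRIV, BOB_PUB)
    tampered = bytes([body[0] ^ 1]) + body[1:]   # one flipped ciphertext byte
    return open_(body, sig, ALICE_PUB, BOB_PRIV), open_(tampered, sig, ALICE_PUB, BOB_PRIV)
```

Anyone holding the body can still read the wrapped key and the signature, but neither reveals the message: only Bob's private key unwraps the symmetric key, and the signature is the hash, not the content.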