
Digital Signatures with Asymmetric Encryption

TL;DR

This guide shows you how to create and verify digital signatures using asymmetric encryption (public/private key pairs). This proves a message’s origin and that it hasn’t been tampered with.

What You Need

  • A computer
  • OpenSSL installed. Most Linux distributions have this by default. For Windows, you can download it from the OpenSSL website.

Step 1: Generate a Key Pair

First, we need to create a public and private key pair for the sender (you). The private key is kept secret, and the public key can be shared.

openssl genrsa -out private.pem 2048

This creates a 2048-bit RSA private key named private.pem. Don’t share this file!

openssl rsa -in private.pem -pubout -out public.pem

This extracts the public key from your private key and saves it as public.pem.

Step 2: Create a Digital Signature

Now, let’s sign a message. We’ll use OpenSSL to do this.

a) Create the Message File

Create a text file named message.txt containing the message you want to sign. For example:

echo "This is my important message." > message.txt

b) Sign the Message

Use OpenSSL to create the signature.

openssl dgst -sha256 -sign private.pem -out signature.bin message.txt

This command does the following:

  • dgst: The digest (hashing) tool.
  • -sha256: Use the SHA256 hashing algorithm. This is a common and secure choice.
  • -sign private.pem: Sign the message using your private key.
  • -out signature.bin: Save the signature to a file named signature.bin.
  • message.txt: The file containing the message you’re signing.

Step 3: Verify the Signature

To verify the signature, we need the original message, the public key, and the signature file.

a) Verification Command

openssl dgst -sha256 -verify public.pem -signature signature.bin message.txt

This command does the following:

  • -verify public.pem: Verify the signature using your public key.
  • -signature signature.bin: The file containing the digital signature.
  • message.txt: The original message file.

b) Interpreting the Results

If the signature is valid, you’ll see:

Verified OK

If the signature is invalid (e.g., the message has been altered or a different private key was used), OpenSSL prints Verification Failure instead and the command exits with a non-zero status, so scripts should check the exit code rather than parse the text.
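The three steps above, run end to end in a scratch directory, as an added example that is not part of the original post: it signs the message, then shows the genuine file verifying and both failure cases (altered message, impostor key) being rejected. It assumes only that the openssl CLI is on PATH; every key and file is constructed by the script itself.

```shell
#!/bin/sh
# Added example: full sign/verify round trip with OpenSSL, including the
# two failure cases a verifier must catch. Assumes `openssl` is on PATH.

# sign_file PRIVKEY MESSAGE SIGOUT  -> detached RSA/SHA-256 signature
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUBKEY MESSAGE SIGFILE -> echoes "ok" or "fail"
# (uses the exit status, not the printed text, as the decision)
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Runs the whole demo in a throwaway directory (subshell body, so the
# caller's cwd is untouched) and echoes "genuine altered wrongkey" results.
run_demo() (
    workdir=$(mktemp -d)
    cd "$workdir" || exit 1

    # Sender's key pair (Step 1) and a second, unrelated pair that stands
    # in for someone trying to pass off their own signature as the sender's.
    openssl genrsa -out private.pem 2048 2>/dev/null
    openssl rsa -in private.pem -pubout -out public.pem 2>/dev/null
    openssl genrsa -out other.pem 2048 2>/dev/null
    openssl rsa -in other.pem -pubout -out other_pub.pem 2>/dev/null

    # Constructed message and its signature (Step 2).
    echo "This is my important message." > message.txt
    sign_file private.pem message.txt signature.bin

    # Step 3: genuine message, a one-character change, and the wrong key.
    r1=$(verify_file public.pem message.txt signature.bin)
    echo "This is my important message!" > tampered.txt
    r2=$(verify_file public.pem tampered.txt signature.bin)
    r3=$(verify_file other_pub.pem message.txt signature.bin)

    echo "$r1 $r2 $r3"
    cd / && rm -rf "$workdir"
)

run_demo
```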

Important Considerations

  • Keep your private key safe! Anyone with access to your private key can forge signatures in your name.
  • Hashing Algorithm: SHA256 is generally considered secure, but newer algorithms like SHA3-256 are also available.
  • Key Length: 2048 bits is a good starting point for RSA keys. You can use larger key sizes (e.g., 4096 bits) for increased security, but this will increase processing time.