At present, there are many technologies to ensure information security, such as encryption technology, access control technology, authentication technology, security audit technology and so on, but most of these technologies are used for prevention. Once the information is destroyed, we cannot guarantee the integrity of the information. Therefore, a new security technology to ensure information integrity & digital signature technology has become a topic of great concern. So, what is digital signature technology? What special function does it have?
concept
Before the emergence of digital signature technology, there was a kind of "digital signature" technology, which was simply to sign on the handwriting board and then transmit the image to the electronic document. This kind of "digital signature" can be cut and pasted on any document, which is very easy to be copied illegally, so this kind of signature method is unsafe. Digital signature technology and digital signature technology are two completely different security technologies. Digital signature has nothing to do with user's name and handwritten signature form. It actually uses the sender's private key to convert the transmitted information. The digital signature of the sender is different for different document information. Without the private key, no one can complete illegal copying. In this sense, "digital signature" is an alphanumeric string obtained by processing the message to be transmitted through one-way function to identify the source of the message and verify whether the message has been changed.
principle
In the concrete work of this technology, firstly, the sender performs mathematical transformation on the information, and the obtained information only corresponds to the original information; The original information is obtained by inverse transformation at the receiving end. As long as the mathematical transformation method is excellent, the transformed information has strong security in transmission and is difficult to decipher and tamper with. This process is called encryption, and the corresponding inverse transformation process is called decryption.
There are two different encryption technologies. One is symmetric encryption. Both parties have a secret key, which can only be used if both parties know it. Usually used in an isolated environment. For example, when using an automatic teller machine (ATM), the user needs to input a user identification number (PIN). After the bank confirms this number, the two parties conduct the transaction on the basis of obtaining the password. If the number of users is too large and beyond the manageable range,
The other is asymmetric encryption, also known as public key encryption. A key is a key pair consisting of a public key and a private key. It is encrypted with a private key and can be decrypted with a public key. However, because the public key cannot be derived, it will not endanger the security of the private key, and it does not need to be kept secret, but it can be spread publicly. The private key must be kept secret, and it needs to be reported to the authentication center and database when it is lost.
algorithm
There are many algorithms for digital signature, and the three most widely used ones are: Hash signature, DSS signature and RSA signature.
1. hash signature
Hash signature is not a computationally intensive algorithm, so it is widely used. It can reduce the consumption of server resources and reduce the load of the central server. The main limitation of Hash is that the receiver must hold a copy of the user's key to verify the signature, because both parties know the key that generated the signature, which is easy to crack and may forge the signature.
2.DSS and RSA signatures
DSS and RSA adopt public key algorithm, and there is no restriction of Hash. RSA is the most popular encryption standard, and there are RSA software and class libraries in the core of many products. Before the rapid development of Web, RSA Data Security Company was responsible for the integration of digital signature software and Macintosh operating system, and added signature drag-and-drop function to Apple's collaboration software PowerTalk. Users only need to drag the data to the corresponding icon to complete the electronic digital signature. Unlike DSS, RSA can be used for data encryption and authentication. Compared with hash signature, in public key system, the security factor is higher because the key that generates the signature is only stored in the user's computer.
function
Digital signature can solve the problems of denial, forgery, tampering and counterfeiting. Specific requirements: the sender can't deny the message signature sent afterwards, the receiver can verify the message signature sent by the sender, the receiver can't forge the sender's message signature, the receiver can't partially tamper with the sender's message, and one user in the network can't impersonate another user as the sender or receiver. Digital signature is widely used, which is a breakthrough to ensure the security of electronic data exchange. Digital signature can be used in all occasions that need to identify users, such as encrypted letters, business letters, order purchasing systems, remote financial transactions, automatic mode processing, etc.
regret
The introduction of digital signature will inevitably bring some new problems, which need to be further solved. Digital signature needs the support of relevant legal provisions.
1. It is necessary for the legislature to pay enough attention to digital signature technology, speed up the pace of legislation and formulate relevant laws as soon as possible, so as to fully realize the special authentication function of digital signature and effectively promote the development of online affairs such as e-commerce.
2. If the sender's information has been digitally signed, then the receiver must have digital signature software, which requires high popularity of the software.
3. Suppose someone leaves an organization after sending information, and the authority of the original digital signature is cancelled. In the past, the original confirmation information could only be found in the cancellation confirmation form, so the appraisal center needs to combine the time information for appraisal.
4. It is the cost of infrastructure (identification center, online database access, etc.). ) paid by public funds or charged to users during the service period? If you charge during the service period, will it affect the comprehensive promotion of this technology?
implement
There are many ways to realize digital signature. At present, asymmetric encryption technology and symmetric encryption technology are widely used. Although the implementation steps of these two technologies are different, the general workflow is the same. Users can download or buy digital signature software first, and then install it on personal computers. After the key pair is generated, the software automatically transmits the public key to the outside world. Due to the storage requirements of public keys, it is necessary to establish a certification center (CA) to determine personal information and its key. Appraisal center is a third-party member that the government participates in management to ensure the security and centralized management of information. When the user obtains the public key, he first requests digital confirmation from the authentication center. After the authentication center confirms the user's identity, it sends digital confirmation, and at the same time, the authentication center sends confirmation information to the database. Then the user uses the private key to sign the transmitted information, which ensures the integrity and authenticity of the information, and also makes it impossible for the sender to deny the sending of the information before sending it to the receiver; After receiving the information, the receiver uses the public key to confirm the digital signature, and enters the database to check the status and credibility of the user's confirmation information; Finally, the database returns the user confirmation status information to the receiver. However, when using this technology, the signer must pay attention to protecting the private key, because it is an important foundation of public key system security. If the key is lost, you should immediately report the cancellation to the certification center and put it in the confirmation cancellation list. Secondly, the authentication center must be able to quickly confirm the identity of users and the relationship between their keys. Once the user's request is received, the authentication center shall immediately authenticate the security of the information and return the information.
What is a digital signature?
I. The meaning of digital signature
Digital signature is based on public key encryption system, and the operation method involved in generating digital signature is called hash function. Also known as "hash function". Hash function is actually a mathematical calculation process. This calculation process is based on a calculation method that creates a digital expression or a compressed form of information in the form of "hash function value" or "hash function result" (usually called "information summary" or "information identification"). In the case of secure hash function (sometimes called one-way hash function), it is actually impossible to deduce the original information from the known hash function results. Therefore, hash function can make software operate on less and predictable data to generate digital signatures, while maintaining a high degree of correlation with the original information content, and effectively ensuring that the information has not been modified after digital signature.
The so-called digital signature is a digital string that can only be generated by the sender of the information and cannot be forged by others. It is also a proof of the authenticity of the information sent by the sender. When signing a document or any other information, the signer must first accurately define the scope of the content to be signed. Then, the hash function in the signer's software will calculate the unique hash function result value of the signature information (for practical purposes). Finally, the hash function result value will be converted into a digital signature by using the signer's private password. The obtained digital signature is unique to the signature information and the private password used to create the digital signature.
A digital signature (the digital signature of the result of the hash function of the information) is attached to the information and stored and transmitted together with the information. However, it can also be stored and transmitted as a single data unit, as long as it can keep reliable contact with the corresponding information. Because a digital signature is unique to the information it signs, it becomes meaningless if it loses contact with the information permanently.
Signing a written document is a means to confirm the document, and digital signature has many characteristics compared with traditional handwritten signature.
First of all, the signature and information in digital signature are separated, and a method is needed to link the signature and information. In traditional handwritten signature, signature and signature information are a whole.
Secondly, in the method of signature verification, the digital signature uses an open method to verify the signature, and anyone can check it. Traditional handwritten signature verification is judged by experienced recipients by comparing with reserved signature samples.
Finally, in digital signature, the copy of a valid signature is also a valid signature, while in traditional handwritten signature, the copy of the signature is invalid.
Digital signature can have two functions at the same time: confirming the source of data and ensuring that the data has not been modified or changed during transmission. Therefore, in some aspects, the function of data signature is more similar to the function of overall detection value. However, one of the main differences between them is that the digital signature must guarantee the following characteristics, that is, the sender cannot deny the signature of the message afterwards. This is very important. Therefore, the receiver of information can convince the third party of the identity of the signer and the fact of sending information through digital signature. When there is a dispute between the two parties about whether the information is sent or not and its content, the digital signature can be a powerful evidence. Generally speaking, the tampering of information has a great influence on the receiver. Therefore, it is better for the receiver to use a different digital signature from the sender to show this difference. This is a function that the overall detection value does not have. In this sense, the digital signature is confirmed.
The combination of digital signature and encryption technology can solve the problems of integrity, identity authentication and non-repudiation in information transmission.
(1) integrity. Because it provides a technique and method to confirm the integrity of an electronic document, the document can be regarded as original and unchanged.
(2) Verifiability. The source of the electronic document can be confirmed. Because the electronic signature generated by the sender's private key can only be decrypted by the public key corresponding to the sender's private key, the source of the document can be confirmed.
(3) Non-repudiation. Because only the author owns the private key, he can't deny that the electronic file was not sent by him.
digital signature
The so-called "digital signature" is to generate a series of symbols and codes through some cryptographic operation to form an electronic password for signature, rather than writing a signature or seal. For this kind of electronic signature, technical verification can also be carried out, and its verification accuracy is incomparable to that of general manual signature and seal verification. "Digital signature" is a kind of electronic signature method with the most common application, the most mature technology and the strongest operability in e-commerce and e-government. It uses standardized procedures and scientific methods to identify signers and approve electronic data content. It can also verify whether the original text of the file has changed during transmission, and ensure the integrity, authenticity and non-repudiation of the transmitted electronic file.
In the ISO7498-2 standard, digital signature is defined as "some data attached to a data unit, or the cryptographic transformation of the data unit, which allows the receiver of the data unit to confirm the source and integrity of the data unit and protect the data from being forged by people (such as the receiver)". The definition of digital signature in American Electronic Signature Standard (DSS, FIPS 186-2) is: "A set of rules and a parameter are used to calculate data, and the identity of the signer and the integrity of the data can be confirmed by this result". According to the above definition, PKI(Public Key Infrastructino) provides the cryptographic conversion of data units, and enables the receiver to judge the source of data and verify the data.
The core executing agency of PKI is the electronic certification service provider, commonly known as CA(Certificate Authority), and the core element of PKI signature is the digital certificate issued by CA. The PKI services it provides are authentication, data integrity, data confidentiality and non-repudiation. The method is to encrypt/decrypt by using the certificate public key and its corresponding private key to generate the signature and verification signature of the digital message. Digital signature is the use of public key cryptography and other cryptographic algorithms to generate a series of symbols and codes, forming an electronic password for signature, rather than writing signatures and seals; This kind of electronic signature is also technically verifiable, and its verification accuracy is incomparable with manual signature and stamp verification in the physical world. This signature method can be used for authentication in a large number of trusted PKI domains or cross authentication in multiple trusted PKI domains, especially for security authentication and transmission on the Internet and WAN.
Simply put, the so-called digital signature is some data attached to the data unit, or the cryptographic transformation of the data unit. This kind of data or transformation allows the receiver of the data unit to confirm the source and integrity of the data unit, and protects the data from being forged by people (such as the receiver). This is a method of signing an electronic message, and the signed message can be transmitted in a communication network. Digital signature can be obtained based on both public key cryptosystem and private key cryptosystem. At present, digital signature is mainly based on public key cryptosystem. Include general digital signature and special digital signature. Common digital signature algorithms include RSA, ElGamal, Fiat-Shamir, Guillou-Quisqour, Schnorr, Ong-Schnorr-Shamir, Des/DSA, elliptic curve digital signature algorithm and finite automaton digital signature algorithm. Special digital signatures include blind signature, proxy signature, group signature, undeniable signature, fair blind signature, threshold signature, signature with message recovery function and so on. It is closely related to the specific application environment. Obviously, the application of digital signature involves legal issues, and the federal government of the United States has formulated its own digital signature standard (DSS) based on the discrete logarithm problem over a finite field.
Digital signature technology is a typical application of asymmetric encryption algorithm. The application process of digital signature is that the sender of the data source encrypts the data checksum or other variables related to the data content with his own private key to complete the legal "signature" of the data, and the receiver of the data interprets the received "digital signature" with the public key of the other party, and uses the interpretation result to check the integrity of the data to confirm the legality of the signature. Digital signature technology is an important technology to confirm identity in the virtual environment of network system, which can completely replace the "autograph" in the real process and get technical and legal protection. In the management of public and private keys, the application of digital signature is just the opposite of PGP technology for encrypting emails. In the application of digital signature, the sender's public key is easy to obtain, but his private key needs to be kept strictly confidential.
The main functions of digital signature are: to ensure the integrity of information transmission, to authenticate the identity of the sender, and to prevent denial in transactions.
Digital signature technology encrypts abstract information with the sender's private key and sends it to the receiver together with the original text. The receiver can decrypt the encrypted digest information with only the transmitted public key, and then use a hash function to generate digest information for the received original text and compare it with the decrypted digest information. If they are the same, it means that the received information is complete and has not been modified during transmission, otherwise it means that the information has been modified, so the digital signature can verify the integrity of the information.
Digital signature is an encryption process and digital signature verification is a decryption process.
Personal secure e-mail certificate with digital signature function is a kind of user certificate, which refers to the certificate that unit users must have when using certificate mechanism to ensure the safety of sending and receiving e-mail. Personal secure e-mail certificate is a digital security certificate conforming to x.509 standard. By combining digital certificate and S/MIME technology, ordinary e-mail is encrypted and digitally signed to ensure the security, confidentiality, sender identity confirmation and non-repudiation of e-mail content. Personal secure e-mail certificate with digital signature function includes the e-mail address of the certificate holder, the public key of the certificate holder, the issuer (Henan CA) and the signer's signature on the certificate. The realization of the function of personal secure e-mail certificate depends on whether the e-mail system used by users supports the corresponding functions. At present, MS Outlook, Outlook Express, Foxmail and Henan CA secure mail systems all support corresponding functions. Personal security e-mail certificate can be used to send and receive encrypted and digitally signed e-mail, which ensures the confidentiality, integrity and non-repudiation in e-mail transmission and the authenticity of the identities of all parties in e-mail communication.