Beginner Cryptography Updated on Jun 25, 2025

Digital Signatures

A digital signature guarantees that a message or document was created by the claimed author — and that it has not been altered since. Unlike encryption, the goal is not secrecy, but authenticity and non-repudiation.

How It Works

SIGNING
1. Compute the document hash (SHA-256)
2. Encrypt the hash with the author's PRIVATE key
3. The result is the digital signature

VERIFYING
1. Compute the hash of the received document
2. Decrypt the signature with the author's PUBLIC key
3. Compare both hashes — equal = valid

The private key signs. The public key verifies. Only the private key owner can generate a valid signature.

In Practice with OpenSSL

# Generate RSA key pair
openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -pubout -out public.pem

# Sign a file
openssl dgst -sha256 -sign private.pem -out signature.bin document.txt

# Verify signature
openssl dgst -sha256 -verify public.pem \
  -signature signature.bin document.txt
# Expected output: Verified OK

Algorithms

Algorithm	Mathematical basis	Typical size	Notes
RSA-PSS	Factoring	2048-4096 b	Current RSA standard
ECDSA	Elliptic curve	256-384 b	Compact, used in TLS
Ed25519	Curve25519	256 b	Modern, fast, secure

Non-Repudiation

If Alice signs a contract with her private key, she cannot later deny it — the signature is cryptographic proof of authorship. The private key is, by definition, exclusively hers.

This differs from HMAC: HMAC uses a shared key, so either party could have generated the MAC. A digital signature uses an asymmetric pair — only the private key owner can sign.

Signatures in Code (JWT Example)

JWTs (JSON Web Tokens) use digital signatures to ensure the payload has not been tampered with:

Header.Payload.Signature

Header:    {"alg": "RS256", "typ": "JWT"}
Payload:   {"sub": "user@example.com", "role": "admin"}
Signature: RSA-SHA256(Base64(Header) + "." + Base64(Payload), private_key)

The server verifies with the public key. If the payload is altered, the signature does not match.

Certificates and Digital Signatures

An X.509 certificate is essentially a file digitally signed by the CA. The CA signs the certificate data with its private key. The browser verifies it with the CA’s public key (present in the system trust store).