A digital identity

As the internet makes inroads deeper into our personal lives, we find ourselves increasingly concerned about our online personality.

Today, a simple Google search can yield all your tweets on Twitter, all your blog posts, your forum interactions, your video posts, the list goes on. All the bread crumbs Hansel and Gretel need to reach the deepest recesses of your identity.

We rarely worry about the implications of what we leave behind, and often forget who can see it. The ease and seeming anonymity of the internet are just too tempting. What many people do online is the equivalent of carving every bench, every tree, every wall we encounter in our lives with our thoughts. In the world outside computers, it is your signature that defines the authenticity of the written word. Flawed as it might be, it is a system that provides a measure of security to our transactions.

Digitised validity

How would you share a secret? Perhaps by whispering it to a friend, or discreetly slipping them a note. However, in most situations neither is an option. We may need to get secret or sensitive information across, but the party delivering the message cannot be trusted with it. When we look at computers transmitting information over the internet, what we have is a communication being sent over a possibly unsecured channel that could be monitored or even tampered with by adversaries. Depending on the content of the message, and its target audience, we turn to different security schemes. In some cases verifiability of a message's authenticity is all that is required, while in other cases the authenticity of the source is more important.

Here lies the difference between the concepts of digital signatures, message authenticity verification and encryption.

Digital signatures

A digital signature may be taken pretty much in the same terms as a physical signature: it identifies the authorship of a document, thus authenticating the source. It gives security to the author, as he is only liable to accept more security than an ink signature as it is practically unforgeable.

Authenticity verification

Authenticity verification is more to do with ensuring that the contents of the document are safe from modification, and that any modification made by unscrupulous entities can easily be detected. This is similar to laminating a paper document with a plastic sheet: this prevents modifications, and any forced modifications made are liable to be easily detected.

Here, the source of the document is not important; what is important is the validity of the document. Although such is the case with the example of lamination, it is not necessary that everyone should be able to detect unauthorised modifications. We can take the example of a document written in special ink which cannot be differentiated from normal ink by most people. In such a case, only people with the ability to differentiate the special ink will be able to detect whether there have been any unauthorised modifications.

Again, as in the case of digital signatures, authentication tags need to be easy to produce and verify for the parties involved, but impossible for an outsider to produce.
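The "special ink" idea corresponds to a keyed authentication tag. The following is an added example, not part of the original article: it assumes the two parties already share a secret key and uses HMAC-SHA256 from the Python standard library; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample key: in practice the parties agree on it in advance.
SHARED_KEY = secrets.token_bytes(32)


def make_tag(key: bytes, message: bytes) -> bytes:
    """Produce an authentication tag (HMAC-SHA256) over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    message = b"Pay Alice 100 rupees"        # constructed sample message
    tag = make_tag(SHARED_KEY, message)
    outsider_key = secrets.token_bytes(32)   # an outsider lacks SHARED_KEY
    return {
        # A key holder accepts the untouched message.
        "genuine": verify_tag(SHARED_KEY, message, tag),
        # Any change to the content invalidates the tag.
        "tampered": verify_tag(SHARED_KEY, b"Pay Alice 900 rupees", tag),
        # A tag made without the shared key is rejected.
        "forged": verify_tag(SHARED_KEY, message, make_tag(outsider_key, message)),
        # Someone without the key cannot check the tag at all.
        "checked_without_key": verify_tag(outsider_key, message, tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

Because every key holder can both create and check tags, a valid tag shows the content is unmodified but not which of the key holders wrote it.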

Encryption

Encryption is the most effective way to keep things away from prying eyes. Unlike authentication tags and digital signatures, encryption garbles the content of the message / document / data in such a way that only the intended parties can decode it.

Encryption gives security to the content by making it impossible for anyone to access it unless they specifically know how. If digital signatures are similar to putting a name tag on your lunch, and authentication tags are like wrapping it in plastic, then encrypting is analogous to locking it in a 10-tonne stainless steel safe.

Encryption relies on algorithms for which the coding is far simpler than the decoding. The encoding operates on two things: the data and the key. The algorithm is designed such that without the key it is nearly impossible (or infeasible) to get the data back from the cypher. However, unless combined with a digital signature mechanism, you have no way of knowing if the encrypted data is from the right source.

Encryption schemes also present another conundrum. How do you transfer the encryption "secret"? Whether it is an algorithm or a key, transferring it through an insecure medium is as good as not encrypting at all.

Private-Key encryption

The private-key encryption method is one that most people are aware of: two parties agree on a secret key which will be used to encrypt any further communication. This initial communication where the key is exchanged can be done in person or via a secure channel, much like whispering or passing a note.

The obvious disadvantage here is the need for a secure way of communication, and if that is available, the whole need for encryption becomes a little moot.

In simple cases, we may share a password over the telephone with our friend for files we are about to share. When it is your job to be paranoid about your company's security, however, that doesn't cut it, and a security-enabled channel will be used. If having a secure communication channel is expensive, we can use the channel merely to exchange the key, after which the internet can be host to further communications that have been encrypted with the private key.

Public-Key encryption

Unlike the private-key system, which is symmetric, i.e. the encrypting key and decrypting key are the same, public-key encryption uses different keys for encrypting and decrypting data. This may seem counter-intuitive, but is incredibly useful. In public-key encryption, the encryption key is openly published for anyone to see, while the decryption key is kept secret. What this essentially means is that while everyone is capable of encrypting messages that you can decrypt, they are unable to decrypt any messages encrypted with the public key, even the ones they encrypted themselves.

In this case, a secure line of communication can be obtained by having the participants exchange public keys, and use them for any secure communication. A secure channel is not required for sending the keys in this case, since the key is only capable of encrypting and not decrypting. Furthermore, it is impractical to determine the decrypting key given the encrypting key. Even if your adversaries were to gain access to your public key, it would only enable them to encrypt data with your key; they would still be helpless to decrypt any data that they intercept.

In this kind of system, the sending party encrypts confidential data with the public-key of the party which is to receive said data. The recipient of the data is then able to decrypt the message since they have a decryption key (their private-key).

When we use digital signatures practically, software generates a signature for our given message. The signature is such that if any part of the message / document is changed, the signature would no longer match and we would know immediately that someone has tampered with the message.

Digital signatures aren't limited to email messages or documents; they are now used in almost every field where the source of the data is important. Microsoft uses digitally signed certificates for drivers it has tested, and warns the user if an unsigned driver is being installed. Digitally signed files, if modified by a virus, will invalidate the signature, which can serve as a warning to the user.

A signature is only as good as the one who signed it. A million dollar cheque will do you little good if the signature is of a pauper. Likewise, a digital signature by its nature needs to be easy to produce and as such by itself shouldn't inspire any confidence. A digitally signed virus which deletes all your files will only do its job if its signature is intact.

For simple cases of authenticating your emails and files for personal purposes, digital signatures are almost free to use. There are many tools capable of generating signatures for your messages and documents. Software that works with documents has some support for digital signatures. Microsoft Office products, for example, allow you to generate and attach a digital signature to your documents.