I’ve been doing a lot of reading into blockchain recently, and one of the foundational components of this technology is utilizing asymmetric encryption to produce a “digital signature”. These signatures accompany a message sent across the wire, and can be used to verify the authenticity of the sender and the veracity of the message (i.e. ensuring it was not modified maliciously during transmission).
Below is a short demonstration of creating and verifying a digital signature using the
openssl CLI tool.
- Generate a private key, also called the
skor “secure key” for short. The key will be 2048 bits in length, as specified by the
$ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
- Generate the corresponding public key, also called the
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
- Create a secret message.
$ echo “Rock Chalk Jayhawk, go KU!” > secret_message.txt
- Produce the digital signature for the secret message. This command is two separate operations: first, it produces a hash of
secret_message.txt(commonly referred to as the message “digest”) using the SHA256 hash function. Then, it encrypts that digest using the
pk. The process of encrypting the digest is what actually produces the digital signature.
openssl dgst -sha256 -sign private_key.pem -out digital_signature secret_message.txt
- (Optional) the produced
digital_signaturecontains binary content by default. To get a human-readable version use the
$ openssl enc -base64 -in digital_signature -out digital_signature.base64
digital_signature.base64 will look like:
$ cat digital_signature.base64 $ tjisvQHiIte5wf5J+ZTNYaXk1a/90eQG8Haxu16qSlO/MhP6XjRE1P87XxvbtrOt YBkK3TwL/xsFMKNcPrR+3O0H0uO82Y0x+3RsgFKnXcm5P+BMaE0VhzRj8fKHojI6 yBF+Uk69upXE0MRjOk00LKnzwEymGsYfdFS7HVpJyLEWAMpDLKK9YtQna1I3Mf2X 0GJ63h/MqWG8ZVh/8d0jRyIV/mWW38AjRgueORmvI1K4bl3c2zjsLnJGWZ+2BE36 /AKAP4eK5g3tjiBHPhYhvP2tWwoV1rpJ7Yjs4fgtERf0bfZJTCN//AjOEsDyQA6T aTBkU05E9oj9XFhF8VtxoQ==
- (Imagination required) Send the
digital_signatureand a copy of our
public_key.pemoff to a friend. The friend receives the message, and would like to verify its contents and that it actually came from us. To verify, they attempt to decrypt the digital signature using our
$ openssl dgst -sha256 -verify public_key.pem -signature digital_signature secret_message.txt $ Verified OK
- Now imagine that our
secret_message.txtwas actually intercepted and tampered with by an attacker. You can simulate this by making any change to
secret_message.txt, e.g. change the message string to “Rock Chalk Jayhawk, go KSU!” Running verification on this modified message will now fail:
$ echo “Rock Chalk Jayhawk, go KSU!” > secret_message.txt $ openssl dgst -sha256 -verify public_key.pem -signature digital_signature secret_memo.txt $ Verification failure
That’s it! Digital signatures provide a convenient way to validate the origin and authenticity of a message.
Thanks for reading!