Introduction
Welcome to the lab on Digital Signatures with RSA. A digital signature is a cryptographic mechanism used to verify the authenticity and integrity of digital messages or documents. It provides assurance that the message was created by a known sender (authenticity) and that it was not altered in transit (integrity).
In this lab, you will get hands-on experience with the entire lifecycle of a digital signature. We will use the openssl command-line tool, a robust and versatile utility for cryptographic tasks. You will learn how to generate a signature using a private key and how to verify it using the corresponding public key. By the end, you will have a practical understanding of how digital signatures secure our digital communications.
Digital Signature Concept
In this step, we will begin by understanding the core concept of a digital signature. A digital signature is created by the sender using their private key. This key is kept secret and is known only to the sender. The signature can then be verified by anyone who has the sender's corresponding public key.
This process provides two critical security guarantees:
- Authenticity: Since only the sender has the private key, a valid signature proves that the message originated from them.
- Integrity: The signature is mathematically tied to the content of the message. If the message is altered in any way, the signature will no longer be valid.
To facilitate this lab, the setup process has already generated an RSA key pair for you: private.pem (your secret key) and public.pem (your shareable key). It also created a file named message.txt. Let's list the files in our project directory to see them.
Execute the following command in your terminal:
ls -l
You should see the files that have been prepared for you:
-rw-rw-r-- 1 labex labex 55 Oct 20 09:20 document.txt
-rw-rw-r-- 1 labex labex 26 Oct 20 09:20 message.txt
-rw------- 1 labex labex 1704 Oct 20 09:20 private.pem
-rw-rw-r-- 1 labex labex 451 Oct 20 09:20 public.pem
Now that we have our keys and a message, we are ready to create our first digital signature.
Sign Message with Private Key
In this step, you will create a digital signature for the message.txt file. The process involves two main actions: first, creating a cryptographic hash (a unique fixed-size string of bytes) of the message, and second, encrypting that hash with your private key. The result is the digital signature.
We will use the openssl dgst command to perform this operation. Let's run the command to sign message.txt.
openssl dgst -sha256 -sign private.pem -out signature.bin message.txt
Let's break down this command:
openssl dgst: This invokes the OpenSSL digest command.-sha256: This specifies the SHA-256 algorithm to create the message hash.-sign private.pem: This tells OpenSSL to sign the hash using the specified private key,private.pem.-out signature.bin: This specifies the output file where the resulting binary signature will be stored.message.txt: This is the input file that we are signing.
After running the command, a new file named signature.bin will be created. This file contains the digital signature. You can verify its creation by listing the files again.
ls -l
You will now see signature.bin in the file list:
-rw-rw-r-- 1 labex labex 55 Oct 20 09:20 document.txt
-rw-rw-r-- 1 labex labex 26 Oct 20 09:20 message.txt
-rw------- 1 labex labex 1704 Oct 20 09:20 private.pem
-rw-rw-r-- 1 labex labex 451 Oct 20 09:20 public.pem
-rw-rw-r-- 1 labex labex 256 Oct 20 09:26 signature.bin
Verify Signature with Public Key
In this step, we will play the role of a recipient who wants to verify the signature. To do this, the recipient needs three things: the original message (message.txt), the digital signature (signature.bin), and the sender's public key (public.pem).
The verification process reverses the signing process. OpenSSL will use the public key to decrypt the signature, revealing the original hash. It will then independently compute a new hash of the message it received. If the two hashes match, the signature is valid.
Let's use openssl dgst again, but this time with the -verify option.
openssl dgst -sha256 -verify public.pem -signature signature.bin message.txt
Here's the breakdown of the verification command:
-verify public.pem: This tells OpenSSL to verify a signature using the specified public key,public.pem.-signature signature.bin: This specifies the signature file to be verified.message.txt: This is the original message file that the signature is supposed to correspond to.
If the signature is valid, OpenSSL will output the following message:
Verified OK
This confirmation means two things: the message was definitely signed by the owner of the private.pem key, and the content of message.txt has not been changed since it was signed.
Sign File with Private Key
In this step, we will reinforce the signing process by applying it to a different file. This will help solidify your understanding of how a signed hash is created and used. We have another file in our directory named document.txt. We will now create a digital signature for this document.
The procedure is identical to what we did in Step 2. We will generate a SHA-256 hash of document.txt and then sign that hash with our private.pem key.
Let's create the signature and save it to a file named document.sig.
openssl dgst -sha256 -sign private.pem -out document.sig document.txt
This command creates a new signature file, document.sig, which is specific to the current content of document.txt. Any change to the document would require a new signature to be generated.
Let's list the files to confirm that document.sig has been created.
ls
You should see the new signature file in the output:
document.sig document.txt message.txt private.pem public.pem signature.bin
Now we have a signed document, which we will use in the next step to demonstrate the integrity-checking power of digital signatures.
Test Signature Tampering
In this final step, we will demonstrate the most critical feature of a digital signature: integrity protection. We will intentionally tamper with the document.txt file after it has been signed and then attempt to verify it with the original signature. This will show how digital signatures prevent unauthorized modifications.
First, let's add some text to the document.txt file. This simulates an attacker altering the document.
echo "This is an unauthorized change." >> document.txt
The content of document.txt has now changed. The original signature, document.sig, was created based on the file's previous content.
Now, let's try to verify the modified document.txt file using the original signature document.sig and the public key.
openssl dgst -sha256 -verify public.pem -signature document.sig document.txt
This time, the verification will not succeed. Instead, you will see an error message similar to:
Verification failure
805BA484597F0000:error:02000068:rsa routines:ossl_rsa_verify:bad signature:../crypto/rsa/rsa_sign.c:430:
805BA484597F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:774:
This failure is the expected outcome. It happens because the hash of the modified document.txt no longer matches the hash that was encrypted inside document.sig. This instantly proves that the file has been tampered with since it was signed. This mechanism is fundamental to trusting digital documents and communications.
Summary
In this lab, you have successfully learned the practical application of digital signatures using RSA and OpenSSL.
You have walked through the entire process:
- Understood the core concepts of authenticity and integrity provided by digital signatures.
- Used a private key (
private.pem) to sign a message and create a signature file. - Used the corresponding public key (
public.pem) to verify the signature and confirm the message's authenticity. - Witnessed a
Verification failureafter intentionally tampering with a signed file, demonstrating how digital signatures protect data integrity.
This hands-on experience provides a solid foundation for understanding how trust is established in the digital world, a crucial concept in cybersecurity and modern computing.
