
Alice wants to send a contract with a digital signature that enforces nonrepudiation to Bob. Which of the following best describes the process of generating the digital signature? (Wentz QOTD)
A. Generate a message authentication code of the contract using SHA
B. Generate the contract digest encrypted by Bob’s public key
C. Encrypt the hash value of the contract using Alice’s private key
D. Produce a ciphertext of the contract digest using a secret key agreed by Diffie-Hellman
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Encrypt the hash value of the contract using Alice’s private key.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Encrypting the fingerprint of the code using your private key, or hashing the code and encrypting the result using your private key, are rewordings of generating a digital signature.
- Generating a message authentication code of the contract using SHA ensures authenticity of data origin and integrity, but not non-repudiation: the MAC key is shared with the verifier, so Bob could have produced the same code himself.
- The contract digest encrypted by Bob’s public key is not a digital signature of Alice.
- Producing a ciphertext of the contract digest using a secret key agreed by Diffie-Hellman is a distractor. Diffie-Hellman is used for key agreement/exchange instead of encryption.
A digital signature ensures non-repudiation, data integrity, and authenticity. Technically, a digital signature is nothing more than the hash of an object signed by a subject’s private key.
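As an added illustration (not code from the original post), textbook RSA with toy, constructed parameters shows the mechanics of option C (hash, then exponentiate with Alice's private key, verify with her public key) and, for contrast, option A, where the HMAC key is shared and so proves nothing about who produced the tag. The primes, exponent and contract text are assumed values for the demo only.

```python
import hashlib
import hmac

# Toy RSA key pair (constructed for illustration only; real keys use 2048-bit
# or larger moduli and a padding scheme such as PSS, per FIPS 186-4).
P, Q = 1000003, 1000033              # two primes, hypothetical values
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

ALICE_PUBLIC = (E, N)
ALICE_PRIVATE = (D, N)

# Constructed sample contract.
CONTRACT = b"Alice agrees to deliver 100 units to Bob by 2025-01-31."


def contract_digest(contract: bytes, n: int) -> int:
    """SHA-256 the contract and reduce to an integer below n.

    The reduction is only needed because the toy modulus is far smaller
    than a 256-bit hash; real schemes pad the hash to the modulus size.
    """
    return int.from_bytes(hashlib.sha256(contract).digest(), "big") % n


def sign(contract: bytes, private_key) -> int:
    """Option C: the hash 'encrypted' (exponentiated) with the private key."""
    d, n = private_key
    return pow(contract_digest(contract, n), d, n)


def verify(contract: bytes, signature: int, public_key) -> bool:
    """Anyone holding Alice's public key recovers the hash and compares it."""
    e, n = public_key
    return pow(signature, e, n) == contract_digest(contract, n)


def mac(contract: bytes, shared_key: bytes) -> str:
    """Option A: HMAC-SHA256. Both Alice and Bob hold shared_key, so a valid
    tag cannot show which of them produced it (no non-repudiation)."""
    return hmac.new(shared_key, contract, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    sig = sign(CONTRACT, ALICE_PRIVATE)
    print("signature verifies:", verify(CONTRACT, sig, ALICE_PUBLIC))
    print("amended contract verifies:",
          verify(CONTRACT + b" (amended)", sig, ALICE_PUBLIC))
    key = b"shared-secret"   # constructed; known to Alice and Bob alike
    print("tag from Alice == tag Bob can make:",
          mac(CONTRACT, key) == mac(CONTRACT, key))
```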


FIPS 186-4 approves three digital signature techniques: DSA, RSA, and ECDSA, as the following screenshot from the standard shows:

Non-repudiation

- Non-repudiation has both technical and legal significance. Technical non-repudiation can be realized through a digital signature, while legal non-repudiation is legally binding.
- A digital signature that is legally binding is one form of electronic signature. However, not all digital signatures are legally binding.
Alice wants to send Bob a contract with a digital signature that provides non-repudiation. Which of the following best describes the process of generating the digital signature? (Wentz QOTD)
A. Generate a message authentication code (MAC) of the contract using SHA
B. Generate the contract digest encrypted with Bob’s public key
C. Encrypt the hash value of the contract using Alice’s private key
D. Produce the ciphertext of the contract digest using a key agreed through Diffie-Hellman