Abstract
- The purpose of a digital signature is to prove that something claimed to come from one party really comes from that party, and that it is unchanged from the moment it leaves that party until we receive it
Prevent Man-in-the-middle Attack
See ‘Digital Signature in X.509 Certificate’ below for more details.
Digital Signature in X.509 Certificate
The digital signature in an X.509 certificate gives the client confidence that the certificate is from the desired server and was not maliciously modified along the way (man-in-the-middle attack).
The signature is a piece of ciphertext, generated by encrypting the hash digest of the X.509 certificate with the private key of the signer, the Certificate Authority (CA). The CA's public key is distributed to the client, which uses it to decrypt the ciphertext and obtain the hash digest. The client then hashes the X.509 certificate itself and compares the two hash digests. If they match, the received X.509 certificate is indeed from the desired server and has not suffered a malicious man-in-the-middle attack.
Doesn't work well on a document that is too short
When the document is too short, it is vulnerable to a brute-force attack. We can first run a hash function on the document, then add a bit of padding to the hash digest before signing.
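The sign-and-verify flow from the X.509 section, combined with the hash-then-pad step described here, as an added example that is not part of the original notes. It assumes RSA with SHA-256 and the PKCS#1 v1.5 padding layout. The key is a constructed toy key built from two publicly known Mersenne primes, so it is not secure, and the certificate bytes are constructed sample data.

```python
import hashlib
import hmac

# Constructed toy CA key (assumption for this example): both primes are
# well-known Mersenne primes, so this key protects nothing.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # CA public key, given to clients
D = pow(E, -1, (P - 1) * (Q - 1))        # CA private exponent, kept by the CA
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# ASN.1 DigestInfo header that marks the digest as SHA-256 (PKCS#1 v1.5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def pad_digest(data: bytes) -> bytes:
    """Hash first, then pad the digest up to the full modulus size.

    A 2-byte document and a 2-megabyte one both become a K-byte block,
    which is the fix for the short-document problem."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def ca_sign(cert_body: bytes) -> bytes:
    """CA side: apply the private key to the padded digest."""
    m = int.from_bytes(pad_digest(cert_body), "big")
    return pow(m, D, N).to_bytes(K, "big")

def client_verify(cert_body: bytes, signature: bytes) -> bool:
    """Client side: apply the CA public key to the signature, hash the
    received certificate independently, and compare the results."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Compare the whole padded block, not just the trailing digest bytes,
    # so a signature with malformed padding is rejected too.
    return hmac.compare_digest(recovered, pad_digest(cert_body))

if __name__ == "__main__":
    cert = b"subject=CN=example.test;pubkey=<constructed placeholder>"
    sig = ca_sign(cert)
    modified = cert.replace(b"example.test", b"other.test")
    print("untouched certificate verifies:", client_verify(cert, sig))
    print("modified certificate verifies: ", client_verify(modified, sig))
```

Real certificates are verified with a vetted cryptographic library and a CA key of proper size; the structure of the check is the same.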