I'm studying for the Security+ exam with the help of Total Seminars' Udemy course and in one video they claim that a digital signature is generated by encrypting a message with the sender's private key and then hashing the result. The digital signature is then verified by encrypting the webpage with the sender's public key, hashing the result and then "comparing" with the other hash.

Not only is this explanation rather vague on the final steps of verification but I think it's straight up wrong. Doing some independent research I find this page that says "Digital signatures do this by generating a unique hash of the message or document and encrypting it using the sender’s private key."

This claims that the process happens the opposite way and it makes way more sense. However in the comment section of this particular video is a course moderator arguing with many commenters saying that the presenter hasn't gotten it wrong and that it "just works".

Can someone please settle this debate?

Retsek

1 Answer

There are two things wrong with the statement, '...a digital signature is generated by encrypting a message with the sender's private key and then hashing the result'.

  1. A digital signature is not created by encrypting anything with a private key. This is a common misunderstanding. See the answer by @dave_thompson_085 at Can OpenSSL decrypt the encrypted signature in an Amazon Alexa request to a web service? for more information as to why this is incorrect.

  2. The hash of the message is taken before the operation involving the private key, not after. See https://crypto.stackexchange.com/questions/12768/why-hash-the-message-before-signing-it-with-rsa for the reason that it's done this way.

mti2935
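The order the answer describes (hash first, then the private-key operation on the fixed-size digest; the verifier recomputes the digest and checks it against the public-key operation on the signature), as an added textbook-RSA illustration that is not from the question, the answer or the course. The primes are known Mersenne primes chosen only so the arithmetic is readable; the toy is far too small for real use, and real RSA signing additionally pads the digest (PSS or PKCS#1 v1.5), which is omitted here.

```python
"""Hash-then-sign with textbook RSA. Toy parameters, for illustrating the order only."""
import hashlib

# Toy key: two known Mersenne primes (constructed for readability, ~92-bit modulus).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent
D = pow(E, -1, PHI)       # private exponent (modular inverse; Python 3.8+)


def digest_int(message: bytes) -> int:
    """Step 1 of signing: hash the message to a fixed-size digest, as an integer.

    The reduction mod N is only needed because the toy modulus is smaller than a
    SHA-256 digest; a real 2048-bit modulus holds the padded digest directly.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: the private-key operation is applied to the digest, not to the message."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recompute the digest locally and compare it with the public-key operation
    applied to the signature. Nothing is 'decrypted': the verifier never recovers
    the message from the signature, it only checks that the two digests match."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)


def hash_after_private_op(message: bytes, d: int = D, n: int = N) -> bytes:
    """The order the course video describes: private-key operation first, hash last.

    Because a hash is one-way, a verifier holding only the public key has nothing it
    can recompute to compare against this value, so it cannot be checked.
    """
    m = int.from_bytes(message, "big") % n
    return hashlib.sha256(pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")).digest()


if __name__ == "__main__":
    msg = b"pay 100 to alice"
    sig = sign(msg)
    print("valid signature accepted:", verify(msg, sig))             # True
    print("tampered message rejected:", verify(b"pay 900 to alice", sig))  # False
```

Note that the RSA signing and verification operations here only look like RSA encryption and decryption because RSA is the one scheme where the two share their arithmetic; DSA, ECDSA and Ed25519 have no encryption operation at all, which is the answer's first point.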