|
|
ONLINE FEATURES
Book Reviews
BW Video
Columnists
Interactive Gallery
Newsletters
Past Covers
Philanthropy
Podcasts
Special Reports
BLOGS
Auto Beat
Bangalore Tigers
Blogspotting
Brand New Day
Byte of the Apple
Economics Unbound
Eye on Asia
Fine On Media
Green Biz
Hot Property
Investing Insights
Management IQ
NEXT: Innovation
NussbaumOnDesign
Tech Beat
Working Parents
TECHNOLOGY
J.D. Power Ratings
Product Reviews
Tech Stats
Wildstrom: Tech Maven
AUTOS
Home Page
Auto Reviews
Classic Cars
Car Care & Safety
Hybrids
INNOVATION
& DESIGN Home Page Architecture Brand Equity Auto Design Game Room SMALLBIZ Smart Answers Success Stories Today's Tip INVESTING Investing: Europe Annual Reports BW 50 S&P Picks & Pans Stock Screeners Free S&P Stock Report SCOREBOARDS Hot Growth 100 Mutual Funds Info Tech 100 S&P 500 B-SCHOOLS Undergrad Programs MBA Blogs MBA Profiles MBA Rankings Who's Hiring Grads | |
AUGUST 10, 2004
By Stephen H. Wildstrom How a Digital Signature Works Microsoft's new Service Pack makes life tough for programs lacking the proper electronic credentials. Here's why A technology called public key cryptography makes it possible for you to make sure that the publisher of any piece of software that claims to be from Microsoft (MSFT ) or any other publisher really came from there. It has the added benefit of insuring that the contents weren't maliciously altered or damaged in transmission. Here's how it works: The publisher first has to obtain a digital certificate from a recognized "certificate authority" or CA (VeriSign (VRSN ) is the largest and best known CA in the U.S.). The publisher receives a private and a public key, each of which is a long number of about 300 digits. These are used to create a digital signature for each program (see BW Online, 8/10/04, "Windows of Vulnerability No More?"). When the software is ready to be posted for download, the publisher runs it through a mathematical process called a one-way hash which reduces it to a long number called the message digest. The message digest is then encrypted using the publisher's private key, and the result, which looks like a string of gibberish when displayed, is appended to the program when it's downloaded. HASH SLINGING. The trick of public key encryption -- the best known approach is called RSA for the initials of its inventors -- is that one key can be used to scramble the data while a different, mathematically related, key is used to unscramble it. When you download a digitally signed program, the first thing your computer does is check the Web site's digital certificate. It then queries the CA that issues the certificate to make sure it's still valid and to obtain the public key. When the download is complete, your computer uses the public key to decrypt the message digest. It also runs the same one-way hash procedure on the downloaded software. If everything is as it should be, the decrypted message digest and the one just created should be identical. If they differ by a single bit, something is wrong and the downloaded software will be rejected. For the curious, here's the message digest of the five paragraphs above (as plain text), created using the MD5 algorithm from RSA Data Security Inc: c21196eb8e026d47a67883d746c72c8d.  Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash Product Reviews, only at BusinessWeek Online
BW MALL
SPONSORED LINKS
Buy a link now!Get BusinessWeek directly on your desktop with our RSS feeds.  Add BusinessWeek news to your Web site with our headline feed. Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video. To subscribe online to BusinessWeek magazine, please click here. Learn more, go to the BusinessWeekOnline home page  | | |
 Copyright 2004, by The McGraw-Hill Companies Inc. All rights reserved.Terms of Use | Privacy Notice |
Printer-Friendly Version
