Digital Signature Simulator

Sign and verify messages using public key cryptography

Step 1: Generate Key Pair

Create a public/private key pair for signing and verification

🔐 Private Key (Keep Secret!)

Used to sign messages. Never share this!

Click "Generate New Key Pair" to create keys

🔓 Public Key (Share Freely)

Used to verify signatures. Can be shared with anyone.

Click "Generate New Key Pair" to create keys

Step 2: Sign a Message

Enter a message and sign it with your private key

Digital Signature:

Step 3: Verify Signature

Verify that the signature is valid using the public key

Tamper Detection Demo

See what happens when you modify a signed message

Certificate Chain Visualization

Understand how trust flows from root CA to end-entity certificates

🏛️ Root CA Certificate

Subject: GlobalTrust Root CA

Issuer: Self-signed

Status: Pre-trusted (in browser/OS)

This certificate is self-signed and trusted because it's pre-installed

🔒
↓ signs ↓

🏢 Intermediate CA Certificate

Subject: GlobalTrust Intermediate CA

Issuer: GlobalTrust Root CA

Status: Trusted (signed by Root CA)

This certificate's signature can be verified using the Root CA's public key

🔐
↓ signs ↓

🌐 Website Certificate

Subject: www.example.com

Issuer: GlobalTrust Intermediate CA

Status: Valid (verified through chain)

This certificate proves the website's identity and provides its public key

🌐

How Verification Works:

  1. Browser receives website certificate
  2. Checks if website cert is signed by intermediate CA (using intermediate's public key)
  3. Checks if intermediate cert is signed by root CA (using root's public key)
  4. Root CA is pre-trusted (installed in browser/OS)
  5. If entire chain is valid → connection is trusted

Real-World Examples

🌐 HTTPS (Website Security)

Use case: Secure web browsing

How it works:

  • Website has certificate with public key
  • Certificate signed by trusted CA
  • Browser verifies certificate chain
  • Encrypted connection established

What it proves: Website identity and encryption capability

📧 Email Signing (S/MIME)

Use case: Verify email sender and detect tampering

How it works:

  • Sender signs email with private key
  • Recipient verifies with sender's public key (from certificate)
  • Any modification breaks signature

What it proves: Sender authenticity and message integrity

💿 Code Signing (Software)

Use case: Verify software hasn't been tampered with

How it works:

  • Developer signs software with private key
  • OS verifies signature before installation
  • Warning shown if signature invalid

What it proves: Software authenticity and developer identity

Bitcoin Transactions

Use case: Authorize cryptocurrency transfers

How it works:

  • Private key controls Bitcoin wallet
  • Sign transaction to send coins
  • Network verifies signature with public key

What it proves: Ownership and authorization to spend

Help

What is a Digital Signature?

A digital signature is a mathematical scheme that proves:

  • Authentication: Who sent the message
  • Integrity: Message hasn't been modified
  • Non-repudiation: Sender can't deny sending it

How it works:

  1. Hash the message (creates fixed-size digest)
  2. Encrypt hash with private key (creates signature)
  3. Attach signature to message
  4. Recipient decrypts signature with public key
  5. Recipient hashes message and compares
  6. If hashes match, signature is valid
How Do Public/Private Keys Work?

Key pair: Two mathematically related keys generated together

Properties:

  • What one key encrypts, only the other can decrypt
  • Cannot derive private key from public key
  • Must be kept as matched pair

For signatures:

  • Private key: Signs messages (keep secret!)
  • Public key: Verifies signatures (share freely)

For encryption:

  • Public key: Encrypts messages (share freely)
  • Private key: Decrypts messages (keep secret!)
What is a Certificate?

A digital certificate binds a public key to an identity (person, website, organization).

Certificate contains:

  • Subject: Who owns the certificate
  • Public Key: The actual public key
  • Issuer: CA that signed the certificate
  • Validity Period: Start and end dates
  • Signature: CA's signature on all this data

Purpose: Without certificates, how do you know a public key actually belongs to who you think it does? Certificates solve this by having a trusted CA vouch for the binding.

What is a Certificate Authority (CA)?

A Certificate Authority is a trusted entity that issues digital certificates.

What CAs do:

  • Verify identity before issuing certificates
  • Sign certificates with their private key
  • Maintain revocation lists
  • Provide OCSP services

Trust model:

  • Root CAs are pre-installed in OS/browsers
  • Intermediate CAs signed by roots
  • End-entity certificates signed by intermediates
  • Chain of trust flows from root down

Major CAs: DigiCert, Let's Encrypt, GlobalSign, Sectigo

What is the Certificate Chain?

The certificate chain (or chain of trust) connects an end-entity certificate to a trusted root CA.

Chain structure:

  1. Root CA: Self-signed, pre-trusted
  2. Intermediate CA(s): Signed by root or another intermediate
  3. End-entity certificate: Signed by intermediate, identifies website/person

Why intermediates?

  • Keep root CA offline (more secure)
  • Can revoke intermediate without affecting root
  • Flexibility in certificate issuance
Why Hash Before Signing?

Messages are hashed before signing for three reasons:

  1. Efficiency: Hash is fixed size (256 bits), message can be gigabytes. Signing 256 bits is much faster than signing gigabytes.
  2. Security: Hash provides integrity checking. Any change to message changes hash.
  3. Algorithm limitations: RSA can only sign data smaller than key size. Hash ensures data fits.

Example:

  • 1 GB file → 256-bit SHA-256 hash
  • Sign 256 bits instead of 1 GB
  • Verification: re-hash file and check signature
What Happens if Message is Tampered?

Digital signatures are tamper-evident:

  1. Original message is hashed and signed
  2. Attacker modifies message
  3. Verifier re-hashes modified message
  4. New hash doesn't match signature
  5. Verification fails!

Even tiny changes break signature:

  • Changing one character
  • Adding a space
  • Modifying punctuation

Important: This proves message was tampered with, but signature itself remains valid for the original message.