Even though it may seem obvious that a digital signature and a digital certificate are two different things, this question is commonly asked, especially by those who are new to information security. In this post I am going to give a brief answer; for those who want to learn more, I will include a link to a more detailed article.
So what is the difference between the two? Imagine this scenario…
- You received a confidential message from someone
- How can you make sure the message was not intercepted and tampered with?
- How can you make sure the one who sent you the message is the real person and not someone else impersonating him?
Both a digital signature and a digital certificate are used to achieve that. Let us see how...
- The sender converts the message into a hash. What is a hash?
- A hash is a one-way mathematical function that converts the message into some text or code. Away from the jargon: think of a hash as a concise and unique representation of the message.
- The sender encrypts the hash using his private key, attaches it to the message, and then sends both the message and the hash. What is a private key? You may need to check the link at the end of this post.
- The receiver (you) converts the received message into a hash (just like the sender did).
- The receiver (you) decrypts the attached hash using the public key of the sender. How can we get the public key of the sender? We use the sender's digital certificate. What is a digital certificate, then?
- A digital certificate is a document that associates a public key with a given person or name (e.g. a company).
- But anyone can create a certificate and pretend he is the sender. The solution to this problem is to have the certificate signed by a trusted third party called a certificate authority.
- The receiver compares the two hashes (the received one and the computed one). If they match, the message was not tampered with; an altered message would yield a different hash.
- The fact that the receiver was able to decrypt the received hash using the sender's public key also proves that the message was indeed sent by the sender and not someone else. The fact that the certificate is signed by a trusted certificate authority also proves that no one else tried to replicate that certificate.
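The whole flow above in working code, as an added example that is not part of the original post: a certificate authority issues the sender's certificate, the sender signs the SHA-256 hash of a message with her private key, and the receiver accepts the certificate only if it chains to the CA before checking the signature with the public key taken from it. It uses only Go's standard library; the CA name, the sender "alice@example.com", the impostor and the message are all constructed here, and Ed25519 stands in for the key type the post leaves unspecified.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func issueCert(name string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // no parent: a self-signed root, i.e. the CA's own certificate
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // signer must be the parent's private key
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a moment ago is well-formed
	return cert
}
func verifyMessage(msg, sig []byte, senderCert, caCert *x509.Certificate) error { // the receiver's side of the post
	roots := x509.NewCertPool() // the receiver's trust store holds only the CA
	roots.AddCert(caCert)
	if _, err := senderCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err) // not issued by a CA we trust
	}
	pub, ok := senderCert.PublicKey.(ed25519.PublicKey) // the public key comes from the certificate, not the message
	if digest := sha256.Sum256(msg); !ok || !ed25519.Verify(pub, digest[:], sig) { // re-hash exactly as the sender did
		return fmt.Errorf("signature does not match message")
	}
	return nil
}
func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	fakePub, fakeKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert := issueCert("Example Trust CA", caPub, nil, caKey)
	aliceCert := issueCert("alice@example.com", alicePub, caCert, caKey)
	fakeCert := issueCert("alice@example.com", fakePub, nil, fakeKey) // impostor's self-made certificate, same name
	msg := []byte("Transfer 100 EUR to account 42")                    // constructed sample message
	digest := sha256.Sum256(msg)
	sig := ed25519.Sign(aliceKey, digest[:]) // sender signs the hash with her private key
	fmt.Println("genuine: ", verifyMessage(msg, sig, aliceCert, caCert))
	fmt.Println("tampered:", verifyMessage([]byte("Transfer 900 EUR to account 42"), sig, aliceCert, caCert))
	fmt.Println("impostor:", verifyMessage(msg, ed25519.Sign(fakeKey, digest[:]), fakeCert, caCert))
}
```

The genuine case prints `<nil>`; the tampered copy fails at the hash comparison and the impostor, whose certificate no trusted CA signed, fails before his signature is even looked at.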
Here is a summary of differences in a tabular form:
| Digital signature | Digital certificate |
|---|---|
| A digital signature is a hash of a message or document. It is a representation of the message. | A digital certificate is a document that carries the sender's public key and personal information. The public key is needed to decrypt the hash of the message. |
| It is encrypted and attached to the message so that we can make sure the message was not tampered with and comes from the one we think sent it, not someone impersonating him. | A digital certificate needs to be trusted by a third party (i.e. a certificate authority). |
This was a quick summary. For more information about how all this works together, you may check the following article.