Encryption keeps a message secret — a snooper on the wire sees only ciphertext. But secrecy answers only one of the questions that matter online. Suppose an email arrives that says "This is your bank. Transfer £500 to account 12345678." Two new worries appear that encryption alone does nothing about:
A digital signature answers both at once. It is a small piece of data attached to a message that lets anyone check that it genuinely came from a particular sender and that not one bit has been altered since they signed it. It cleverly combines the two ideas you already know — asymmetric key pairs and hashing — to do something neither could do alone.
A digital signature is built from two tools from earlier pages, so it's worth a quick recap of exactly what each one gives us.
Hold those two facts in mind: a signature proves identity using the key pair, and proves the message is unchanged using the hash.
Here is the whole recipe for the sender (call her Alice):
Because Alice is the only person on Earth who holds her private key, she is the only person who could have produced that particular signature for that message. That is what ties the signature to her.
Now the receiver (Bob) checks it. He has Alice's public key.
Follow the whole flow, step by step:
Notice how a tampered message breaks the check: if an attacker alters even one character, Bob's digest B no longer matches digest A, and the signature fails. And because they can't produce a valid new signature (that would need Alice's private key), they can't fix it either.
A valid digital signature delivers three properties at once:
Note what it does not do: a signature does not keep the message secret. The message still travels in the clear alongside its signature. If Alice also wants secrecy, she encrypts the message for Bob as well as signing it — the two are independent jobs, often used together.
The code below is a toy to show the logic (real signatures use industrial
hashing and asymmetric maths, not this). sign hashes the message and "encrypts" the
digest with a private secret; verify "decrypts" with the matching public secret and
checks it against a fresh hash. Press Run and watch the genuine message pass and
the tampered one fail:
The genuine message verifies; the tampered one does not, because its hash no longer matches the
digest hidden inside the signature. That single false is integrity and authenticity
working.
This trips up almost everyone, so pin it down. A key pair is used in two opposite ways depending on the goal:
It flips because the two goals are mirror images. Secrecy asks "only one person should be able to read this" — so lock with the key everyone has and unlock with the key one person has. A signature asks "everyone should be able to check that one person made this" — so lock with the key one person has and unlock with the key everyone has. Same key pair, opposite roles. If you ever "sign with a public key" you've got it backwards.
There's a hole in the story. Verifying Alice's signature needs Alice's genuine public
key. But what if an attacker, Mallory, hands Bob her own public key while
claiming it's Alice's? Then Mallory can sign messages with her private key, Bob verifies
them against the fake "Alice" public key, and they look perfectly authentic. The maths is sound —
the problem is Bob was given the wrong key. Nothing so far tells him which public key really
belongs to Alice (or to www.yourbank.co.uk).
This is the key-distribution problem, and the fix is a digital certificate.
A digital certificate is a small document that binds a public key to an identity (a person, or a website's domain name). Crucially, the certificate is itself digitally signed — not by the owner, but by a trusted third party called a Certificate Authority (CA) (real examples: DigiCert, Let's Encrypt, GlobalSign).
A certificate typically contains:
www.bbc.co.uk);Now the trust becomes a chain. Your browser ships with a built-in list of a few trusted CAs and their public keys. When a site presents its certificate, the browser uses the CA's public key to verify the CA's signature on it (exactly the sign/verify process from above!). If it checks out, the browser trusts that the public key inside really does belong to that domain — because a CA it already trusts has vouched for the mapping.
This is the machinery behind the HTTPS padlock. When you visit an
https:// site, the server sends its certificate; your browser verifies the CA's
signature and checks the domain and expiry. Only if everything holds does it show the padlock and
set up the encrypted connection. So the padlock isn't just "encrypted" — it also means "a trusted
CA vouches that this is really who it claims to be."
A certificate doesn't create trust out of nothing — it delegates it to the CA. That has two consequences worth remembering:
She can copy it — but a signature is bound to one exact message. Reuse it on any different message and the receiver's fresh hash won't match the digest inside the signature, so verification fails. To make a valid signature for a new message she'd need to encrypt that message's hash with Alice's private key — which she doesn't have. This is exactly why the hash step matters: it welds the signature to the precise bytes of the message.
Not at all — and the difference is the whole point. A scanned or drawn "signature" is just an image; anyone can copy-paste it onto any document, and it says nothing about whether the text was changed. A digital signature is computed from the message's contents with a private key, so it detects tampering and can't be transplanted onto another document. It's cryptography, not a picture.