Thanks for the info first.
Actually, I have the question after reading "Php and Web development
4th edition" (Addison-Wesley) p354:
Digital signatures are related to public key cryptography but reverse
the role of public and private keys.A sender can encrypt and digitally
sign a message with her secret key. When the message is received, the
recipient can decrypt it with the sender’s public key. Because the
sender is the only person with access to the secret key, the recipient
can be fairly certain from whom the message came and that it has not
Digital signatures can be really useful.The recipient can be sure that
the message has not been tampered with, and the signatures make it
difficult for the sender to repudiate, or deny sending, the message.
It is important to note that although the message has been encrypted,
it can be read by anybody who has the public key.Although the same
techniques and keys are used, the purpose of encryption here is to
prevent tampering and repudiation, not to prevent reading.
Because public key encryption is fairly slow for large messages,
another type of algo- rithm, called a hash function, is usually used
to improve efficiency.The hash function calculates a message digest or
hash value for any message it is given. It is not important what value
the algorithm produces. It is important that the output is
deterministic—that is, that the output is the same each time a
particular input is used, that the output is small, and that the
algorithm is fast.
The most common hash functions are MD5 and SHA.
A hash function generates a message digest that matches a particular
message. If you have a message and a message digest, you can verify
that the message has not been tam- pered with, as long as you are sure
that the digest has not been tampered with.To this
** the usual way of creating a digital signature is to create a
message digest for the whole message using a fast hash function and
then encrypt only the brief digest using a slow public key encryption
algorithm.The signature can now be sent with the message via any
normal unsecure method.**
When a signed message is received, it can be checked.The signature is
decrypted using the sender’s public key.A hash value is then generated
for the message using the same method that the sender used. If the
decrypted hash value matches the hash value you generated, the message
is from the sender and has not been altered.
I don't understand how to work with the "**... **" parts in Rails
Then the book goes on next section: "Digital Certificates" which
should be the SSL. Therefore, as the books separate the idea. So I
don't know whether I should implement both.
Indeed, as I remembered, mostly, the session keys sensitive items
should be using https, e.g. login, signup.
Please correct me if I am wrong.
Thanks a bunch.