DevNet Associate DEVASC 200-901 Official Certification Guide by Adrian Iliesiu (z-lib.org)


You cannot prevent the data from being altered by
someone on the network, so the receiving element
(destination) must be able to detect whether data has
been modified and, if so, not pass the corrupted data to
the application. A one-way hash is used for this purpose.
The message hash (also called the message digest) is a
fingerprint of the data: if even a single bit of the data
changes, the digest changes as well. The hash function
itself is public, so anyone, including an attacker, can
compute the digest of any data; what an attacker cannot do
is craft modified data that produces the same digest as the
original (second-preimage resistance). That is why a
mismatch between the received data and its digest reliably
reveals tampering. The content of the hashed data cannot be
recovered from the hash (preimage resistance). This is why
it is called a one-way hash. Note that a plain digest sent
alongside the data detects only accidental corruption if
the attacker can rewrite the digest too; to detect
deliberate modification, the digest itself must be
protected, with a shared-key MAC or with a digital
signature, as described next.
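The following Go program is an added example, not code from the book, written against the standard library only. It computes the SHA-256 fingerprint of a constructed JSON payload, shows that a one-character change to the data breaks the digest check, shows that an attacker who can rewrite both the data and the digest simply recomputes it, and then closes that gap with a keyed HMAC that cannot be recomputed without the shared secret. The payload and the secret key are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 fingerprint of data. Same input, same fingerprint;
// any change to the input yields a different fingerprint.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// IntegrityOK recomputes the digest on the receiving side and compares it,
// in constant time, against the digest that arrived with the data.
func IntegrityOK(received, receivedDigest []byte) bool {
	return hmac.Equal(Digest(received), receivedDigest)
}

// Tag computes HMAC-SHA256 over data under a shared secret key. Unlike a plain
// digest, an attacker who does not hold the key cannot produce a valid tag for
// modified data, so the tag protects the fingerprint itself.
func Tag(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// TagOK recomputes the HMAC with the shared key and compares in constant time.
func TagOK(key, received, receivedTag []byte) bool {
	return hmac.Equal(Tag(key, received), receivedTag)
}

func main() {
	// Constructed sample payload (not from the book).
	original := []byte(`{"action":"add-route","prefix":"10.0.0.0/24","next_hop":"192.0.2.1"}`)
	tampered := bytes.Replace(original, []byte("192.0.2.1"), []byte("192.0.2.9"), 1)

	d := Digest(original)
	fmt.Println("digest(original): ", hex.EncodeToString(d))
	fmt.Println("digest(tampered): ", hex.EncodeToString(Digest(tampered)))
	fmt.Println("tampered data, original digest passes?   ", IntegrityOK(tampered, d))

	// An attacker who can rewrite the digest in transit just recomputes it;
	// an unkeyed hash cannot tell that apart from genuine data.
	fmt.Println("tampered data, recomputed digest passes? ", IntegrityOK(tampered, Digest(tampered)))

	// With a keyed MAC, a valid tag for the tampered data needs the secret key.
	key := []byte("constructed-shared-secret") // constructed for the example
	t := Tag(key, original)
	fmt.Println("tampered data, original tag passes?      ", TagOK(key, tampered, t))
	fmt.Println("tampered data, tag under guessed key?    ", TagOK(key, tampered, Tag([]byte("guess"), tampered)))
}
```

The comparisons use hmac.Equal rather than bytes.Equal so that the check does not leak, through timing, how many leading bytes of the digest or tag were correct.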


Digital Signatures


With an asymmetric key pair you can also use the private
key for encryption and the public key for decryption, the
reverse of the confidentiality case. Rather than
encrypting the data itself, you create a one-way hash of
the data and then use the private key to encrypt (sign)
the hash. The encrypted hash, along with other
information, such as the hashing algorithm, is known as a
digital signature. Figure 14-4 illustrates the use of a
digital signature to validate the integrity of signed
data. The data and the digital signature are sent across
the network. On the receiving end, two hashes are
obtained: one by hashing the received data and the other
by decrypting the digital signature using the sender's
public key. If the two hashes match, you know that the
data was not modified in transit and that the signature
was produced with the private key corresponding to that
public key; provided the public key is known to belong to
the sender (for example, through a certificate), the
identity of the sender is verified. An attacker who
changes the data cannot produce a matching signature
without the private key, and a signature made under some
other private key fails the check against the sender's
public key.


Figure 14-4 Digitally Signed Data
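The following Go program is an added example, not code from the book, of the signing and verification flow in Figure 14-4 using the standard library's RSA-PSS implementation. The sender hashes a constructed payload with SHA-256 and signs the digest with its private key; the receiver recomputes the digest and checks the signature with the sender's public key. It then shows the two failure modes the check must catch: data modified after signing, and a signature produced by an impostor's private key. The key pairs and payload are generated and constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes msg with SHA-256 and signs the digest with the sender's private
// key. The resulting signature travels alongside the (unencrypted) data.
// RSA-PSS is the modern padding scheme; PKCS#1 v1.5 is the older alternative.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest over the received data and checks the signature
// against the sender's public key. It returns true only if the data is
// unmodified and the signature was made with the matching private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// Sender's key pair, generated for the example.
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	// Constructed sample payload (not from the book).
	msg := []byte(`{"action":"add-route","prefix":"10.0.0.0/24","next_hop":"192.0.2.1"}`)
	sig, err := Sign(sender, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine data, genuine signature:      ", Verify(&sender.PublicKey, msg, sig))

	// Failure mode 1: the data is altered on the network after signing.
	tampered := bytes.Replace(msg, []byte("192.0.2.1"), []byte("192.0.2.9"), 1)
	fmt.Println("tampered data, genuine signature:     ", Verify(&sender.PublicKey, tampered, sig))

	// Failure mode 2: an impostor re-signs the tampered data with its own key.
	// The receiver checks against the sender's public key, so this also fails.
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	forged, err := Sign(impostor, tampered)
	if err != nil {
		panic(err)
	}
	fmt.Println("tampered data, impostor's signature:  ", Verify(&sender.PublicKey, tampered, forged))
}
```

The receiver never decrypts anything in the RSA-PSS API; the verify call performs the public-key operation and the comparison internally, which is the "decrypt the signature and compare hashes" step of the figure. What the code cannot show is the binding between the public key and the sender's identity: in practice the receiver obtains the public key from a certificate rather than trusting whatever key arrives with the message.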
