How can digital signatures assure the sender their message has been correctly received?



  • I am going through a short course on security. One of the videos is talking about non-repudiation in regards to cryptography and sending messages between Alice and Bob. This video talks about how digital signatures can be used to verify the sender of a message, which I understand (Bob decrypts the message with his private key, and then has access to the certificate which contains Alice's identity and a hash that can be verified with Alice's public key). It also talks about how Alice can be assured that Bob has received the message and that, in general, the message has been received by the correct party.

    It does not explain how this is possible though. I have seen some mention online that one method might be that Bob then sends a digital signature back to verify he has received the message. Is this indeed a method of doing this? Are there other methods to do this? If this method is right, how can Alice be sure that Bob isn't just randomly sending digital signature out, and has in fact seen the correct message?


  • QA Engineer

    PKI ensure that if the message reaches its destination it has not been altered (if signed with sender private key) and/or has not be compromissed (if crypted with recipient public key).

    If the sender wants to make sure that the recipient has actually received the message, a higher level protocol must be used. For example the recipient could send a signature of the original (optionaly decrypted) message using their private key. So if the round trip:

    A -> message signed with A private key -> B
    A <- signature of the original message with B private key <- B
    

    completes, then A can be sure that B has received the correct message.

    If you do not set up that round trip, even with modern system where the sender can be sure that the message reaches the recipient system, you have no protection against the message being destroyed between its arrival on a machine and the moment when the human being named B could read it.

    This would be more or less an implementation of what was the QSL in the early days of radio frequency message (mainly using Morse code). BTW that QSL was still in use in the 80's to ensure that a message had been received and understood (*): until the sender had not received a QSL to message number xxx they periodically try to send it again or try a phone call to know whether the recipient system was off or out of use (at least at French Met Office).


    (*) as QSL to message ... had to be manually sent, it meant that somebody could read the message number and declared having understanded the full message.


Log in to reply
 

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2