Share via


Creating Digital Signatures

A version of this page is also available for

Windows Embedded CE 6.0 R3

4/8/2010

The following table shows the functions applications can use to compute secure digests of data and to create and verify digital signatures.

Function Description

CryptCreateHash

Creates an empty hash object.

CryptDestroyHash

Destroys a hash object.

CryptGetHashParam

Retrieves a hash object parameter.

CryptHashData

Hashes a block of data, adding it to the specified hash object.

CryptHashSessionKey

Hashes a session key, adding it to the specified hash object.

CryptSetHashParam

Sets a hash object parameter.

CryptSignHash

Signs the specified hash object.

CryptVerifySignature

Verifies a digital signature, given a handle to the hash object that was signed.

To create a digital signature from a message, create a hash value, also known as a message digest, from the message. Then, use the signer's private key to sign the hash value. The following illustration shows the process for creating a digital signature.

Aa923693.e36eda2f-6f46-4d15-be08-3b5cd82e3935(en-us,MSDN.10).gif

To verify a digital signature, both the message and the signature are required. First, a hash value must be created from the message in the same way as it was done when the signature was created. This hash value is then verified against the signature, using the public key of the signer. If the hash value and the signature match, you can be confident that the message is the one originally signed and that it has not been tampered with. The following illustration shows the process of verifying a digital signature.

Aa923693.f4858023-1f2c-43c1-969f-925283705582(en-us,MSDN.10).gif

A hash value consists of a small amount of binary data, typically 160 bits. It is produced using a hashing algorithm.

All hash values share the following properties, regardless of the algorithm used:

  • A hash value is of a fixed length, regardless of the size of the message.
  • Every pair of nonidentical messages translates into a different hash value, even if the two messages differ only by a single bit. Using today's technology, it is not feasible to discover a pair of messages that translate to the same hash value without breaking the hashing algorithm.
  • All hashing algorithms are fully deterministic. That is, each time a particular message is hashed using the same algorithm, the same hash value is produced.
  • All hashing algorithms are one-way. Given a hash value, it is not possible to recover the original message. In fact, none of the properties of the original message can be determined with the hash value alone.

See Also

Concepts

Microsoft Cryptographic System

Other Resources

Cryptography
Certificates