Verifying a Digital Signature

Purpose

There are several reasons that you may want to verify a digital signature. For example:

·        You have received a digitally signed document and you want to verify the identity of the sender.

·        You want to verify the integrity of a signed document (for example, when auditing archives).

Prerequisites

Before you can verify a digital signature, you need the following:

·        The signed document that you want to verify.

·        The hash algorithm that the signer used for the signature.

·        Access to the signer's public key.

Process Flow

Generally, you indicate that you want to "verify" a digital signature, and the system does the rest.

Note

This may also include a part of a business workflow where the system requests the verification of a digital signature before proceeding.

The following diagram shows what happens when you verify a digital signature.

Figure: Verifying a Digital Signature

The following explains what happens at each step:

1.      The digitally signed document is divided into its components: the signed message digest and the document itself.

2.      The public key is applied to the signed message digest.

        The result is the message digest from the original document.

3.      The same hash algorithm that was used in the signing process is then applied to the document to be verified.

        The result is the message digest for the signed document.

4.      The two message digests are compared.

 

Result

The result is either the acceptance or denial of the digital signature, based on the following conclusions:

·        If the message digests are identical, then:

         -        The signer is who you think it is (that is, the signer is the owner of the private key that corresponds to the public key that you used to verify the signature).

         -        The document has not been altered after being signed.

·        If the two message digests are not identical, then:

         -        Either the document has been altered, or

         -        The signer is not who you think it is (that is, the message was signed with a key other than the private key that corresponds to the public key that you used in the verification).
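The four steps and the two outcomes above, as an added example that is not part of the original SAP documentation or SAP code. It assumes RSA with PKCS #1 v1.5 encoding, since the page names no algorithm; in that scheme the value recovered in step 2 is the digest wrapped in padding and a hash identifier, so step 4 compares the whole padded block. The key, the sample documents and all function names are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption): both primes are Mersenne primes, so the
# modulus is trivially factorable. It exists only to make this runnable offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # signer's private exponent
PUBLIC_KEY = (N, E)

# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def encoded_digest(document: bytes, hash_alg: str, k: int) -> bytes:
    """Hash the document and pad the digest to k bytes (EMSA-PKCS1-v1_5)."""
    t = PREFIX[hash_alg] + hashlib.new(hash_alg, document).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(document: bytes, hash_alg: str) -> dict:
    """Signer side; present only to build sample input for verify()."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(encoded_digest(document, hash_alg, k), "big")
    return {"document": document, "signature": pow(m, D, N).to_bytes(k, "big")}

def verify(signed: dict, hash_alg: str, public_key: tuple) -> bool:
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    document, signature = signed["document"], signed["signature"]   # step 1
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")                      # step 2
    expected = encoded_digest(document, hash_alg, k)                 # step 3
    return hmac.compare_digest(recovered, expected)                  # step 4

def demo() -> dict:
    signed = sign(b"Invoice 4711: pay 100 EUR", "sha256")   # constructed sample
    altered = dict(signed, document=b"Invoice 4711: pay 900 EUR")
    return {
        "genuine": verify(signed, "sha256", PUBLIC_KEY),
        "altered document": verify(altered, "sha256", PUBLIC_KEY),
        "wrong hash algorithm": verify(signed, "sha1", PUBLIC_KEY),
        "other public key": verify(signed, "sha256", (N, 257)),
    }

if __name__ == "__main__":
    print(demo())
```

Rebuilding the expected padded block and comparing it whole, rather than parsing the recovered bytes, is the comparison RFC 8017 specifies for this scheme.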

 
