I separate the concept into 3 topics. First, we use the simplest but no efficient way to solve it. Second, we apply the digital signature way. Finally, we introduce secure boot that has the same concept.
Let's consider the use case. A client sends a request M1 to a server, and the server want to verify the M1 is sent by the the client. We can use asymmetric encryption/decryption to build a secure communication.
- The client generates key pairs, public key (PubC) and private key (PrvC).
- The client keeps PrvC and sends PubC to the server.
- Before the client sends the request M1, it encrypt M1 with PrvC to get Cipher.
- The client sends M1+Cipher to the server.
- The server decrypt Cipher with PubC to get M.
- The server compare M and M1. If both are same, the server make sure that M1 is owned by Client.
We use Digest instead of Cipher. Digest is calculated by SHA algorithm for M1. The size of digest SHA-1 is 20 bytes. The size of digest SHA-256 is 32 bytes. The digest is too small so that we can use RSA to encrypt/decrypt it.
We can apply digital signature in secure boot, BIOS verifies if an OS loader is released by a OS vendor before running the OS loader. Before the OS vendor releases a version OS, the vendor signs the OS loader with private key and provides the public key to a BIOS vendor. Please refer the pages for the details of secure boot. The concept of secure boot comes from digital signature.
How to Draw a Beautiful Flow Chart? (E.g., secure boot)