What is a digital signature

ProtonMail employs several methods to protect your privacy and your security. One method of protecting data from being read by outsiders is our encryption. However, encryption alone does not guarantee the authenticity of the data. For that, ProtonMail uses a technology called digital signatures.

Digital signatures are similar in some ways to physical signatures except that each signature only applies to a specific piece of data, such as a message body or contact. Successful verification of the digital signature on a message body ensures that the author really did send the message and that the message has not been tampered with or otherwise changed. In the case of your contacts, they are signed with your encryption keys and verification of a contact’s digital signature ensures that no one but you has modified the contact.

The signing process

Signing data consists of several steps. First, a unique hash is generated from the data. A hash is a value generated by a hash function, which maps data of arbitrary size to a value of fixed size. Some of the vital properties of such a hash function are that each input will have a different hash and that it is impossible to recover the original data from this hash (the functions are ‘one-way’). We will see in the verification process why this hash function is critical to the security of the signing process.

The next step is to sign this hash. One computes the signature of this hash using a signature algorithm (e.g. RSA or DSA) and the signer’s private key.

Different signing algorithms can be used at this step, so there is no single explanation of how this step works. But to illustrate, we will consider the RSA algorithm.

In RSA, signing a message is equivalent to encrypting the hash of the message with your private key (meanwhile, the data itself is encrypted with your public key). Due to the specific properties of RSA, this allows anyone to decrypt the signature if they have the public key corresponding to the private key. However, this is not necessarily the case for every signature algorithm.

The verification process

To verify a signature, the verifier needs three things: the signature itself, the content that the signature signs (this can be the decrypted data or the encrypted data, depending on the signature method) and the public key belonging to the author of the content. For OpenPGP, the encryption scheme used by ProtonMail, the signature hashes are taken over the decrypted content and thus the signature can only be verified if decryption succeeds.

The next step is to generate a hash of the data, using the hash function chosen by the signature type. The verification algorithm will then verify the signature in a way that depends on the algorithm.

For example, RSA will perform the same process as when decrypting data, but instead of using the recipient’s private key, the sender’s public key will be used. After this step, the algorithm only has to check whether the hash of the received data is equal to the hash recovered from the signature in order to verify the digital signature.
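
The hash-then-sign and verify steps described above, as an added example that is not ProtonMail's code: it uses textbook RSA without the padding that OpenPGP implementations apply, and SHA-256 as the hash. The key is constructed from two publicly known Mersenne primes purely so the block is self-contained; the names `sign`, `verify` and `digest` are illustrative.

```python
import hashlib

# Constructed demo key (assumption): both primes are public Mersenne primes,
# so this modulus is trivially factorable and only serves the illustration.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest(data: bytes) -> int:
    """Map data of any size to a fixed-size value (SHA-256, as an integer)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Hash the data, then apply the RSA private-key operation to the hash."""
    return pow(digest(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Recover the signed hash with the public key and compare it with
    a fresh hash of the received data."""
    if not 0 <= signature < N:
        return False                # out-of-range values are never valid
    recovered = pow(signature, E, N)
    return recovered == digest(data)


if __name__ == "__main__":
    message = b"Meet at 10:00 in room 4."   # constructed sample message
    sig = sign(message)

    # Anyone holding the public key (N, E) can recover the hash that was signed.
    print("recovered hash matches:", pow(sig, E, N) == digest(message))
    print("original message:      ", verify(message, sig))
    # One changed character gives a different hash, so verification fails.
    print("tampered message:      ", verify(b"Meet at 11:00 in room 4.", sig))
    # A modified signature no longer maps back to the message hash.
    print("tampered signature:    ", verify(message, sig + 1))
```

Verification needs only `N` and `E`, which is why the signer can publish them while keeping `D` private.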