Verifying A Signed Message

The steps for verifying the signature of signed data are reviewed here. The following illustration depicts the individual tasks that must be accomplished; the list that follows it describes them.

    To verify the signature of a signed message
  1. Get a pointer to the signed message.
  2. Open a certificate store.
  3. Using the signer ID contained in the message, get the sender's certificate and get a handle to its public key.
  4. Alternative to steps 2 and 3: Use the certificate contained in the message to retrieve the signer's public key.
  5. Using the signer's public key, decrypt the digital signature, producing the original digest of the data in the message.
  6. Using the hash algorithm contained in the message, hash the data contained in the message, yielding a new digest.
  7. Compare the digest retrieved from the message with the new digest just created.
  8. If the two digests match, the signature is verified. This means that the private key that was used to sign the data matches the public key just used to decrypt the signature, and that the data has not changed since the data was signed.

    If the two digests do not match, the signature is not verified, and either the private/public keys do not match, or the data has been changed since the data was signed, or both.
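
The sketch below is an added example, not code from the original page or from CryptoAPI; it walks steps 5 through 8 with RSA and PKCS#1 v1.5 encoding in plain Python so each intermediate value can be inspected. Assumptions: the signer's public key has already been retrieved (steps 1 to 4 are skipped), the key is a constructed demo key built from two publicly known Mersenne primes and must never be used for real data, and the names `sign` and `verify` are hypothetical.

```python
import hashlib

# Constructed demo key (assumption): two Mersenne primes, so the arithmetic is
# easy to audit. These primes are public knowledge; this is not a usable key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, signer side only
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefixes (RFC 8017, section 9.2) identify the hash algorithm.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}

def _encode(data: bytes, alg: str) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo || digest."""
    t = DIGEST_INFO[alg] + hashlib.new(alg, data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(data: bytes, alg: str = "sha256") -> bytes:
    """Signer side, present only to produce a signature to verify."""
    m = int.from_bytes(_encode(data, alg), "big")
    return pow(m, D, N).to_bytes(K, "big")

def verify(data: bytes, signature: bytes, alg: str = "sha256") -> bool:
    """Steps 5-8: recover the signed digest, hash the data again, compare."""
    if len(signature) != K or alg not in DIGEST_INFO:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    # Step 5: apply the signer's public key to the signature.
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Step 6: hash the data with the algorithm named in the message.
    expected = _encode(data, alg)
    # Steps 7-8: compare the whole encoded block, not only the trailing
    # digest, so malformed padding or a different hash OID cannot pass.
    return recovered == expected

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("unchanged data:", verify(msg, sig))
    print("modified data: ", verify(msg + b"!", sig))
```
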