First, one needs to know the relationship between the keys in asymmetric cryptography (the public and the private) in order to understand how digital signatures work.
The public key is available to everyone. The private key is known only by the owner and can’t be derived from the public one. When something is encrypted with the public key, only the corresponding private key can decrypt it. Moreover, when something is encrypted with the private key, then anyone can verify it with the corresponding public key. Now, let’s return to the story of Mark and Kevin to better understand how it works.
Mark’s private key is used to encrypt the hash of the document. That encrypted hash is called a digital signature. Mark sends Kevin the document with the appended digital signature of the document. Kevin uses Mark’s public key to decrypt the digital signature. Then, Kevin calculates the hash of the document and compares it to the decrypted digital signature of the document, which is the hash of the document. When those hashes match, Kevin knows who the sender of the message really is, and exactly which message was sent. The property of non-repudiation is achieved by using a digital signature.
There’s one question remaining. How does Kevin know that the public key is really the one from Mark? There might be a man-in-the-middle introducing themselves as Mark. A digital certificate is used to solve that problem. Kevin gets the digital certificate from Mark, which includes Mark’s public key and his name. The certificate is digitally signed by the trusted Certificate Authority (CA) – the hash of the certificate is encrypted with the private key of the trusted CA. Kevin has the list of trusted CAs (with their public keys) in his operating system. It allows Kevin to verify that the public key actually belongs to Mark.
