Confusion with python-rsa's sign function

Question

I'm trying to use the python-rsa module to encrypt messages passing between computers. However, rsa.sign() as described in the documentation ( https://stuvel.eu/python-rsa-doc/usage.html ) confuses me. Keep in mind I haven't done anything with cryptography yet.

In the documentation, signing a message is described like this:

(pubkey, privkey) = rsa.newkeys(512)
message = 'Go left at the blue tree'
signature = rsa.sign(message, privkey, 'SHA-1')

The confusing part is the verification:

message = 'Go left at the blue tree'
rsa.verify(message, signature, pubkey)

What is the message supposed to be? If the message is what I sent, then what is signature?

In the reference, the signature is described as the signature block, as created with rsa.sign() , but the message is described as the signed message. Can be an 8-bit string or a file-like object. the signed message. Can be an 8-bit string or a file-like object.

I feel like I'm missing something obvious.

Answer 1

That is because signing a message does not encrypt it. The purpose of signing is to prove the identity of the sender. RSA is a type of public key cryptography . When you want to send an encrypted message to Alice you have to ask her for her public key. You than use that public key to encrypt the message and send it to Alice. If she has the private key she can decrypt the message and read it and nobody else can. Signing a message is using the private key to generate a signature. Everyone who has your public key and the message can check with the signature that you are the owner of the private key.

If you are only doing this for learning it's fine, but never use sha-1 in a real life scenario. It's old and out-dated no longer considered secure.