Session 3 — Hashing, Digital Signatures & Certificates

Rohan is working on a project document and wants to send it to his professor. He emails it. The professor receives it — but how does the professor know that the document arrived exactly as Rohan sent it? How does she know no one changed it in transit? And how does she know it actually came from Rohan, not someone pretending to be him?

These three questions — integrity, authenticity, non-repudiation — are what this session answers. And the answer begins with something surprisingly simple: a hash.

What You Will Learn

  • What a hash function is and why it creates a practically unique fingerprint for any data
  • The four properties of a good hash function (SHA-256 in action)
  • How digital signatures work — the 3-step sign process and 3-step verify process
  • What a digital certificate is and what information it contains
  • What Certificate Authorities (CAs) are and why we trust them
  • How the chain of trust works: Root CA → Intermediate CA → Site certificate
  • How your browser verifies a certificate in milliseconds
  • What happens when certificate verification fails (the error pages you’ve seen)

The Big Idea

Hashing is the foundation of digital trust. Before a CA can sign a certificate, before your browser can verify an identity, before a bank can store your password safely — there is a hash function at the core. Understand hashing and the rest of this session becomes natural.

Character Focus This Session

Deepa starts by asking: “What’s a hash? Why do we need it?” — and her question drives the whole session.

Rohan goes deep on how digital signatures work mathematically and what “non-repudiation” means legally.

Sunita didi has encountered certificates in her IT work and understands exactly which fields matter when you are investigating a suspicious site.

Warm-Up Check

Before reading on:

  1. If you change one word in a 10-page document, how much of the document has changed? How would you prove to someone that the document they received is identical to the one you sent?
  2. You have probably seen a browser warning saying “Your connection is not private.” What did you do?
  3. Who decides which Certificate Authorities your phone trusts?

These questions are exactly what this session answers.