General Security Concepts · SY0-701 · Task 1.4

Digital signatures — SY0-701

Digital signatures verify origin authenticity, integrity, and non-repudiation via asymmetric cryptography — properties a shared-secret MAC cannot provide.

WHAT IT IS

A digital signature is the result of a cryptographic transformation of data that, when properly implemented, provides a mechanism to verify origin authenticity and data integrity and to enforce signatory non-repudiation. (FIPS 186-5, via NIST CSRC Glossary)

The transformation uses asymmetric cryptography: the signer uses a private key to compute the signature, and any recipient uses the corresponding public key to verify it.

Mental model

Think of a wax seal on an envelope — but one that is computationally infeasible to forge and that also proves the letter was not altered after sealing.

  • Only the owner of the private key can create the seal (origin authentication).
  • Anyone with the public key can check whether the seal is intact (integrity verification).
  • Because only one entity holds the private key, that entity cannot later deny having sealed the letter (non-repudiation).

When to use it

The exam frequently tests digital signatures against message authentication codes (MACs). Both protect integrity, but they differ critically on who can verify and whether repudiation is possible.

Property              | Digital signature                                   | Message Authentication Code (MAC)
Key type used         | Asymmetric (private key signs, public key verifies) | Symmetric (same shared key on both sides)
Who can verify        | Anyone with the public key                          | Only parties that share the secret key
Data integrity        | Yes                                                 | Yes
Origin authentication | Yes                                                 | Yes
Non-repudiation       | Yes                                                 | No — either party could have produced the MAC

Source for MAC properties: NIST SP 800-63-4, which explicitly states that MACs "provide authenticity and integrity protection but not non-repudiation protection."

Sign / Verify sequence
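
The sign-and-verify sequence, and the MAC contrast from the table above, as an added example that is not part of the original page. It uses a toy textbook RSA key pair (32-bit modulus, no padding, constructed here only to show the hash-then-sign structure) and the standard-library HMAC; the message and shared key are constructed sample values.

```python
import hashlib
import hmac

# Toy textbook RSA key pair, constructed for illustration only: real keys are
# 2048+ bits and signatures use padding such as RSA-PSS. 65521 and 65537 are prime.
P, Q = 65521, 65537
N = P * Q
E = 17                                 # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)

def digest(message: bytes) -> int:
    """Hash the message; the signature is computed over this value, not the text."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_key: tuple) -> int:
    """Only the holder of the private key can produce this value."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Anyone holding the public key can check the signature; no secret is needed."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)

def mac(message: bytes, shared_key: bytes) -> bytes:
    """HMAC-SHA256 tag: integrity and origin between the two key holders only."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def mac_verify(message: bytes, tag: bytes, shared_key: bytes) -> bool:
    """Verification needs the same secret, so the verifier could have made the tag."""
    return hmac.compare_digest(mac(message, shared_key), tag)

def demo() -> dict:
    msg = b"Transfer 100 to account 42"         # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    key = b"constructed-shared-secret"          # constructed shared MAC key
    return {
        "signature_verifies": verify(msg, sig, PUBLIC_KEY),
        "tampered_message_fails": verify(b"Transfer 900 to account 42", sig, PUBLIC_KEY),
        "mac_verifies": mac_verify(msg, mac(msg, key), key),
        # The receiver holds the same key, so it can mint a valid tag for a message
        # the sender never sent: the tag proves nothing about who produced it.
        "receiver_made_tag_accepted": mac_verify(b"never sent", mac(b"never sent", key), key),
    }
```

Note that verify() takes only the public key while mac_verify() needs the shared secret; that asymmetry is exactly why the signature supports non-repudiation and the MAC does not.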

COMMON MISCONCEPTION

"The private key encrypts the message for confidentiality."

This conflates two distinct operations. In a digital signature scheme, the private key is used to compute a signature over a hash of the message — not to encrypt the message contents for secrecy. NIST SP 800-57 Part 1 Rev. 5 defines the private key's signing role separately from its use in decryption. A signed message is not automatically confidential; anyone can read it. Confidentiality requires a separate encryption step.

A related trap: candidates sometimes assume that because the public key verifies the signature, the public key "decrypts" in the same sense it would in an encryption scenario. The operation is verification against a hash output, not message decryption.

How it shows up on the exam

The cognitive target is distinguishing the three security properties a digital signature provides — origin authentication, data integrity, and non-repudiation — and recognizing which of those properties a MAC or a symmetric mechanism cannot deliver.

Signal phrases to watch for:

  • "…proves the sender cannot deny…" — points toward non-repudiation, a property digital signatures provide and MACs do not
  • "…verify the source and confirm the message was not altered…" — both properties together; digital signature is the mechanism
  • "…shared secret key…" combined with "…cannot deny…" — a shared key means either party could have produced the token, so non-repudiation is not available

Candidates often confuse signing (private key produces signature) with encrypting for confidentiality (recipient's public key produces ciphertext). Keeping the key roles distinct — private key signs, public key verifies — resolves most scenario questions in this area.

Related concepts

  • Public Key Infrastructure — the trust framework that binds public keys to identities, making signature verification meaningful
  • Asymmetric Encryption — the underlying key-pair mechanism; digital signatures are one application of it
  • Symmetric Encryption — contrast with the shared-key model; understanding the difference clarifies why MACs cannot provide non-repudiation

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
