Verify RSA/EC cryptographic signatures with public key validation. Part of the DevTools Surf developer suite.
Use Cases
Verify that a software release artifact matches the developer's published signature.
Validate webhook signatures (e.g., Stripe HMAC-SHA256) to confirm requests originate from the expected sender.
Check code signing certificates on executables before running them in a sandbox.
Verify JWT signatures to confirm a token was issued by a trusted authority.
Tips
Always verify the signature against the correct message — a common implementation bug is hashing the message before signing but verifying against the unhashed message (or vice versa).
Check the algorithm in the signature metadata matches what you expect — algorithm confusion attacks work by replacing a strong algorithm (RS256) with a weaker one (HS256) that the verifier accepts.
Verify the certificate chain, not just the signature — a valid signature from an untrusted key is not a valid signature.
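The first two tips applied to an HMAC-signed JWT, as an added example (not code from DevTools Surf): the verifier pins the algorithm in its own configuration instead of trusting the token header, and it computes the MAC over the exact bytes that were transmitted. The secret, the claims and the helper names are constructed for illustration; RSA/EC verification follows the same pattern but needs a cryptography library.

```python
import base64
import hashlib
import hmac
import json

PINNED_ALG = "HS256"                   # chosen by the verifier, never read from the token
SECRET = b"constructed-demo-secret"    # constructed sample key, not a real credential


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, claims: dict, secret: bytes) -> str:
    """Build a constructed sample token; the MAC is always HMAC-SHA256."""
    h = b64url_encode(json.dumps(header).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_jwt_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the token verifies, otherwise raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Algorithm check: the header is only compared against the pinned value,
    # so "none" or any other algorithm is rejected before any crypto runs.
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    # Correct-message check: MAC the received "header.payload" bytes as-is,
    # not a re-serialised copy of the decoded JSON.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, SECRET)
    print(verify_jwt_hs256(token, SECRET))
```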
Fun Facts
The RSA digital signature algorithm was published by Rivest, Shamir, and Adleman in 1978 — the same paper that introduced RSA encryption. Digital signatures were conceived as a practical implementation of public-key cryptography.
ECDSA (Elliptic Curve Digital Signature Algorithm) produces signatures 6x shorter than RSA-2048 at equivalent security, which is why it replaced RSA for TLS certificates in most modern deployments.
The PlayStation 3's ECDSA implementation was broken in 2010 because Sony used a static random number in the signing algorithm instead of a cryptographically random nonce — allowing private key extraction from just two signatures.
FAQ
What's the difference between RSA and ECDSA signatures?
Both are asymmetric signing algorithms. ECDSA uses elliptic curve math producing shorter signatures (64 bytes vs. 256 bytes for RSA-2048) with equivalent security. ECDSA signing is faster; RSA verification is faster.
How do I verify a signature without the private key?
Signature verification uses only the public key — that is the point of asymmetric cryptography. You need: the original message, the signature, and the signer's public key or certificate.