What Are Digital Signatures & How Do They Work
DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.
Digital forms of signatures are in most things we send or receive, well, digitally. You’re probably using such a signature in your documents and emails without even realizing. Let’s lift the curtains and reveal precisely what digital signatures are and how they’re helping you in your everyday work.
This technology is the unsung hero of modern computer science and deserves a bigger spotlight than it gets.
Algorithm Power Behind Digital Signatures
A digital signature uses a mathematical authentication algorithm that allows the message sender to include a code in it to serve as a signature and prevent forgery or tampering. This code is then used to confirm the legitimacy and integrity of whatever object it’s attached to, whether it’s a digital document, email, or credit card transaction.
Digital signatures use software that securely connects a signer with a recorded transaction, according to stringent legal regulations that secure the signer’s identity.
A digital signature is commonly used to identify users and secure the data stored in digital documents and messages. In the email example we mentioned earlier, the email’s entire content is a part of the digital signature.
There are usually three algorithms in a digital signature: The first one is a key-generating algorithm that creates a private key at random from a list of possible digital keys, and then its matching public key.
A signing algorithm creates personal digital signatures’ by combining a message and a private key. The third algorithm is a signature verifying one that accepts or dismisses a message’s authenticity claim based on the message, signature, and public key, similarly to what ID theft protection services do.
A digital signature on documents and correspondence offers their recipient evidence that the message was created and sent by an established sender. If the signature is valid, the message was not altered on the way, and its integrity is guaranteed.
What’s more, the signature protects against repudiation, meaning that the sender cannot deny they sent that message later on.
Asymmetric Cryptography
Digital signatures’ encryption is based on asymmetric cryptography. This is a system with a private key known only to the sender, and a matching public key known to others and used to verify the sender’s identity.
One person encrypts a message or document using their private key and a hashing algorithm to create a unique signature. To decrypt it, the receiver needs to have the sender’s public key, so they can decrypt the message.
Here’s an example of how digital signatures are used: Alex is sending Diane an encrypted message. As a sender, Alex creates two digital keys: One public and one private. She keeps the private key and sends the public key to Diane.
Upon finishing the message, Alex uses a hash algorithm to create a “digest” of the message, which is then encrypted using her private key to create Alex’s digital signature. She then sends the digitally signed message to Diane. Keep in mind that the message is not encrypted – only the digital signature is.
Diane can then decrypt Alex’s digital signature with the appropriate public key to get a message digest. Messages which employ digital email signatures should always be hashed into the same digest.
This means that the digest from Alex’s decrypted signature must match what Diane gets if she hashes the message herself. And if Diane can’t decrypt the digital signature using Alex’s public key, she knows the message didn’t come from Alex.
Lastly, Diane compares the hashing result with the digest she got by decrypting Alex’s signature. If they are identical, it means that the message was not tampered with since it’s been sent. If not, Diane will know that the message was modified in transit.
Digital Versus Other Signatures
You’ll hear a lot about electronic signatures (e-signatures) in the IT world. Digital signatures are, by definition, not a separate entity from e-signatures, though they are often mislabeled as such. They are actually a subcategory of electronic signatures.
What’s more, they aren’t even the only kind of electronic signature used to enable document signing and signer authentication. The difference between this type of e-signature and others is the technical implementation, intention, geographical use, and cultural and legal acknowledgment.
Legal acceptance is crucial, as the use of a digital signature will vary based on the laws around them. The United States, Canada, and the UK have neutral, technology-neutral e-signature laws.
On the other hand, the EU, Asia, and South America have laws that only accept digital signatures on documents, and not other kinds of e-signatures. On top of that, specific industries have their own standards for using this technology, too.
There are unique differences between a digital and ink signature as well. One can copy an ink signature image digitally or manually, but a digital signature ties an electronic ID to a document via cryptography to prevent the signature from one online document also signing another document because someone just copied it and put it somewhere else.
Digital Signatures Are Legally Binding, You Say?
Indeed, digital signatures are legally binding in specific EU countries: Switzerland, the US, Canada, Brazil, Turkey, Indonesia, Chile, Mexico, Saudi Arabia, and South Africa. The first legislation about digital signature use was passed in Utah, with California and Massachusetts following close behind. The UN has had a model law on electronic signatures for quite some time, too.
In 1999, the European Union enacted the Directive for Electronic Signatures, and the USA accepted the Electronic Signatures in Global and National Commerce Act in 2000. These acts have made electronically signed documents and contracts as legally binding as paper contracts.
Many countries have made digital signatures legal through regulations created either after the USA or the EU model. Several countries have chosen the EU model with digital-signature-based regulation for electronic signatures. Industry practices are also evolving every day.
On the other hand, a couple of cryptographic conditions need to be met for a digital signature to be accepted in a legal sense. For one, it needs to use quality algorithms that have not been proven vulnerable to attacks. The algorithm should be deployed correctly, and users need to have software that will follow the signature protocol correctly.
When verifying digital signatures, the private key must stay private; a user-compromised private key may create a near-identical digital signature replica and is therefore not evidence that only one person could have provided the signature in question.
Lastly, the public key owner should be verifiable, which can be done through a public key infrastructure (PKI).
Key Operators and Web of Trust
A Public Key Infrastructure (PKI) is formed by the individuals, systems, standards, and policies supporting the distribution of public keys and identity validation of persons or entities with digital signatures through a certificate authority.
As we’ve explained previously, every signature has a public and private key. A signer uses the private key to sign electronically when sending messages or approving documents. Private keys are not shared.
The public key is available to users who need to confirm the signer’s electronic signature. The PKI also mandates the use of end-user enrollment software, a digital certificate, and apps to renew, revoke, and manage keys.
Pretty Good Privacy (PGP/OpenPGP) is an alternative to Public Key Infrastructure. Instead of using established PKI digital signatures, users rely on the trustworthiness of other users by signing certificates of people with verifiable identities.
The more signatures are interconnected in the so-called Web of Trust, the more likely the verification of someone’s identity is. PGP also provides another way to protect your traffic on the internet, on top of using cybersecurity products such as VPNs. For example, you can use a PGP-powered mail service.
A digital signature within the Public Key Infrastructure or Pretty Good Privacy is certifiably secure. After all, the protection of digital signatures almost wholly relies on the private key’s security. Without PKI or PGP, revoking a compromised key or confirming a user’s identity would be insurmountable, and bad actors would have unchecked freedom to imitate someone.
The Other Elements of a Digital Signature
A Certificate Authority (CA) is a third-party organization accepted as trustworthy for providing the needed digital certificates to ensure key security. A user sending, receiving, and signing documents using a digital signature must comply with a specific certificate authority. Just as there are SSL certificate authorities, there are those in charge of electronic signatures.
You need to know how a digital certificate works because it’s an electronic document comparable to a driver’s license issued by the certificate authority. A digital certificate includes a public key and the identity of the key owner. The certificate confirms to whom the key belongs.
A hash function is a mathematical function that creates a fixed-size string of letters and numbers – a hash – from a data file. The string is unique, and a generated hash cannot be reverse-engineered into a file with an identical hash value.
That’s why hashing and digital signatures go hand in hand. The most used hashing algorithms are Message Digest 5 (MD5), Secure Hash Algorithm-1 (SHA-1), and Secure Hash Algorithm-2 class (SHA-2, SHA-256).
As we’ve already mentioned, these signatures are based on public key cryptography, or asymmetric cryptography, earlier. What is essential to know is that generating the message’s digital signature with the sender’s private key secures the signed object’s integrity.
Another way public key cryptography works is by protecting confidentiality, which is why digital signatures in PDF documents and email messages are so prominent.
The History of the Digital Signature
An American cryptographer, Whitfield Diffie, and Martin Hellman, a cryptologist, outlined the digital signature scheme in 1976. Just a year later, a group of computer scientists and cryptographers, Ronald Rivest, Len Adleman, and Adi Shamir, created the RSA algorithm. The RSA cryptosystem managed to generate simple digital signatures, but they were not secure.
In 1989, a client-server software company called Lotus Notes published the first software package that included a digital signature (standards not included) with an RSA algorithm. After the RSA algorithm, several alternate digital signature models were developed, such as Lamport signatures, Merkle, and Rabin signatures.
Silvio Micali, Shafi Goldwasser, and Ronald Rivest first outlined strict security requirements for a digital signature in 1988. Their scheme was the first that showed how to stop forgery from a message attack. The security definition they devised is accepted in the digital signature industry to this date.
The Future Signed
With an ever-increasing number of companies and individuals relying on digital documents, messages, and reports, the digital signature industry will continue to grow.
The primary purpose of a digital signature is to authenticate its sender, confirm its integrity, and secure it against origin repudiation by the sender. You only stand to benefit from applying a digital signature to your documents and notes.
There is plenty of paid and free software that offers digital signature services. With the constant rise of cyberattacks, data loss, and hijacks, this technology is your faithful ally in keeping your digital documents intact.