What Is a Digital Signature? What It Does and How the Process Works
Cryptomathic : 17. October 2017
In today's fast-paced business world, there is always a need to speed up various processes that are essential for optimising efficiency while still protecting the privacy of the company and its clients/customers. The use of digital signatures has grown in response to the need for faster and more secure authentication that is not easily forged or compromised.
Consider how important and time-sensitive documents were signed in the past. The user first had to obtain the documents, either by receiving a paper copy in the mail or by printing it from a designated online source. The document then had to be physically signed and returned to its creator. The whole process took place offline, and returning the signed document and verifying the signature added further physical steps that were time-consuming and costly. However, thanks to digital signatures and the WYSIWYS (What You See Is What You Sign) experience, users can now securely access, view, and sign documents online, eliminating the need for the majority of offline steps.
A more secure way to authenticate a signature
Digital signing is now widely accepted as a method of producing legally binding signatures in many countries, including members of the European Union (EU), Saudi Arabia, and the United States. When a digitally signed message is received, the receiver has good reason to believe that it came from the intended sender, even if it was relayed over an insecure channel.
In many cases, a digital signature is a legally accepted alternative to a handwritten signature or official seal certifying the authenticity of the signature. This makes it useful to many governments, businesses and agencies for signing documents or messages related to e-commerce, regulatory filings, banking and contracts, in addition to numerous other applications where a verifiable signature is required.
The process of digital signing
There are typically three algorithms involved with the digital signature process:
- Key generation – This algorithm provides a private key along with its corresponding public key.
- Signing – This algorithm produces a signature upon receiving a private key and the message that is being signed.
- Verification – This algorithm checks for the authenticity of the message by verifying it along with the signature and public key.
The digital signing process requires that a signature generated from a fixed message and the private key can be verified with the accompanying public key. Without access to the user's private key, these cryptographic algorithms cannot be used to replicate the user's signature.
The digital signature process uses asymmetric cryptography to resist several common attacks, which are classified by what the attacker has access to:
- Key-only – Attacker has access to the public key
- Known message – Attacker has access to valid signatures for known messages, but not those that they have chosen
- Adaptive chosen message – Attacker gains access to signatures on various messages that they have chosen
Reasons to consider implementing the digital signature process
Aside from facilitating business processes and preventing the forgery of critical messages and documents, the use of digital signing provides additional validation benefits. Where assurance is needed that a message or an accompanying document has not been altered during transmission, a digital signature prevents alterations from going unnoticed. If the digitally signed content is altered, the signature is invalidated, alerting the sender and receiver to a breach. This is because the applied cryptographic functions prevent a new and valid signature from being produced for the altered message.
When non-repudiation is enabled, the sender of the message cannot deny digitally signing the message at a later date. The receiver, or others who gain unauthorized access to the message, are also prevented from creating a fake signature. Most non-repudiation methods provide a time-stamp that cannot be altered and provide evidence of the digital signature in the event that the private key has been compromised or revoked.