• About Us
    • PRODUCTS

  • Blog
  • Contact
Blog Security What Is a Digital Signature and How It Works?

DATE:

FEBRUARY 15 2023

AUTHOR:

Table of Contents

Understanding Digital Signatures

A digital signature is similar to a regular signature on a printed document. It is created using cryptographic algorithms. A digital signature confirms the authenticity and integrity of the signed object.

What Are Digital Signatures?

For a document to become legally binding it must be signed. Paper documents are signed by one’s own hand and for digital documents an electronic or digital signature is used – unique digital information in the form of a combination of characters. From this information you can find out exactly who and when signed the document. Thus, digital signatures are an official legally approved analogue of handwritten signatures, which are used to sign digital documents and certify paper documents converted into digital format.

Technically a digital signature certificate is obviously different from a handwritten signature, but it serves the same purpose to identify the signer. Such a signature is created using special software tools, it is always unique and cannot be faked. When a digital document is signed, changes or additions are no longer available, therefore the document cannot be faked – you can only create a new one.

What Is the Importance of Digital Signatures?

While the paper document can be  easily lost, a digitally signed document is fully protected from any malicious actions and can have any number of backup copies. The emergence of digital signature technology led to the appearance of the first systems of legally significant electronic document management. Taxpaying enterprises were able to submit reports assured with a digital signature to the tax authorities via the Internet. .Bank-Client systems have also become very popular. Various organizations are currently using  such systems to make electronic money transfers where payment orders are signed with digital signatures. All recorded transactions are stored in a database to keep a track of every money movement.

Enterprises maintain a full-fledged digital legally significant document flow between themselves or regulatory authorities. The digital signature technology has freed everyone from the obligation to maintain paper documents, thus the business has new opportunities to develop in various, even the most remote, regions.

The definition of uniform requirements for a digital signature was the first important step towards creating a single unified information space in which the forms and formats of documents, requirements, roles, powers, responsibilities – all participants in the interaction, including the information systems themselves – would be clearly defined.

What’s the Difference Between a Digital Signature and an Electronic Signature?

Digital signatures are an advanced form of electronic signatures with enhanced security features. These features ensure the authenticity of the signer and the fact  that the document has not been tampered with. When the document is signed by the ES a certificate is generated issued by the official certification authority – CA. This certificate is unique for each signer and can be used to verify it. There are other security features available depending on which e-signature solution you choose.

Both digital and electronic signatures are legally binding, but digital signatures are more secure. The decision which kind of signature to use depends on the type of documents you need to sign and on the country in which you sign them.

Different countries have different criteria regarding the level of security required for different types of legal documents and agreements. For example, it may turn out that an employment contract is suitable for an electronic signature, while a lease agreement requires a digital signature.

Classes and Types of Digital Signatures

There are three types of digital signing based on electronic identity and eIDAS -electronic IDentification, Authentication and trust Services:

Simple or Basic electronic signature, BES – these are types of electronic signatures confirming the acceptance or approval of the agreement’s signer. Verification of the identity of the signatory in such a signature is not required. No special software is required either. An example of such a signature is a license agreement acceptance.

Advanced electronic or digital signature, AdES – The signature must meet specific requirements that provide a higher verification level of the signer’s identity, improved security and protection against unauthorized access. The identity of the signatory is verified but not guaranteed. Multi-factor authentication is optional. It usually requires a special device to create a secure signature. Biometrics is an example of such a signature.

Qualified advanced electronic or digital signature, QES – advanced electronic signature technology with a digital certificate encrypted by a secure signature device. It has a special legal status in the EU and has the highest levels of security. It guarantees a100% identification of the signatory. An initial personal verification of the signatory with a multi-factor authentication is mandatory.. A Qualified Signature Creation Device (QSCD) or a Qualified Trust Service Provider (QTSP) is required. The burden of proving the validity of a signature lies with the party contesting the signature. Examples of suchsignatures are smart cards and USB tokens that provide the signer’s private key security and store the personal digital certificate.

How Does Digital Signature Work?

The digital signatures provide the user with irrefutable information about the signature creator and the authenticity of the signed content. In other words, it proves:

  • The identity of the creator of the document, email, file, or other item in question.
  • The authenticity of the message. This means that the document, email, file, or software has not been changed since it was signed.
  • The digital signature can be easily verified by the recipient’s computer or server and is impossible to forge.

 

Digital signatures are a key component of various types of PKI digital certificates. They work on the principle of the asymmetric cryptography. That is when the document is encrypted with the private key and decrypted with the public key.

The process of a digital signature when signing a document is carried out in several stages:

  1. The result of cryptographic hash function of the document is encrypted with the private key.
  2. The resulting signature is added to the document.
  3. A verification certificate is attached to the document.


Since the certificates issued by the certification center are also signed using electronic signatures, it is impossible to replace or fake the certificate. On the site of the certification center, as a rule, you can download the public verification key, the hash of which must match the hash of the owner’s public key -this proves its authenticity.

What Are the Benefits of Digital Signatures?

The use of large volumes of different digital signature transactions pursues the following goals in the electronic economy:

  • Full control over the admissibility of an electronic payment document. In case of any accidental or intentional change of the document, the digital signature is invalid because it is calculated by a special mathematical algorithm based on the initial state of the document.
  • Effective protection against changes (forgery) of the document. The digital signature guarantees that all kinds of forgeries will be detected during the integrity control. As a result, falsification of documents becomes impractical in most cases.
  • Fixing the impossibility of disclaiming the document’s authorship. This aspect follows from the fact that it is possible to re-create a correct digital signature only in case of possession of the so-called private key, which, in turn, should be known only to the owner of this very key – the author of the document. In this case, the owner will not be able to form a refusal of his signature, and therefore – of the document.
  • Confirmation of document authorship. It is based on the fact that it’s possible to create a correct digital signature only by knowing the private key. It should be known only to the owner/author of the document, thus the owner of the key can unambiguously prove his authorship of the signature under the document. Only certain fields of the document, such as “author”, “changes made”, “time stamp”, can be signed in the document.
 

Uses for Digital Signatures

The properties of digital signatures mentioned above make them invaluable  in the modern digital economy. The digital signatures are used in the following areas among many others:

  • Banking payment systems.
  • Electronic commerce.
  • Electronic registration of real estate transactions.
  • Customs declaration of goods and services.. 
  • Management of government orders.
  • Formation of mandatory tax, budgetary, statistical and other reporting to government agencies and non-budgetary funds.
  • Organization of legally legitimate intra-corporate, intra-industry or national digital document management. 
  • Application in various settlement and trading systems.
  • Management of share capital and equity participation.
  • Electronic signatures are one of the key components in blockchain and cryptocurrency transactions.

Why Use PKI or PGP with Digital Signatures?

PGP (Pretty Good Privacy) and PKI (Public key infrastructure). Confirmation of identity or message – the main purpose of these systems – is implemented using a bundle of digital certificates: digital signature, public and private keys. This is common for both systems. The main feature of PKI methodology, unlike PGP, is the presence of components known as a Certificate Authorities (CA) and a Registration Authorities (RA). Thanks to them, it is possible to confirm the authenticity of the identity by third-party authorized organizations.

The presence of CAs and RAs has led to the fact that in the PKI system the dominant direction of authentication is the vertical or hierarchical component when the certificate is confirmed by someone with a higher status. On the other hand, the PGP system has a predominantly horizontal hierarchy structure , or in other words, the “direct trust” scheme. Although, in both systems both vertical and horizontal authentication is possible. Figuratively, one can imagine that in PKI trust is distributed in the form of a tree, and in PGP – in the form of a network.

How Do You Create a Digital Signature?

Any digital signing process, to one degree or another, is in line with the general algorithm:

First, we need too get hash from file that we want to sign. This value will be unique and fixed-length string, that is added to the document information. It is important, that if we try to get hash value from this file again, we will get the same value. But we can not get the file from the hash or get the same hash from another file.

Once we get an encrypted hash value using the encryption key of the document’s digital certificate, we have created a digital signature. For greater reliability, you can also insert the exact date and time the signature was created into it.

We send the recipient our public encryption key and certificate along with a file and its digital signature. The recipient will need to use public key of a signee to create a hash value of the received document and compare it with the hash value in the digital signature. This will let the recipient  know if the file is genuine and has not been changed since it was signed. If the file has been modified its hash value will also change  and won’t match the one in the signature.

Conclusion

Digital signature technology is a key component of modern cybersecurity systems. From company electronic document flow to online banking, everyone is relying on digital signatures as a means to enforce the security of a digital workflow. Therefore, it is extremely important to properly create systems that use digital signatures and guarantee private keys security. Helenix is a company with a long history in data protection and cryptography. Our expertise will help you implement digital signatures in a secure and convenient way. You can get acquainted with the authentication solutions in the Custom Development section.

FAQ

A digital signature is similar to a regular signature on a printed document. It can be created for any digital document using cryptographic methods. A digital signature confirms the authenticity and integrity of the signed object.

Digital signature allows you to perform all signing operations remotely and from any device. Organizations are moving to digital signature software solutions to reduce paper usage, cut costs and improve business process efficiency and security.

Public Key Infrastructure PKI is a set of measures and policies that enables to deploy and manage public key cryptography and digital certificates. In addition to being a key store for your browser to secure the personal Internet connections, PKI also provides protection for various infrastructures, including internal communication within organizations, the Internet of Things and so on.

The CA is implemented as a trusted component of the global directory service and is responsible for managing users’ cryptographic pairs of keys. Public keys and other information about users are stored by Certification Authorities in the form of digital certificates.

A digital certificate is an electronic or printed document issued by a Certification Authority that confirms the ownership of a public key and any additional attributes by the owner.