Document Infrastructure

A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital document, message or software. It’s the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

How do digital signatures work?

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm — such as Rivest-Shamir-Adleman, or RSA — two keys are generated, creating a mathematically linked pair of keys: one private and one public.

Digital signatures rely on the two mutually authenticating keys of public key cryptography. The person who creates the digital signature uses the private key to encrypt signature-related data, and the only way to decrypt that data is with the signer’s public key.

If the recipient can’t open the document with the signer’s public key, that indicates there’s a problem with the document or the signature. This is how digital signatures are authenticated.

Digital certificates, also called public key certificates, are used to verify that the public key belongs to the issuer.

Digital certificates contain the public key, information about its owner, expiration dates and the digital signature of the certificate’s issuer. Digital certificates are issued by trusted third-party certificate authorities (CAs), such as DocuSign or GlobalSign. The party sending the document and the person signing it must agree to use a given CA. Digital signature technology requires that all parties trust that the person who creates the signature has kept the private key secret. If someone else has access to the private signing key, that party could create fraudulent digital signatures in the name of the private key holder.

How do you create digital signatures?

To create a digital signature, signing software — such as an email program — is used to compute a one-way hash of the electronic data to be signed.

A hash is a fixed-length string of letters and numbers generated by an algorithm. The digital signature creator’s private key is used to encrypt the hash. The encrypted hash — along with other information, such as the hashing algorithm — is the digital signature.

The hash is encrypted instead of the entire message or document because a hash function converts an arbitrary input into a fixed-length value, which is usually much shorter. This saves time, as hashing is much faster than signing.

The value of a hash is unique to the hashed data. Any change in the data — even a modification to a single character — results in a different value. This attribute enables others to use the signer’s public key to decrypt the hash to validate the integrity of the data.

If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed. But, if the two hashes don’t match, the data has either been tampered with in some way and is compromised or the signature was created with a private key that doesn’t correspond to the public key presented by the signer. This signals an issue with authentication.
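The sign-and-verify procedure above, as an added example that is not part of the original article: the document is hashed with SHA-256, the digest is signed with an RSA private key (RSA-PSS, an assumption since the article names no padding scheme), and the verifier recomputes the hash and checks it against the presented public key. The sample document, the second key pair and the tampered text are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument hashes the document with SHA-256 and signs only the digest
// with the signer's private key. The hash algorithm is the "other information"
// a real signature format carries alongside these bytes.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verifyDocument recomputes the hash of the received document and checks the
// signature against the presented public key. It is true only when the data
// is unchanged and the signature was made with the corresponding private key.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// demo runs the three cases the text describes and returns their outcomes:
// a genuine document, a tampered document, and a non-corresponding public key.
func demo() (bool, bool, bool, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key pair
	if err != nil {
		return false, false, false, err
	}
	doc := []byte("Pay 100 EUR to account A") // constructed sample document
	sig, err := signDocument(signer, doc)
	if err != nil {
		return false, false, false, err
	}
	genuine := verifyDocument(&signer.PublicKey, doc, sig)
	tampered := verifyDocument(&signer.PublicKey, []byte("Pay 900 EUR to account A"), sig)
	wrongKey := verifyDocument(&other.PublicKey, doc, sig)
	return genuine, tampered, wrongKey, nil
}

func main() {
	g, t, w, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

Only the untouched document checked against the signer's own public key verifies; a single changed character or a mismatched key pair makes the recomputed hash disagree with the signed one.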