Digital signature: all you need to know
A digital signature is a method to verify the authenticity of digital messages or documents using a mathematical algorithm. It's useful for 3 main functions:
● Authentication. It can confirm that the message was sent by the claimed sender
● Non-repudiation. The sender cannot deny that the message was not sent by them
● Integrity. It proves that the data was not altered after it was sent
A digital signature is often used to validate digital contracts, financial transactions confirming the recipient that the data weren't tampered in the process. In the United States, Canada, Switzerland, and the European Union countries, such signatures have legal significance. When compared to handwritten signatures, it’s safer, and more environmentally friendly, saving tons of paper for companies.
How does digital signature work?
Digital signatures are verified using asymmetric cryptography keys in conjunction with mathematical functions. This is done by feeding the document’s data to a mathematical function that generates a string of numbers known as a hash value or message digest. If said numbers match on the receiver’s end, the document can be verified to be authentic. Here’s a step by step process for creating a digital signature:
- The sender generates two sets of keys: a public key (used by others to verify the document’s authenticity) and a private key (which is secret and only the sender knows it). This is usually done by opting for a digital signature provider.
- If a sender wants to digitally sign a document, he uploads it into the digital signature software. In which, it is run through a hash algorithm. This produces a hash value, which is encrypted with the sender’s private key. This makes a document digitally signed.
- Sender then sends both a document and a digital signature to the receiver (there’s no need for a document to be encrypted).
- When the receiver gets the digital signature, he will decrypt asymmetric cryptography using the sender’s public key, and get the hash value that the sender generated.
- The receiver then will feed the file to the same algorithm and will also get a hash value.
- If the sender’s and receiver’s generated hash values match, the document can be confirmed to be authentic. If they don’t match, the document likely was altered.
It’s important to note that in practice, the process of checking hash values is automated and built-in in many digital signature software tools. The software will automatically display matching errors on the screen. It’s more of an explanation of how the process works in the back end.
Another important thing is that the digital signature does not encrypt the document itself. Some software solutions offer this function, but encrypting and decrypting documents would take too much time and processing power. It’s much more efficient to encrypt just a hash value.
Types of digital signatures
Digital signatures come in three classes based on the layer of protection that they add.
A simple digital signature could also be called an electronic signature. It’s just a scan of a handwritten signature placed on top of the document. It isn’t protected by any encryption method, doesn’t show the signer’s identity or changes added after the document was signed. This also means that this type of signature could be very easily duplicated or faked. This isn’t recommended if you’re after security or legal significance, and it puts your personally identifiable information at risk.
Digital basic signatures differ from basic signatures by showing what changes were made to the file after the document was signed. However, this method isn’t encrypted and cannot guarantee that the document was signed by you. The signing process doesn’t require 2FA, so the documents signed this way do not hold legal significance.
Advanced or Qualified
Advanced, also known as Qualified digital signatures, use asymmetric cryptography with public key infrastructure. Digital signature providers allow for identity verification before the document can be signed. This imposed 2FA adds an electronic certificate that’s uniquely associated with the attached document and the identity of the signer. This dramatically reduces the possibility of identity theft.
How to create a digital signature?
To use the digital signature, you’ll first need to obtain a digital signature certificate from a reputable third-party certificate authority (CA).
Depending on the chosen CA, you may need to supply specific information. There may also apply some restrictions and limitations to whom you’ll be able to send or sign documents. These restrictions and requirements are called public key infrastructure that also allows the creation of digital signatures. This is what assigns the public and private keys.
In most cases, the process is massively streamlined by choosing digital signature providers that act as an intermediary.
Adobe Sign is a cloud-based service that allows users to send and receive digital signatures. It operates on a subscription-based model. The main features include:
● Signing forms with digital or electronic signatures
● Requests confirmations by e-signatures
● Creation of branded forms
If you want to digitally sign a document with Adobe Sign, you’ll need to click Review and select the Digital Signature option. From there, you’ll need to select a Signature source and select Name. Click Sign in, apply your signature. Authenticate with a PIN, and your document is sent.
Using DocuSign, signatures, and documents are uploaded into the provider’s cloud. Then they are encrypted, creating a unique hash. If a signed document is later checked and the hash will not match the information stored in the cloud, the file has likely been tampered with.
When you receive an email with a link to the document you need to digitally sign, here’s what you should do:
- Your document should open in their proprietary software, DocuSign
- You will be asked to agree to sign. After confirming the agreement, you should see options like Start or Sign
- Click each tag and follow the instructions to add your digital signature
- Verify your identity and follow the instructions to add your digital signature.
Secured signing is digital signatures management service. Its toolkit includes the digital signing of documents, email invitations for adding signatures, and form creation suite.
If you want to sign a document, here’s how to do it:
- Log in into your Secured Signing account and upload a document you want to sign
- Click, Sign to begin
- Find the page you want to be signed and Select your signature
- You can customize your signature from the tab
- Drag your signature block where you want it to be, then click Sign
- From there, it’s possible to email or download the document. It can be easily verified by uploading it to the same cloud and clicking Verify
Is digital signature secure?
As long as you keep your Private Key secure, your digital signature will be safe. Public key infrastructure generates two pairs of keys, the private key should be kept secret. Revealing it may compromise the authenticity of your digital signatures, which may be a precursor of social engineering attack.
How is digital and electronic signature different?
The digital signature is cryptographically verified with your private key. An electronic signature, however, is just a scan of your handwritten signature overlaid on top of an official document. In electronic signature vs digital signature debate, a digital signature is always a more secure option.
What is a Certificate Authority (CA)?
A certificate authority (CA) is an entity that validates identities and assigns them cryptographic keys under public key infrastructure.
Why would I use a digital signature?
Digital signature technology is widely adopted among organizations. There are different certificates for specific kinds of documents, and public key infrastructure ensures the enforceability and acceptance of it even in regional markets. It’s much more efficient at preventing forgery, saving you money and resources in the long run.
What is a digital certificate?
A digital certificate is an electronic document issued by the Certificate Authority. It contains the public key with an associated identity. It guarantees the legitimacy of a transaction because each certificate must be issued by a specific authority and is valid for a particular time. It’s impossible to create a digital signature without a digital certificate.
What is a qualified digital signature?
A qualified digital signature is a digital signature that is also compliant to EU Regulation No 910/2014 for transactions within the internal European market.