
Digital Signatures

A digital signature is a type of electronic signature produced with a signer's private key, where the signer's identity is bound to the matching public key by a digital certificate (a digital ID). A digital signature confirms that the information originated from the signer and has not been altered since it was signed, and it ties the signer to a specific document in a recorded transaction.

You can think of a digital signature as a type of electronic fingerprint: it is unique to a specific person or entity and to the document it signs, so it can be used both to identify the signer and to protect the integrity of the signed content. Among electronic signatures, digital signatures offer the strongest security guarantees.

Digital signatures are a form of electronic signature, but not all electronic signatures are digital signatures. In general, an electronic signature can be any electronic data attached to a document as a sign of intent (a typed name, a scanned image of a handwritten signature), without the cryptographic integrity and identity binding that a digital certificate provides. That cryptographic binding is what sets digital signatures apart from other electronic signatures in security and integrity.

Digital signatures work by proving that a message is unmodified from when it was signed. The signer first computes a cryptographic hash of the message; with a collision-resistant hash function, this fixed-length digest is, in practice, unique to that message. The signer then signs the digest with their private key (in the classic RSA description, the digest is "encrypted" with the private key), producing the signature.

The message and its signature are then sent to the intended recipient. The recipient independently computes a hash of the received message and uses the signer's public key to verify the signature, recovering (in RSA terms, decrypting) the digest the signer committed to. If the recipient's computed hash matches the signer's digest, the message has not been tampered with and the signature was produced by the holder of the matching private key. Any mismatch means the message was altered after signing or the signature was not made with that key.

Benefits of Digital Signatures

  • Security. Enhanced security is the primary benefit of digital signatures: they help ensure that a document has not been modified after signing and that the signature genuinely belongs to the signer.
  • Cost Savings. Organizations can go paperless and save the money previously spent on physical documents and on the time, personnel, and office space used to manage and transport them.
  • Environmental Impact – Save the Forests! Reducing paper use cuts down on waste and environmental impact; enormous quantities of paper are produced and consumed annually worldwide, contributing to environmental problems and expense.
  • A Respected International Standard. Because digital signatures rest on widely adopted international standards (X.509 certificates and the PKI built around them), many countries accept them as legally binding.
  • Timestamping. A trusted timestamp records when a document was signed, and correct date and time are critical for many types of transactions.
  • Audit Trail. Digital signatures provide a clear audit trail of who signed what and when, leaving less room for error or misinterpretation.

These are important terms that relate to the infrastructure and technology used to support digital signatures:

  • Public key infrastructure (PKI) is the set of personnel, policies, and technology that supports the creation and distribution of public keys and the validation of people and entities through digital certificates issued by a certificate authority. Each digital signature transaction relies on a valid key pair: a private key, held only by the signer, and the corresponding public key. PKI also covers the certificate authority itself, enrollment software, the digital certificates, and tools for the management, issuance, renewal, and revocation of keys and certificates.
  • A hash function takes input data of any length and produces a fixed-length string of characters (the hash, or digest). For a cryptographic hash function the digest is, in practice, unique to the input. It is a one-way function: the digest cannot be reversed to recover the input, and it should be infeasible to find two different inputs that produce the same digest. Several hash algorithms are in common use. Three that are widely encountered are Secure Hash Algorithm 1 (SHA-1), the SHA-2 family (of which SHA-256 is the most common member), and Message Digest 5 (MD5). Practical collision attacks exist against both MD5 and SHA-1, so new signature deployments should use SHA-2 or SHA-3.
  • A certificate authority (CA) is a trusted entity that verifies a person's or organization's identity. CAs are relied upon to manage and protect their signing keys and to issue digital certificates when required. Both the sender and the recipient must trust the same CA (or CAs that chain up to a common root). Once a CA has verified an identity, it issues a digital certificate, digitally signed by the CA, that binds that identity to a public key; anyone who trusts the CA can then use the certificate to confirm which person or entity a public key belongs to.

Digital certificates are like passports: their purpose is to identify the certificate's holder authoritatively. A digital certificate contains the public key of a person or entity, the holder's identity, a validity period, and the signature of the issuing CA.
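To make the CA and certificate relationship concrete, here is an added example in Go (not code from the original page) using only the standard library. A self-signed root CA issues a certificate binding the name alice@example.com to a public key; a relying party that trusts only that root accepts Alice's certificate and rejects a certificate for the same name issued by a CA it does not trust. The CA names, e-mail address, serial numbers and validity periods are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds and signs a certificate for pub from tmpl. When parent is nil the
// certificate is self-signed with signer (a root CA); otherwise parent is the
// issuing CA's certificate and signer is that CA's private key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a key pair and a self-signed CA certificate for the given name.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed; real CAs use large random serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// issueSigningCert has the CA (caCert, caKey) certify that pub belongs to the
// holder identified by email, for use in signing e-mail and documents.
func issueSigningCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, email string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2), // constructed
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      now.Add(-time.Minute),
		NotAfter:       now.AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return issue(tmpl, caCert, pub, caKey)
}

// trustedBy reports whether cert chains to a root in roots and is valid for
// signing: the check a relying party performs before trusting the public key.
func trustedBy(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err == nil
}

// demo returns whether the genuine certificate is accepted and whether the
// certificate from the untrusted CA is rejected.
func demo() (accepted, rejected bool, err error) {
	rootCert, rootKey, err := newCA("Example Root CA")
	if err != nil {
		return false, false, err
	}
	rogueCert, rogueKey, err := newCA("Rogue CA") // a CA the relying party never trusted
	if err != nil {
		return false, false, err
	}
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	impostorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	alice, err := issueSigningCert(rootCert, rootKey, "alice@example.com", &aliceKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	impostor, err := issueSigningCert(rogueCert, rogueKey, "alice@example.com", &impostorKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(rootCert) // the relying party's trust store holds only Example Root CA
	return trustedBy(alice, roots), !trustedBy(impostor, roots), nil
}

func main() {
	accepted, rejected, err := demo()
	fmt.Println("genuine accepted:", accepted, "rogue rejected:", rejected, "err:", err)
}
```

The point of the rogue CA is that a certificate's contents (name, public key, CA signature) are all self-consistent; what makes it worthless is that its issuer is not in the verifier's trust store. Real deployments also check revocation, which this example omits.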

Pretty Good Privacy (PGP) is an alternative to a CA-based PKI: instead of a hierarchy of certificate authorities, PGP keys are vouched for by other users in a web of trust. A digital signature is only as strong as the binding between the public key and an identity, so PKI or PGP is essential to provide positive proof of the sender's identity.

An Example Using Digital Signatures

For example, a buyer signs an agreement to buy a car using their private key. The automotive dealer receives the signed document along with a copy of the buyer's public key (typically carried in the buyer's certificate). The dealer verifies the signature with that public key. If the signature does not verify, either it was not produced with the buyer's private key or the document was altered after it was signed; in either case the signature is identified as invalid.
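The hash-then-sign flow described under how digital signatures work, and the buyer/dealer scenario above, as an added example in Go (not code from the original page) using the standard library's RSA PKCS#1 v1.5 signatures with SHA-256. It signs an agreement with the buyer's key and then shows the dealer's three outcomes: the genuine document verifies, a document altered after signing does not, and a signature made with someone else's private key does not. The agreement text and key sizes are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key, returning the signature bytes.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDocument recomputes the digest of the received document and checks the
// signature against it with the claimed signer's public key. It returns true
// only if the document is unmodified and the signature was produced by the
// private key matching pub.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo runs the buyer/dealer scenario and returns the dealer's verification
// results for the genuine document, a tampered document, and a forged signature.
func demo() (genuine, tampered, forged bool, err error) {
	buyer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // someone who is not the buyer
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample agreement; any byte string works.
	agreement := []byte("Buyer agrees to purchase stock #4821 for $25,000.")
	sig, err := signDocument(buyer, agreement)
	if err != nil {
		return false, false, false, err
	}

	// 1. Dealer verifies the document exactly as the buyer signed it.
	genuine = verifyDocument(&buyer.PublicKey, agreement, sig)

	// 2. Someone edits the price after signing; the original signature no
	//    longer matches the recomputed digest.
	altered := []byte("Buyer agrees to purchase stock #4821 for $2,500.")
	tampered = verifyDocument(&buyer.PublicKey, altered, sig)

	// 3. An impostor signs the same text with their own key; it does not
	//    verify under the buyer's public key.
	forgedSig, err := signDocument(impostor, agreement)
	if err != nil {
		return false, false, false, err
	}
	forged = verifyDocument(&buyer.PublicKey, agreement, forgedSig)
	return genuine, tampered, forged, nil
}

func main() {
	genuine, tampered, forged, err := demo()
	fmt.Println("genuine:", genuine, "tampered:", tampered, "forged:", forged, "err:", err)
}
```

Note that verification alone only proves the signature matches some public key; the dealer still needs a trusted certificate (or PGP web-of-trust path) to know that public key is really the buyer's.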

Regulations on Electronic Signatures

In 2000, the U.S. passed the Electronic Signatures in Global and National Commerce Act (ESIGN). ESIGN, in conjunction with the Uniform Electronic Transactions Act (UETA), makes electronic signatures legally binding for parties that choose to sign electronically. Electronic signatures are valid in every state in the U.S. and generally carry the same legal weight as a handwritten signature.

There are a few exceptions, documented by the National Telecommunications and Information Administration (NTIA), part of the Department of Commerce. Electronic signatures may not be legally valid for wills and trusts, divorce or adoption papers, official court documents, termination of life insurance policies, notices of foreclosure or eviction, and other exceptional cases.
