What is a digital signature?
A digital signature is a method of proving the authenticity of a digital message or document. It is commonly used in electronic transactions to prove the identity of the sender. It also ensures that the message was not tampered with during transmission.
A digital signature uses mathematical schemes to prove someone’s ownership of some data using their private key: think of it as a cryptographic thumbprint.
In order to achieve this, digital signatures are implemented using public-key cryptography.
How does a digital signature compare to a paper signature?
The biggest difference between a digital and a handwritten signature is trust. When you write a signature on paper, nobody is in a position to trust it but you. By this we mean that the person receiving it has no way to prove that you are the actual owner of the signature.
But when you use digital signing, virtually anybody can check the validity of the signature and the integrity of the signed document.
What is a digital signature used for?
Digital signatures are used in many fields, such as financial, medical and legal transactions. Financial institutions and payment networks can use digital signatures to authorize transactions in real time. This prevents fraud and errors, and speeds up the transaction process. Digital signatures can also be used to verify identity on some websites and social networks.
They have become a standard element for ID documents among many governmental institutions.
From a user’s point of view, the most important use of digital signatures is authentication: proving your identity to others.
Since digitally signed documents are now recognized by many countries, governments use them more and more in online administrative services.
Note. In some countries the regulation process is still in progress or nonexistent. You should check the legal status in your country before assuming that it accepts digitally signed documents in administrative applications.
Digital signing process
You may already use digital signatures on a daily basis without realizing it. And if you are here, you may be wondering how digital signatures are generated and used.
Let’s suppose that Bob wants to send a digitally signed document to Alice. Bob has a set of two keys: a private key and a public key, together called a key pair.
The key pair is usually distributed and stored in the form of a digital certificate.
A private key always remains private. But in order to digitally sign a document for Alice, Bob needs to share his public key with her.
She will need it later on to verify the authenticity of the document and the signature.
Below are simplified steps of how the signing procedure is achieved:
- When the document is sent, its content is run through a hashing algorithm.
- The algorithm creates a unique array of data called a digest.
- The digest is then encrypted with Bob’s private key; the result of this encryption is the so-called digital signature.
- The signature is finally attached to the document.
Any variation in the content of the document or in Bob’s private key would result in a different digest. So Alice can use the document and its digital signature to reverse the process and verify its legitimacy.
The process of verification is as follows:
- We generate a digest of the document using the same hash algorithm.
- We use the public key to decrypt Bob’s signature and extract the original digest.
- If the signature has not been tampered with, the two digests will be exactly the same.
Note. The encryption process that uses public/private key pairs is called asymmetric cryptography. We’ll get to it later, but for now all you need to know is that, for signing, it’s an algorithm where the private key is only used to encrypt data and the public key is only used to decrypt it.
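The signing and verification steps above, carried out in code as an added example that is not part of the original article. It uses textbook RSA over a SHA-256 digest with fixed toy primes so that it runs on the standard library alone; the key values, function names and sample document are assumptions, and real systems use randomly generated keys and a padded scheme such as RSA-PSS.

```python
import hashlib

# Toy key material (assumption for this example): two well-known Mersenne
# primes. Real keys are built from random primes, never from fixed values.
P, Q = 2**521 - 1, 2**607 - 1
E = 65537  # common public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent, inverse of e
    return (n, e), (n, d)


def digest(document: bytes) -> int:
    """Hash the document and read the digest as an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Signer side: transform the digest with the private key."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Verifier side: recover the signed digest with the public key and
    compare it with a digest computed from the received document."""
    n, e = public_key
    if not 0 <= signature < n:  # reject values outside the key's range
        return False
    return pow(signature, e, n) == digest(document)


BOB_PUBLIC, BOB_PRIVATE = make_keypair()
DOCUMENT = b"Pay Alice 100 EUR"  # constructed sample document
SIGNATURE = sign(DOCUMENT, BOB_PRIVATE)

if __name__ == "__main__":
    print("original document:", verify(DOCUMENT, SIGNATURE, BOB_PUBLIC))
    print("altered document: ", verify(b"Pay Alice 900 EUR", SIGNATURE, BOB_PUBLIC))
    print("altered signature:", verify(DOCUMENT, SIGNATURE ^ 1, BOB_PUBLIC))
```

Alice only ever needs `BOB_PUBLIC`, the document and the signature; the private key never leaves Bob.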
How to obtain a public/private key pair?
Some free software allows anyone to generate keys or certificates locally. While those can be used in some cases, they are not accepted by legal or governmental institutions.
In practice, the key pair is distributed in the form of a certificate delivered by a certificate authority.
Certificate authorities (CAs) are the third-party entities that guarantee the authenticity of distributed keys and bind them to their owner’s real identity. They are attached to a root certificate authority, which is recognized by most information systems.
Some countries, like Estonia and Italy, have already started a large process of digital ID distribution. Those modern ID cards integrate a certificate by default for every citizen.
Estonia went further by allowing anyone in the world to apply for e-residency. If your application is accepted, you get a digital ID card with a certificate ready to use for signature.
Daily internet transactions need trust and security, and the digital signature is the most important element to enforce data integrity in most web transactions.
Additionally, many governments are adopting digital identity as a modern way to facilitate administrative procedures.
Understanding how this process works will help you in your online procedures and help you avoid scams by knowing how to identify untrusted entities.