Table of contents
What is a digital signature? And an electronic signature? Would you know how to recognise the main differences? These two terms refer to different types of signatures. However, many people who are interested in our services are unsure about their main characteristics.
In this post we want to clarify what a digital signature is so that everyone knows what it can be used for and the characteristics associated with it.
Digital and electronic signatures are often used as synonyms, but not all types of electronic signatures have the same security features as truly digital signatures.
In many online articles these two concepts are used interchangeably and this creates confusion when trying to understand what each one is and why they are different to each other.
For both companies and individuals, it is important to know and understand the characteristics and implications of using each type of signature, because each one has some associated risks in terms of security, privacy of information and compliance with the law.
What is a digital signature?
A digital signature, which should not be confused with a digital certificate, is a mathematical technique used to validate the authenticity and integrity of a message, software or a digital document.
A digital signature, as opposed to a traditional signature, is not a name but two “keys” or sequences of separated characters. It applies cryptographic measures to the content of a message or document in order to show the following to the message’s recipient:
- that the sender of the message is real (authentication);
- that the sender cannot deny that they sent the message (non-repudiation);
- that the message has not been altered since it was sent (integrity).
A digital signature is therefore a key part of the advanced electronic signature and qualified electronic signature, but not of the simple electronic signature. A simple electronic signature would be, for example, a personal identification number (PIN) entered at a cash machine or clicking on “accept” or “do not agree” on a “terms and agreements” electronic contract.
This type of electronic signature cannot attribute the electronic signature of a signatory to a specific signatory, therefore, it is does not have the same features as a digital signature.
All digital signatures are electronic, but not all electronic signatures are digital.
A digital signature is legal, but its aim is not to attest to the signatory’s willingness like an electronic signature, but just to encrypt the data of a document to give it greater security.
Also a digital signature can be used for a wider range of file types, such as videos, sound, music, etc., making it more versatile than the traditional paper signature.
How do digital signatures work?
Digital signatures are based on public-key cryptography, also known as asymmetric cryptography. Normally there are three algorithms involved in the digital signature process:
- Creation of two keys that are mathematically linked: an algorithm provides a private key together with its corresponding public key.
- Signature: this algorithm produces a signature when a private key and the message that is being signed is received.
- Verification: this algorithm checks the authenticity of the message verifying it together with the signature and the public key.
The first thing we should know if we want to understand what a digital signature is, is the term hash. The hash functions are algorithms that are created from an input (be it text, a password or a file for example) an alphanumerical output of usually a fixed length that represents an overview of all the information that it has been given. Meaning, the data input creates a chain that can only be created again with the same data.
To create a digital signature, the signature software creates a one-way hash of the electronic data that needs to be signed. The private key is used to encrypt the hash. The encrypted hash together with other information is the digital signature.
Any change to the data, even changing or removing just one character will result in a different value. This allows others to validate the integrity of the data by using the signatory’s public key to decrypt the hash.
If the decrypted hash coincides with a second hash calculated from the same data, it proves that the data has not changed since it was signed. If the two hashes do not coincide, the data has been altered in some way (integrity) or the signature was created with a private key that does not correspond to the public key presented by the signatory (authentication).
The digital signatures make it difficult for the signatory to deny having signed something (non-repudiation), assuming that their private key has not been compromised, as the digital signature is unique both for the document and the signatory, and they go together.
A digital certificate, an electronic document that contains the digital signature of the certificate authority, links a public key with an identity and can be used to verify that a public key belongs to a specific person or entity.
Digital signatures are widely used to test the data’s authenticity and integrity and non-repudiation of communications and transactions made online.
Reasons to consider using the digital signature process
The most common concerns that people and organisations have with paper documents are: is the person that signed the document the person they say they are? How can I check that the signature is valid and has not been forged? How can I check if the document has been changed?
As well as making business processes easier and preventing the falsification of messages and key documents, using a digital signature provides additional validation benefits. When you need a guarantee that a message or attached document has not been altered during the transfer, a digital signature helps to avoid unknown alterations going unnoticed.
If the digitally signed content is altered the signature will be invalid, which will notify the sender and the recipient of an infringement. The cryptographic features will avoid a new and valid signature being produced for this message.
When non-repudiation is provided, the message’s sender cannot deny the message’s digital signature at a later date. The recipient or someone who obtains unauthorised access to the message cannot create a false signature.
Most of the non-repudiation methods provide a time stamp that cannot be altered and provide evidence of the digital signature in case the private key has been compromised or revoked.
Conclusion, the digital signature verifies and ensures the following:
- The document is authentic and comes from a verified source.
- The document has not been manipulated since it was digitally signed.
- Its identity has been verified by a trusted organisation (the CA).
If you want more information, get in touch with us through the following form, or call us directly on +34 960 03 12 03.