Digital Signatures and Information Security

Finjan TeamBlog, Cybersecurity

Finjan Digital Signatures and Information Security

As online and electronic transactions gain as much or more validity than traditional paper-based ones, there’s an increasing need to ensure the authenticity and integrity of the various parties involved, the data and assets traded between them, and the overall security of the transaction process. One method used to accomplish this is the use of digital signatures.

What Are Digital Signatures?

As their name suggests, digital signatures are the bits and pixel-based equivalent of handwritten signatures and stamped seals. Analogous also to “electronic fingerprints,” digital signatures employ a mathematical process to encrypt and validate the authenticity and integrity of digital documents, messages, or software.

They’re a specialist form of electronic signature (eSignature, or e-signature), a broad category of techniques which allow people and organizations to sign documents and provide authentication for the entity who signs.

Digital Signatures – As Good as Paper?

When you consider that paper-based documents can be quite easily forged, tampered with, stolen, destroyed, lost, or simply refuted (with a good enough lawyer, and the right sort of evidence), then the relative permanence of the digital medium means that documents and files signed digitally have several advantages to offer.

  • Companies or individuals wishing to complete transactions don’t have to wait for physical documents to be brought to them by courier, or other means.
  • The costs associated with registered mail or courier services don’t come into the equation, with a digital signature transaction.
  • Documents can be digitally signed and transmitted to their destination in seconds.
  • With the necessary software and certification, digital signatures and their related documents may be created and viewed on desktop systems, laptops, or mobile devices.
  • In addition to their inherent security qualities (which we’ll discuss shortly), digitally signed documents are less likely than their paper-based counterparts to be read, altered, destroyed, or intercepted in transit.
  • The digital medium also makes it easier to track documents as they move from sender to recipient.
  • Digital signatures enable documents to be time-stamped at the point of signing, and provide undeniable evidence of the identity of the signatory.
  • In many jurisdictions, digitally signed documents are as admissible in court as paper-based ones.

How Do Digital Signatures Work?

Documents to be signed digitally are first prepared (e.g. as an email attachment, or PDF file) using client software on the sender’s machine, or through an online form or other procedure prescribed by a third party digital signature solution provider.

Asymmetric or public key cryptography is the basis for creating a digital signature. A public key encryption algorithm such as RSA is used to generate two mathematically linked keys. Digital signing software is employed to create a one-way hash (a special mathematical function) of the electronic information that will be signed.

The signatory’s private key (which they must keep safe with them at all times) is then used to encrypt the hash, using a function that can convert an arbitrary input such as a document or message into a much shorter value of fixed length. The document’s digital signature consists of this encrypted hash, together with other information such as the hashing algorithm. In essence, it’s encrypted data uniquely associated with the signed document – a sort of electronic fingerprint.

A time stamp is typically generated at the moment of signing, and provides historical evidence to the creation of the signature. Any changes observed in the document after this recorded time will invalidate the digital signature.

At the document’s destination, the receiver uses a public key (a copy of the sender’s own public key, transmitted by the sender) with which they will decrypt the digital signature via the same cipher used to generate the keys.

How Secure Are They?

In the public key encryption used for digital signing, the value of the generated hash is unique to the hashed data with which it’s associated. Any change in that data – even altering or removing a single character – would result in a different hash value. It’s this uniqueness that enables a recipient to validate the integrity of the information being sent, by decrypting the hash with the sender’s public key. A decrypted hash must match a second computed hash of the same data – which proves that the information hasn’t been altered since it was signed.

Digital signatures use an industry standard format known as Public Key Infrastructure (PKI), which sets out the parameters for public and private keys used in digital signature transactions. A private key remains the property and responsibility of the signatory, who does not share it with anyone, and only uses it to electronically sign documents. Public keys may be shared openly, and are used by recipients to validate a signatory’s electronic or digital signature.

The PKI standard also enforces requirements for the Certificate Authority (CA) that issues a digital certificate in respect of each transaction, requirements for end-user enrollment software, and the provision of tools for renewing, managing, and revoking certificates and keys. PKI is an internationally recognized encryption verification technology, under which digital signatures provide the highest and most verifiable standard for identifying an individual or corporate entity by electronic means.

Are They Truly Binding?

The majority of international governments now recognize and accept digital signatures as legally binding, though there are still some hold-backs and regional variations.

In the U.S., the Electronic Signatures in Global and National Commerce Act of 2000 is the most recent legislation pertaining to this issue. Countries like the U.S. the United Kingdom, Canada, and Australia which follow more open and technology-neutral eSignature laws have a more wide-ranging and open acceptance of digital signatures for all applications.

By contrast, many countries in Europe, Asia, and South America adopt a stepwise or tiered model of eSignature and digital signature implementation, based on locally defined or regional standards for digital signature technology. Some industries (notably the pharmaceutical and life sciences trades) support specific standards within their own sectors.

But in all cases where digital signatures are recognized, they are viewed as guarantors of the integrity of the data being sent, the authenticity of the sender’s identity, and as undeniable proof (non-repudiation) that the signatory is the original source of a document (and can’t claim otherwise, in court).

Are Digital Signatures and Digital Certificates the Same?

There’s often confusion as to the distinction between a digital signature and a digital certificate. The actual position is quite simple.

A digital certificate is an electronic document containing the public key associated with a digital signature, and also specifying the identity of the individual or enterprise associated with that key. The certificate is used to certify that the public key actually belongs to a specific person or organization.

Digital certificates are only valid for a specified time period, and must be issued by a recognized and trusted authority. They are necessary for the creation of a digital signature – but they aren’t the signature, itself.

What Role Do Certificate Authorities (CAs) Play?

A Certificate Authority or CA plays the role of the “recognized and trusted authority” that issues a digital certificate and guarantees the security of the private and public keys used in creating a digital signature. Both the sender of a document and the recipient who signs it must agree to use a given Certificate Authority.

Keys must be protected to ensure security and integrity, and to prevent forgery or malicious use by third parties. The person or enterprise signing or sending a document requires proof that the documents and keys were created securely and properly validated. A Certificate Authority is the third party which acts as a kind of Trust Service Provider to ensure key security, and the provision of the necessary digital certificates.

Any Drawbacks?

There are some issues to consider when using digital signatures, including:

  • The technology underlying the creation of a digital signature may be liable to becoming obsolete, over time.
  • There may be costs (for both senders and recipients) associated with purchasing digital certificates from trusted Certificate Authorities.
  • Signature verification software is also required for digital certificate transactions – and again must be purchased by recipients and senders.
  • In those territories where electronic and digital signatures aren’t officially recognized, parties should be cautious in the level of exposure they allow themselves in digital transactions.
  • In addition, the existence of several digital signature standards across the globe (many of which are incompatible with each other) may complicate the sharing and transmission of digitally signed documents.

Overall though, digital signatures are a secure, verifiable, legally admissible, and convenient method for document exchange and the rapid completion of all kinds of transactions.

Share this Post

Summary
Finjan Digital Signatures and Information Security
Article Name
A Closer Look at Digital Signatures and Information Security
Description
Digital signatures are a secure, verifiable, legally admissible, and convenient method for document exchange and the rapid completion of transactions.
Author
Publisher Name
Finjan
Publisher Logo
Finjan Digital Signatures and Information Security