CRYPTO BLOG

A collection of cryptographic articles and resources

What is a Digital Signature - What it Does, How it Works

10. December 2015 by Dawn M. Turner (guest)


In the fast-paced world of business, there is always the need for speeding up various processes that are integral for optimizing efficiency, while still protecting the privacy of the business and its clients/customers. The use of digital signatures has continued to grow as a means of meeting the need for faster and more secure authentication that cannot be easily forged or compromised.

Consider how important and time-sensitive documents have been signed in the past. The user would first need to obtain the documents to be signed, either by receiving a paper document by mail or by printing the document from a designated online source. The document would then need to be physically signed and returned to its originator. This forced the user to complete the process offline, adding time-consuming and costly physical steps for returning the signed document and further steps for verifying the signature. However, with the use of digital signatures and the What You See Is What You Sign (WYSIWYS) experience, the user can now securely access, view and sign documents online, thus eliminating the need for most offline steps.


A more secure way to authenticate a signature

Digital signing is now an accepted means of producing signatures that are considered legally binding in many countries, including members of the European Union (EU), Saudi Arabia and the United States. When a digitally signed message has been received, the receiver has valid reason to believe that the message originated from the designated sender, even if it has been relayed through an insecure channel.

In many cases, a digital signature is a legally accepted alternative to a handwritten signature or official seal certifying the authenticity of the signature. This makes it beneficial for many governments, businesses and agencies when signing documents or messages related to e-commerce, regulatory filings, banking and contracts, in addition to numerous other applications where a verifiable signature is required.

The process of digital signing

There are typically three algorithms involved with the digital signature process:

  • Key generation – This algorithm provides a private key along with its corresponding public key.
  • Signing – This algorithm produces a signature upon receiving a private key and the message that is being signed.
  • Verification – This algorithm checks for the authenticity of the message by verifying it along with the signature and public key.

Digital signing requires that a signature generated from a fixed message and a private key can be authenticated with the corresponding public key. Using these cryptographic algorithms, the user’s signature cannot be replicated without access to their private key.

By applying asymmetric cryptography, the digital signature process is designed to resist several common attacks, which are classified by what the attacker has access to:

  • Key-only – Attacker has access to the public key
  • Known message – Attacker has access to valid signatures for known messages, but not those that they have chosen
  • Adaptive chosen message – Attacker gains access to signatures on various messages that they have chosen

Reasons to consider implementing the digital signature process

Aside from facilitating business processes and preventing the forgery of critical messages and documents, digital signing provides additional validation benefits. Where assurance is needed that a message or an accompanying document has not been altered during transmission, a digital signature prevents alterations from going unnoticed. If the digitally signed content is altered, the signature is invalidated, thus alerting the sender and receiver of a breach. This is because the applied cryptographic functions prevent a new and valid signature from being produced for the altered message.
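The three algorithms listed under "The process of digital signing", together with the alteration detection described in the paragraph above, shown as an added example that is not code from the original article. It assumes a Lamport one-time signature built on SHA-256, chosen here because it needs only a hash function (the article names no specific scheme); each Lamport key pair may sign one message only, and the function names and sample message are constructed for illustration.

```python
import hashlib
import secrets

BITS = 256  # one pair of key slots per bit of the SHA-256 message digest


def _h(data):
    return hashlib.sha256(data).digest()


def _digest_bits(message):
    """Hash the message and return the digest as 256 individual bits."""
    d = int.from_bytes(_h(message), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def generate_keypair():
    """Key generation: private key = 2 x 256 random secrets, public key = their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def sign(private, message):
    """Signing: reveal one secret per digest bit. A key pair must sign only ONE message."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(public, message, signature):
    """Verification: uses only the public key, the message and the signature."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        # Each revealed secret must hash to the public value selected by that bit.
        ok &= secrets.compare_digest(_h(signature[i]), public[i][bit])
    return ok


if __name__ == "__main__":
    priv, pub = generate_keypair()
    msg = b"Pay 100 EUR to account 12345"  # constructed sample message
    sig = sign(priv, msg)
    print("original verifies:", verify(pub, msg, sig))
    print("altered verifies: ", verify(pub, b"Pay 900 EUR to account 12345", sig))
    _, other_pub = generate_keypair()
    print("wrong public key: ", verify(other_pub, msg, sig))
```

In production, the same three operations would come from a vetted library implementing a reusable-key scheme such as Ed25519, ECDSA or RSA-PSS.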

When non-repudiation is enabled, the sender of the message cannot deny digitally signing the message at a later date. The receiver, or others who gain unauthorized access to the message, are also prevented from creating a fake signature. Most non-repudiation methods provide a time-stamp that cannot be altered and provide evidence of the digital signature in the event that the private key has been compromised or revoked.




References and further reading