Categories: Digital IDSecurity

What is a digital signature? Fundamental principles

Private companies and governments agencies all around the word make huge investments for the automation of their processes and in the management of the electronic documentation.

The main requirement in the management of digital documentation is its equivalence, from a legal perspective, to paperwork, affixing a signature on a digital document is the fundamental principle on which are based the main processes of authorization and validation, apart from the specific area of ​​application.

Main benefits for the introduction of digital signing processes are cost reduction and complete automation of documental workflow, including authorization and validation phases.

In essence, digital signatures allow you to replace the approval process on paper, slow and expensive, with a fully digital system, faster and cheaper.

 

Figura 1 – Digital document lifecycle

 

The digital signature is simply a procedure which guarantees the authenticity and integrity of messages and documents exchanged and stored with computer tools, just as in traditional handwritten signature for documents. Essentially The digital signature of an electronic document aims to fulfill the following requirements:

  • that the recipient can verify the identity of the sender (authenticity);
  • that the sender can not deny that he signed a document (non-repudiation);
  • that the recipient is unable to invent or modify a document signed by someone else (integrity).

A typical digital signature scheme consists of three algorithms:

  1. an algorithm for generating the key that produces a key pair (PK, SK): PK (public key, public key) is the public key signature verification while SK (Secret Key) is the private key held by the petitioner, used to sign the document.
  2. a signature algorithm which, taken as input a message m and a private key SK produces a signature σ.
  3. a verification algorithm which, taken as input the message m, public key PK and a signature σ, accepts or rejects the signature.

To generate a digital signature is necessary to use the digital asymmetric key pair, attributed unequivocally to a person, called holder of the key pair:

  • The private key is known only by the owner, it is used to generate the digital signature for a specific document;
  • The public key is used to verify the authenticity of the signature.

Once the document is signed with the private key, the signature can be verified successfully only with the corresponding public key. Security is guaranteed by the impossibility to reconstruct the private key (secret) from the public, even if the two keys are uniquely connected.

Digital Signature Process

A Digital signature is a one-way hash, of the original data, that has been encrypted with the signer’s private key. A digital signature process is composed by the following steps:

  • The signer calculates the hash for the data he needs to sign. The message digest is a file size small (160-bit SHA-1 now deprecated, with 256-bit SHA-256) that contains some sort of control code that refers to the document. The hash function is produced minimizing the likelihood to get the same value of the digest from different texts and is also “one way” function: this means that from calculates hash it is impossible to get back the original text.
  • The signer, using his private key, encrypt the hash calculate.
  • Signer sends the original data and the digital signature to the receiver. The pair (document and signature) is a signed document or a document to which was attached a signature. The document is in clear text but it has the signature of the sender and can be sent so that it can be read by anyone but not altered since the digital signature guarantees also integrity of the message.

For the verification, The receiving software first uses the signer’s public key to decrypt the hash, then it uses the same hashing algorithm that generated the original hash to generate a  new one-way hash of the same data. The receiving software compares the new hash against the original hash. If the two hashes match, the data has not changed since it was signed.

Figura 2 – Digital Signature Process

The authenticity of a document can be verified by anyone decrypting the signature of the document with the sender’s public key, obtaining the fingerprint of the document, then comparing it with that obtained by applying the hash function (which is known) to the document received which was attached the signature. If the two fingerprints are equal, the authenticity and integrity of the document are demonstrated.
The signing and verification operations may be delegated to a schedule issued by the certification.
Thanks to the mechanism shown, the digital signature ensures non-repudiation: the signer of a document transmitted cannot deny having sent it and the receiver can deny to have received it. In other words means that the information cannot be ignored, as in the case of a conventional signature on a paper document in the presence of witnesses.

The advantages of digital signatures
The activation of a fully automated workflow, digital signatures, reduce time and costs associated with the signatures on paper, the latter in fact have an economic cost and create delays and inefficiencies.
An estimate provided by ARX on the basis of current data sets that each of their clients handwritten signature on a paper document to determine the company at a cost of $ 30 U.S including costs associated with paper, printing costs, of signing, scanning, forwarding, storage and regeneration of lost or missing documents. According to the study of ARX, a person authorized to sign documents marking more than 500 documents a year.

The digital signatures process is essential for the formal approval processes of every companies, a typical scenario require multiple authorization of multiple offices for each document.

Thus digital signatures allow alternate approval processes, collaboration and delivery of paper (expensive and slow), with a digital system (faster, cheaper and more efficient).This results in a number of advantages:

  • improved operational efficiency, reduce cycle time and elimination of costs;
  • risk mitigation, compliance assurance, data quality and long-term storage of files;
  • increase the competitiveness and service levels.

Resuming, digital signatures can reliably automate the signatures of authorization allowing the elimination of paper, reducing costs and improving the speed of production processes.
By virtue of all these advantages, the digital signature can be particularly useful for:

  • Government agencies in regulated sectors with workflows subject to formal approval;
  • organizations must submit documents that need to be approved by various offices;
  • representatives of organizations that use, or services that require commercial building and the provision of reports or contracts signed;
  • Away from executives such as a signature is required to activate the processes;
  • organizations which cooperate with external partners and require approval for workflows;
  • Web portals with external modules that require compilation and signing.
  • Note that the type of documents to which to apply the digital signature is particularly composite, and includes:
  • sales proposals, contracts with customers.
  • purchase orders, contracts / agreements with partners.
  • contracts, agreements, acts of the board.
  • leases, contracts, expense reports and reimbursement approvals.
  • Human Resources: Documentation of employment of employees, presence control cards.
  • Life Sciences: Questions and proposals, QC records, standard operating procedures (SOPs), policies, work instructions.
  • Mechanical work: drawings, sketches, plans, instructions and relations of production.
    health services: medical and patient consent forms, medical exams, prescriptions, laboratory reports.

Pierluigi Paganini

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

LockBit claims the hack of the US Federal Reserve

The Lockbit ransomware group announced that it had breached the US Federal Reserve and exfiltrated…

3 hours ago

Ransomware threat landscape Jan-Apr 2024: insights and challenges

Between Jan and Apr 2024, the global ransomware landscape witnessed significant activity, with 1420 ransomware…

4 hours ago

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

The cybercrime group ExCobalt targeted Russian organizations in multiple sectors with a previously unknown backdoor…

5 hours ago

Threat actor attempts to sell 30 million customer records allegedly stolen from TEG

A threat actor is offering for sale customer data allegedly stolen from the Australia-based live…

15 hours ago

Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995

Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly…

1 day ago

This website uses cookies.