Before we begin our discussion on digital signatures, let us first understand what a signature is and what it stands for.
A signature is a handwritten and often stylized representation of someone’s name, initials, nickname or even a simple mark that a person puts on a document as proof of identity and intent.
A signature is traditionally used to give evidence of:
- The identity of a document and the individuals involved.
- The will and intent of the individual with regard to that document.
Thus a signature’s basic function is evidential, but it may also serve other purposes: the signatures that famous persons give to fans (autographs) are generally given as souvenirs rather than to authenticate any document.
Now this signature is given manually on paper, i.e. on a hard copy. In today’s age of modernization, what if a particular document exists on a computer and needs to be “signed” by an individual before being, say, distributed to other people?
The first thing that may come to mind is to print the document, sign the printed pages and then distribute hard copies of the signed document.
However, what if the recipients need the document immediately and are geographically situated all over the world?
It would be nearly impossible to send signed hard copies by post to all of them at such short notice.
All these problems could be avoided if one could sign the digital copy of the document “digitally” and then distribute this “digitally signed” copy to all the recipients over digital media.
Here the so-called “electronic signature” comes into the picture.
An electronic signature is a signature placed on an electronic message or document by electronic means, indicating that the person who signed adopts or is responsible for the contents of the message. More broadly, it is meant to perform the actions and roles that a traditional pen-and-paper signature performs, just on electronic media.
In many countries, such as the United States, the European Union and Australia, electronic signatures have the same legal consequences (when recognized under the law of each jurisdiction) as the more traditional forms of signature.
Let us see what the Electronic Signatures in Global and National Commerce Act of the United States says about electronic signatures.
The ESIGN Act, Sec. 106, defines it as follows:
(5) ELECTRONIC SIGNATURE– The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
Thus essentially an electronic signature is very easy to implement: it can very well be the name typed at the end of a document. But this brings in the biggest problems with regard to integrity and security, as there is nothing to prevent one individual from typing another individual’s name. Hence a simple electronic signature, without additional security measures, is not considered a secure way of signing documents.
Thus, to sign electronic documents securely, the “digital signature” came into use.
A digital signature is essentially a "secure" electronic signature which uses encryption, passwords and other methods to protect the integrity of the signature and also guarantee the authenticity of the party who signed it. A digital signature is an electronic signature, but an electronic signature is not necessarily a digital signature: "digital signature" is simply the term for one technology-specific type of electronic signature. A digital signature uses a digital certificate, which is a type of key or code that uses cryptographic algorithms to assure the integrity and authenticity of electronic media and the information within. The digital signature generates an electronic “fingerprint” of the electronic message which is unique to both the document and the signer, and binds the two together.
The digital signature ensures the authenticity of the signer, as it is unique to the signer. Also, any change made to the document after it is signed invalidates the signature, as the signature is also unique to each document, thereby protecting against signature forgery and information tampering.
So much for what digital signatures are. Now comes the point of how a digital signature works.
Let us take the classic example of Bob and Alice, where Bob is the sender and Alice is the receiver.
Let us first see it from Bob’s perspective: how does Bob actually sign a document?
In order for Bob to electronically sign documents with standard digital signatures, he needs to obtain two keys, a private key and a public key, which is a one-time setup. The private key, as the name implies, is not shared and is used only by the signer (here Bob) to sign documents. The public key, also as the name implies, is openly available and is used by those who need to validate the signer's digital signature (in this case Alice).
Now comes the part where Bob actually signs the document with the help of his private key. First Bob generates a unique fingerprint of the document (the hash of the document) using a mathematical algorithm such as SHA-1. This fingerprint is different for each document; even the same document with the slightest change produces a different fingerprint. Then the fingerprint of the document (the hash result), along with Bob’s digital certificate, which contains Bob’s public key, are combined into a digital signature (this is done by encrypting the hash of the document with Bob’s private key). This signature is unique to both Bob and the document.
Finally Bob appends this digital signature to the document and sends it to Alice.
Now let us see what happens when Alice receives the digitally signed document from Bob.
After receiving the document from Bob, Alice decrypts his signature using Bob’s public key, which was provided in the signature within the digital certificate, and thus obtains the document hash provided by Bob.
Alice now uses the same mathematical algorithm as Bob to calculate the fingerprint, i.e. the document hash, of the received document. She then compares her own hash with Bob’s, and if they are the same the document was not altered.
But this process solves just one problem: we can now be sure of the integrity of the document. However, there still remains another aspect.
Alice is still not sure whether Bob is indeed the person with whom she intends to conduct business, or, to put it simply, whether someone else may be impersonating Bob.
To overcome this problem, i.e. to be sure of Bob’s identity, Bob needs to be certified by a trusted third party. This third party runs all the checks and ensures that Bob is indeed the person he claims to be. These trusted third parties are called Certificate Authorities (CAs). They issue certificates to ensure the authenticity of the signer. Certificates can be compared to passports issued by countries to their citizens for world travel. When a traveller arrives in a foreign country, there is no practical way to authenticate the traveller’s identity directly. Instead, we trust the passport issuer and use the passport to authenticate its holder. In the same way, Alice uses the CA's certificate to authenticate Bob's identity.
In this way both the integrity and the authentication of a digital message or document can be ensured with the help of digital signatures.
Thus, with the help of a combination of different security policies and methods, today we are able to bridge the distance between the real world and the digital world, as between the ink-on-paper signature and the digital signature. However, differences will remain. Each has its own pros and cons, and we will have to decide which one to use based on time, need and location.
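The whole exchange described above (the one-time key setup, Bob hashing and signing the document, Alice recomputing the hash and checking the signature, and the CA-issued certificate that lets Alice check Bob's identity) as an added worked example in Go using only the standard library. This is not code from the original article. It uses SHA-256 rather than the SHA-1 named above, since SHA-1 is no longer acceptable for signatures, and RSA PKCS#1 v1.5 signatures, which is the "encrypt the hash with the private key" construction the article describes. The names "Example Trusted CA" and "Bob", the sample agreement text, and the CA having already checked Bob's identity out of band are all assumptions made for the example. It also exercises the two failure cases the article discusses: a document altered after signing, and an impostor who signs with a self-issued certificate carrying Bob's name.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample document standing in for the file Bob wants to sign.
var document = []byte("Agreement: Bob sells 10 widgets to Alice for 100 units.")

// must is a demo-only shortcut: any setup error aborts the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Signer is the sender's side: a private key plus the certificate carrying the matching public key.
type Signer struct {
	priv *rsa.PrivateKey
	cert *x509.Certificate
}

// Sign hashes the document with SHA-256 and signs the digest with the private key
// (the article's "encrypting the hash with the private key"; SHA-256 stands in for SHA-1).
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify is Alice's side: confirm the signer's certificate chains to a CA she trusts,
// then recompute the digest and check the signature with the certificate's public key.
func Verify(doc, sig []byte, signerCert *x509.Certificate, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub := signerCert.PublicKey.(*rsa.PublicKey) // every key in this example is RSA
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not match document: %w", err)
	}
	return nil
}

// issue binds name to pub in a certificate: self-signed when parent is nil, otherwise signed by the CA's parent/parentKey.
func issue(serial int64, name string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name}, // constructed names
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA { // only the CA may sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.BasicConstraintsValid, tmpl.IsCA = true, true
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// Run plays the whole exchange and reports whether Alice accepts: Bob's genuine signature,
// the same signature over a tampered copy, and an impostor's self-issued "Bob" certificate.
func Run() (genuineOK, tamperedOK, impostorOK bool) {
	// One-time setup: the CA's root, then Bob's key pair and his CA-issued certificate.
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := issue(1, "Example Trusted CA", true, &caKey.PublicKey, nil, caKey)
	bobKey := must(rsa.GenerateKey(rand.Reader, 2048))
	bob := &Signer{bobKey, issue(2, "Bob", false, &bobKey.PublicKey, caCert, caKey)}
	aliceTrust := x509.NewCertPool() // Alice's trust store holds only the CA's root
	aliceTrust.AddCert(caCert)
	// Bob signs; Alice verifies the genuine document and a tampered copy.
	sig := must(bob.Sign(document))
	genuineOK = Verify(document, sig, bob.cert, aliceTrust) == nil
	tampered := bytes.Replace(document, []byte("100"), []byte("900"), 1)
	tamperedOK = Verify(tampered, sig, bob.cert, aliceTrust) == nil
	// An impostor with a self-signed certificate named "Bob" fails the chain check.
	malKey := must(rsa.GenerateKey(rand.Reader, 2048))
	mallory := &Signer{malKey, issue(3, "Bob", false, &malKey.PublicKey, nil, malKey)}
	impostorOK = Verify(document, must(mallory.Sign(document)), mallory.cert, aliceTrust) == nil
	return
}

func main() {
	g, t, i := Run()
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", g, t, i)
}
```

Running it prints genuine=true tampered=false impostor=false. Because Alice's trust store holds only the CA's root, the impostor's certificate is rejected before the signature is even examined; that ordering, certificate chain first and signature second, is the check that closes the impersonation gap described above, and the tampered copy fails because Alice's recomputed hash no longer matches the one Bob signed.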
That’s all folks.