What is a Digital Signature and how does it work?

Mar 22, 2020

The Rise of Digital Signatures

Digital signatures have been steadily increasing in popularity as an alternative means of authentication. Because of innovation in cloud-based technology and the prominence of digital signature providers throughout the United States, the global digital signature market was valued at US$ 804.8 million in 2017 and is expected to grow at a rate of 27.0% from 2018 to 2026, with the cloud segment as the primary factor in its growth (GlobeNewswire). Digital signatures help speed up the approval process, allowing companies to offer transaction services that enhance the customer experience.

This article will introduce the following elements of digital signatures:

  • Definition of a Digital Signature
  • How do Digital Signatures Work?
  • Definitions and Terms associated with Digital Signatures
  • Laws surrounding Digital Signatures
  • Benefits of Digital Signatures
  • Disadvantages of Digital Signatures
  • How to find Trusted Service Providers and Certificate Authorities

Definition of a Digital Signature

A digital signature is a numerical algorithm used to formalize the legitimacy of a message, transaction, or document. Digital signatures create a virtual identification symbol unique to a person or company and are used to help protect information contained in messages or documents (US-Cert, FDA).

Digital signatures are a separate category from electronic signatures in how much security they offer. Electronic signatures, or e-signatures, refer to an automated process that requires a signature or form of agreement on the record (FDA). Electronic signatures can be produced in a variety of ways, including emails, social IDs, phone PINs, and passwords, and use either single-factor or multifactor authentication. Digital signatures use a certificate-based ID and bind each document with encryption through Certificate Authorities and Trust Service Providers (Adobe).

How do Digital Signatures Work?

Digital signatures work by proving that the document or digital message wasn’t modified from the time it was signed. The signing process generates a unique hash of the message or document and encrypts it using the sender’s private key. Once completed, the message or digital document is digitally signed and sent to the recipient. The hash is then compared on the recipient’s side to see if the identity is verified and the document is safe.

Definitions and Terms associated with Digital Signatures

To completely understand the ins and outs of digital signatures, here are some terms you need to know (US-Cert, SOS):

Hash Function – A hash is a string of numbers generated by a mathematical algorithm from a message such as an email, document, picture, or some other type of data. Hash functions are considered one-way, meaning a hash cannot be reversed to recover the file it came from.

Public Key Cryptography – Public key cryptography is a method that uses a key pair system to encrypt or distribute data and ensure authenticity. Those keys can also be checked with a certificate authority to verify identification through an infrastructure.

Public Key Infrastructure – Public key infrastructure (PKI) upholds the policies and standards that support the distribution of public keys and identity validation of individuals or companies with digital certificates from a certificate authority.

Cryptographic Algorithm – A specialized algorithm used to encrypt or decrypt data. This algorithm is the crucial component of how digital signatures make their mark on documents and messages. It processes the signatures through a series of numbers and codes, marking each signature with an identifier for the receiver and recipient.

Trust Service Providers – Trust service providers are companies that offer secure transaction services, which can also include certificate authorities. TSPs issue certificate-based digital IDs and timestamps and follow legal requirements in countries such as the United States, the EU, and Japan.

Certificate Authority – A certificate authority (CA) is a trusted third party that validates a person’s identity. Once a CA confirms someone’s identity, they then issue that person a digital certificate that is digitally signed by a certified authority such as Microsoft or Certisign.

Digital Certificates – Digital certificates help confirm identity and hold information about the signer or company. Their purpose is to identify the holder of the certificate. A certificate contains a public key for that individual or organization and can also hold other relevant information about them.

Pretty Good Privacy (PGP)/OpenPGP – Instead of going through a public key infrastructure, users “trust” other users by signing the certificates of people with valid identities. This system follows a “Web of Trust,” in which people can rely on certificates that are verified through interconnected signatures.

Forgery is nearly impossible due to how the signature process works. Software used to sign documents scans the document and creates a calculation based on an algorithm, making that calculation part of the signature. If the calculated signature of both the sender and receiver are the same, then it is valid (SOS). Digital signatures, in this case, offer a wide variety of options regarding service, and understanding how digital signatures work in business and legal matters is essential when using them as an option.
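The hash-then-sign flow from "How do Digital Signatures Work?" and the validity check in the paragraph above, as an added example (not code from the original article or from any provider it names). It uses Node.js's built-in crypto module with RSA-PSS and SHA-256; the key pairs, document text and function names are constructed for the illustration.

```javascript
const crypto = require('crypto');

// Constructed demo material: key pairs are generated fresh on every run and
// the document text is invented for this example.
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PSS = {
  padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
  saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST,
};

// The "unique hash" of the document; any edit produces a different value.
function digestHex(doc) {
  return crypto.createHash('sha256').update(doc, 'utf8').digest('hex');
}

// Sender side: hash the document with SHA-256, then sign that hash with the private key.
function signDocument(doc, privateKey) {
  return crypto.sign('sha256', Buffer.from(doc, 'utf8'), { key: privateKey, ...PSS });
}

// Recipient side: recompute the hash and check it against the signature using
// the sender's public key. True only if the document and the key both match.
function verifyDocument(doc, signature, publicKey) {
  return crypto.verify('sha256', Buffer.from(doc, 'utf8'), { key: publicKey, ...PSS }, signature);
}

function runDemo() {
  const sender = newKeyPair();
  const stranger = newKeyPair(); // unrelated key pair, not the signer's
  const contract = 'Pay vendor 1,000 USD on 2020-03-22';
  const altered = 'Pay vendor 9,000 USD on 2020-03-22';
  const signature = signDocument(contract, sender.privateKey);

  const damaged = Buffer.from(signature);
  damaged[damaged.length - 1] ^= 0x01; // one bit of the signature changed

  return {
    hashChanged: digestHex(contract) !== digestHex(altered),
    genuine: verifyDocument(contract, signature, sender.publicKey),
    alteredDoc: verifyDocument(altered, signature, sender.publicKey),
    wrongKey: verifyDocument(contract, signature, stranger.publicKey),
    damagedSig: verifyDocument(contract, damaged, sender.publicKey),
  };
}

console.log(runDemo());
```

Only the unmodified document checked against the signer's own public key verifies; a changed amount, a different key pair, or a single flipped signature bit all fail.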

Laws surrounding Digital Signatures

E-signatures are easier to implement and offer many of the legal security requirements needed to run a business. Digital signatures are more technically demanding but provide an advanced form of identification that is also more secure. In countries such as the United States, Canada, Australia, and New Zealand, e-signatures face few legal restrictions, giving them the same authority as handwritten signatures. In countries such as those in the European Union, China, Japan, and South Korea, e-signatures are permitted, but digital signatures may be required as qualified providers of authentication (Adobe).

For instance, the eIDAS regulation in the European Union gives its definition of a standard electronic signature and takes a stance of being electronically neutral, so that any legal effects a signature creates cannot be dismissed in court due to its electronic nature. eIDAS states that for electronic signatures to be considered valid, data must be associated with other data in electronic form to be used by the signatory to sign. However, in any conflict with federal courts in the European Union, eIDAS also states that both parties must give mutual consent and that governing laws in certain countries such as Italy or France will preside over whether or not electronic signatures can count as free or restricted evidence in court (Adobe).

Benefits of Digital Signatures

Digital signature certificates are essential security elements of Netscape and Microsoft Internet browsers. These certificates are used to identify the persons who are viewing Internet sites and provide password protection for individuals to use to access restricted information. Digital signatures help save money by using less paper for companies and governments and allow the signature to be recognized in court if there is a breach of an agreement (SOS). Digital signatures can also:

  • Create better time management and work efficiency
  • Increase productivity
  • Instill legal validity
  • Mitigate recruitment fraud
  • Form better document management
  • Authenticate applicants before hiring
  • Increase work mobility

Disadvantages of Digital Signatures

Although digital signatures can be used in court, there may be cases where digital signatures are not enough. DocuSign, a service provider for digital and e-signatures, was used by a bankruptcy lawyer in a court case in California. While those signatures were used in place of original signatures, the United States Trustee (UST) sanctioned the lawyer, citing local bankruptcy rules which state that an electronically signed document can only be implemented if a copy of the record that also contains an original signature (aka “wet signature”) is available to that court (Cryptomatic).

In this instance, there were few to no legal systems in place for digital authentication platforms. The United States adopted the E-Sign Act, which states that documents cannot be rendered invalid due to their electronic nature. However, this leaves loopholes for court cases to find digital signatures invalid if those signatures were used in corrupted and vulnerable situations. Currently, there is no US Act that defines advanced and qualified signatures, even if U.S. court systems usually widely accept those forms of authentication, which can leave many in a gray area of what qualifies as documentation (Cryptomatic).

How to find Trusted Service Providers and Certificate Authorities

While Adobe Sign can be considered a favorite source for digital signatures, Adobe does not consider itself to be a certified authority for distributing certificates for digital signatures. Trusted Service Providers such as the European Union Trust List and the Adobe Approved Trust List offer companies such as GlobalSign, OpenTrust, DocuSign, SwissSign, and Secom for digital signature services (Adobe). Certified authorities such as Certisign, Cybertrust, Microsoft Root, and Wells Fargo can help make certificates through those trusted providers to ease access to digital signatures, giving companies better opportunities to have digital transactions and help make those documents officially recognized (IBM). In this case, it’s best for individuals or companies that are interested in digital signatures to look for resources such as trust lists to find advanced options for digital signatures, and to double-check whether or not those signatures will conflict with any current laws in the area.
