The digital signature is the unforgeable equivalent of the handwritten signature, provided that the digitally generated signatures also comply with the requirements prescribed in the eIDAS Regulation. Then the digital signature is not only forgery-proof, but also 100% legally valid.
For many people, however, the topic still raises questions and uncertainty. Is my signature secure? Can my signature be forged? How can I make sure that the right person has signed it?
To answer these and other questions, this article looks at how a document can be validly signed digitally and what is required for this.
Digital signatures are equipped with back-end tools to ensure that only an authorized person can sign a document and to prevent changes after signing.
A digital signature is created using a unique digital identifier called a "digital certificate" or "public key certificate." Digital certificates are issued by accredited certification authorities (CAs) after verifying the identity of the applicant.
A certification authority (CA) is an institution authorized to issue digital certificates. It acts as a trusted third party (TTP) that verifies the identity of the holder of a certificate. A certificate authority also certifies the possession of a public key.
A digital certificate is an electronic passport that identifies the participant in a PKI-secured conversation and allows individuals and institutions to exchange data securely online. Data is encrypted and decrypted using a pair of public and private keys.
A public key is a unique numeric identifier used to encrypt data or verify digital signatures. It is issued by a certificate authority to a person or organization and is publicly available to anyone who needs it.
A private key is known only to its owner. It is used to decrypt data encrypted with the corresponding public key or to create digital signatures.
Digital signatures and digital certificates are closely linked. Their applications and uses depend on how these systems are implemented and how the respective PKI infrastructure works. A digital certificate is sometimes called a digital signature certificate because it confirms the public key (authenticity) of the signing entity.
Let's start with a simple example. Alice and Bob want to communicate with each other or sign a document.
Alice has two digital cryptographic keys - a Public (PA) and a Private/Secret (SA) key. The public key may be passed on. The private key, however, must be kept secret and secure by Alice.
Alice creates a digital certificate that contains her public key and email address. She sends this certificate to Bob to share her public key with Bob.
Alice can now sign a document with her private key and send it to Bob. Using Alice's public key, Bob can then verify that the signature was made with Alice's private key.
So private and public keys are two sides of the same coin. Anything signed with a Private Key can be verified with the matching Public Key.
This now ensures that only Alice can make a signature with her Private Key.
However, another security measure needs to be introduced. It must be ensured that the link between Alice's public key and her user ID (e.g. e-mail address) is actually checked.
This time Mallory wants to pretend to be Alice and communicate with Bob. Mallory has neither Alice's nor Bob's private key. However, he has his own private-public key pair.
Mallory wants to convince Bob that his private key belongs to Alice. To do this, he builds himself a certificate from his public key and Alice's e-mail and sends it to Bob. Bob thinks he has received the public key from Alice.
Now Mallory can sign documents with his private key and send them to Bob. Bob again checks the signature against the public key from the certificate he received, and the two match. So Bob is now convinced that Alice signed this message. In reality, however, it was Mallory.
The problem here is that Mallory has a chance to create a link between his public key and Alice's user ID.
However, we want to prevent that and for that we need a third party.
Trent is a trusted third party that ensures that the link between Alice's public key and her user ID is verified. Trent verifies Alice's identity, e.g. using ID verification with Video Ident, and authenticates the digital certificate.
Alice can now sign messages and Bob can be sure that the message is really from Alice. With this, we manage to create tamper-proof digital signatures!
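As an added illustration (not code from the original article), here is a toy Python model of the three situations described above: Alice signing with a key that Trent has certified, Mallory presenting a certificate he built himself from his own key and Alice's e-mail, and a Bob who checks only whether the signature matches the key in the certificate. The RSA parameters, names and e-mail addresses are constructed for the example; the key sizes are far too small for real use and only serve to make the mechanics visible.

```python
# Toy model of the Alice/Bob/Mallory/Trent scenario (added example, not the article's code).
# Textbook RSA with small constructed primes: illustration only, far too weak for real use.
import hashlib

def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) from two constructed primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data: bytes) -> int:
    # Sign a (truncated) hash of the message; 4 bytes keeps it below every toy modulus used here.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def sign(message: bytes, private) -> int:
    n, d = private                               # only the private-key holder can compute this
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    n, e = public                                # anyone holding the public key can check
    return pow(signature, e, n) == digest(message)

def cert_bytes(email: str, public) -> bytes:
    # The certificate body: the binding between a user ID (e-mail) and a public key.
    return f"{email}|{public[0]}|{public[1]}".encode()
def issue_cert(email: str, public, issuer_private) -> dict:
    return {"email": email, "key": public, "sig": sign(cert_bytes(email, public), issuer_private)}

def bob_verifies(doc: bytes, sig: int, cert: dict, expected_email: str, trent_public) -> bool:
    """Bob accepts only if Trent vouches for the e-mail/key binding AND the document signature checks."""
    if cert["email"] != expected_email:
        return False
    if not verify(cert_bytes(cert["email"], cert["key"]), cert["sig"], trent_public):
        return False          # binding not certified by Trent: a self-made certificate fails here
    return verify(doc, sig, cert["key"])

def scenario():
    """Returns (honest signature accepted, Mallory's forgery accepted, forgery accepted without Trent)."""
    alice_pub, alice_priv = make_keypair(131071, 524287)
    mallory_pub, mallory_priv = make_keypair(104729, 999983)
    trent_pub, trent_priv = make_keypair(1299709, 7919)
    doc = b"I, Alice, agree to the contract."             # constructed sample document
    alice_cert = issue_cert("alice@example.com", alice_pub, trent_priv)   # Trent verified Alice
    honest = bob_verifies(doc, sign(doc, alice_priv), alice_cert, "alice@example.com", trent_pub)
    # Mallory builds a certificate from HIS public key and Alice's e-mail and signs it himself.
    fake_cert = issue_cert("alice@example.com", mallory_pub, mallory_priv)
    forged = bob_verifies(doc, sign(doc, mallory_priv), fake_cert, "alice@example.com", trent_pub)
    # A Bob who only checks "does the signature match the key in the certificate?" is fooled.
    naive = verify(doc, sign(doc, mallory_priv), fake_cert["key"])
    return honest, forged, naive
```

Calling `scenario()` returns `(True, False, True)`: the Trent check is exactly what turns the third outcome into the second.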
So two things are important in this:
With this, we manage to produce digital, qualified signatures that are at least as secure as analog signatures.
Technically, each digital signature created for a particular document is unique and therefore extremely difficult to forge. The ability of digital signatures to ensure the integrity and authenticity of electronic documents while indicating the signer's consent enables businesses, contractors and customers to interact online and share information securely.
Excursus
Alice, Bob, and Mallory are fictional characters that serve as synonyms for the main actors in communication and data sharing. Instead of speaking of anonymous individuals, these individuals are personified through the use of Alice, Bob, and Mallory. This method facilitates the representation of complex relationships and processes and makes them easier for the reader to understand.
Who are Alice and Bob? Alice and Bob are representative characters for those involved in a communication between two parties. Alice acts as the initiator who sets up the communication. Bob takes the role of the person who receives the message. Most of the time, Alice strives to deliver a message to Bob, while Bob waits for the message from Alice.
Who is Mallory? Mallory is an active attacker of a communication who is not afraid to interfere with the communication to manipulate messages or alter data. As a man-in-the-middle (MITM), Mallory is especially dangerous to Alice and Bob, but they can use cryptography to protect themselves from him. Without the use of cryptography, Mallory could alter or intercept data undetected. However, it is important to emphasize that cryptography is NOT capable of preventing Mallory from intercepting or altering data as such; what it does is ensure that such tampering does not go undetected.
Who is Trent? Trent, a name derived from the English "trusted entity", is a trusted third party, for example a Certificate Authority (CA).