Vertrieb kontaktieren:+43 50 423


We use cookies on our website to provide you with the best possible experience. By clicking "Accept All" you agree to the use of all cookies and to our privacy policy.

Necessary cookies
Performance cookies (incl. US-provider)

How does the qualified digital signature work?

Gloria Dzida
Updated on 02.05.2023

The digital signature is the unforgeable equivalent of the handwritten signature. Provided that the digitally generated signatures also comply with the regulations prescribed in the eIDAS Regulation. Then the digital signature is not only forgery-proof, but also 100% legally valid.

For many people, however, the topic still raises questions and uncertainty. Is my signature secure? Can my signature be forged? How can I make sure that the right person has signed?

In order to be able to answer these and other questions, we will deal in this article with how a document can be validly digitally signed and what is necessary for this.

How to digitally sign an electronic document securely

Clarification of terms:

  • Digital signatures are used to approve and validate documents in electronic form. They use complex cryptographic mechanisms to authenticate digital documents and messages, confirm the identity of signers, and protect data from tampering and corruption during transmission.

Digital signatures are equipped with back-end tools to ensure that only an authorized person can sign a document and to prevent changes after signing.

A digital signature is created with a unique digital identifier called a "digital certificate" or "public key certificate." Digital certificates are issued by accredited certification authorities (CA) after verifying the identity of the applicant.

  • A certification authority (CA) is an institution that is authorized to issue digital certificates. It acts as a trusted third party (TTP) that verifies the identity of the holder of a certificate. A certification authority also certifies the possession of a public key.

  • A digital certificate is an electronic passport that identifies the participant in a PKI-secured conversation and enables individuals and institutions to exchange data securely online. Data is encrypted and decrypted using a pair of public and private keys.

  • A public key is a unique numeric identifier used to encrypt data or verify digital signatures. It is issued by a certification authority to a person or organization and is publicly available to anyone who needs it.

  • A private key is known only to its owner. It is used to decrypt data created with the corresponding public key or to generate digital signatures.

Digital signatures and digital certificates are closely linked. Their applications and uses depend on how these systems are implemented and how the respective PKI infrastructure works. A digital certificate is sometimes called a digital signature certificate because it confirms the public key (authenticity) of the signing entity.

Why do I need a digital signature and certificate?

Let's start with a simple example. Alice and Bob want to communicate together or sign a document.

Scenario 1: Initial example

Alice has two digital cryptographic keys - a public key (PA) and a private/secret key (SA). The public key may be passed on. The private key, however, must be kept secret and secure by Alice.

Alice creates a digital certificate that contains her public key and her e-mail address. She sends this certificate to Bob to share her public key with Bob.

Alice can now sign a document with her Private Key and send it to Bob. Bob can then verify that Alice's Public Key matches the signature made with Alice's Private Key.

Private and Public Key are therefore two sides of the same coin. Anything signed with a private key can be verified with the matching public key.

This now ensures that only Alice can make a signature with her Private Key.

However, another security measure has to be introduced to ensure that the link between Alice's public key and her user ID (e.g. e-mail address) is actually checked.

Scenario 2: What can happen if the certificate is not checked?

This time Mallory wants to pretend to be Alice and communicate with Bob. Mallory has neither Alice's nor Bob's private key. However, he has his own private-public key pair.

Mallory wants to convince Bob that his private key belongs to Alice. To do this, he builds himself a certificate from his public key and Alice's e-mail and sends it to Bob. Bob thinks he has received the public key from Alice.

Now Mallory can sign documents with his private key and send them to Bob. Bob can check the signature again with the public key and which ones match again. Bob is now convinced that Alice signed the message. But in reality it was Mallory.

The problem here is that Mallory has the chance to create a link between his public key and Alice's user ID.

However, we want to prevent that and for that we need a third party.

Scenario 3: How to do it right?

Trent is a trusted third party that ensures that the link between Alice's public key and her user ID is verified. Trent verifies Alice's identity, e.g., using ID verification with Video Ident, and authenticates the digital certificate.

Alice can now sign messages and Bob can be sure that the message is really from Alice. In this way, we manage to produce forgery-proof digital signatures!

So two things are important here:

  1. First, Alice's identity must be established and her UserID must be associated with a public key. Alice always keeps the private key in safe custody. Either herself or through a secure third-party provider like sproof.
  2. Second, when a signature is made, the identity of the signer must be verified, for example by a push message on your cell phone.

In this way, we manage to produce digital, qualified signatures that are at least as secure as analog signatures.

Technically, each digital signature created for a specific document is unique and therefore extremely difficult to forge. The ability of digital signatures to ensure the integrity and authenticity of electronic documents while indicating the signer's approval enables businesses, contractors and customers to interact online and share information securely.


Digression: Who are Alice, Bob and Mallory?

Alice, Bob, and Mallory are fictional characters that serve as synonyms for the main actors in the communication and exchange of data. Instead of speaking of anonymous individuals, these people are personified through the use of Alice, Bob, and Mallory. This method facilitates the presentation of complex relationships and processes and makes them easier for the reader to understand.

Who are Alice and BobAlice and Bob are representative figures for those involved in a communication between two parties. Alice acts as the initiator who sets up the communication. Bob takes on the role of the person who receives the message. Most of the time, Alice strives to convey a message to Bob, while Bob waits for the message from Alice.

Who is Mallory: Mallory is an active attacker of a communication who is not afraid to interfere with the communication to manipulate messages or alter data. As a man-in-the-middle (MITM), Mallory is especially dangerous to Alice and Bob, but they can use cryptography to protect themselves from him. Without the use of cryptography ...

  • ... data transmissions are vulnerable to manipulation by third parties. Mallory could, for example, use intercepted data for his own purposes or change it without being noticed.
  • ... Mallory could impersonate another person and thus gain access to confidential information.
  • ... Alice could claim undetected that certain data has been falsified by Mallory.

However, it is important to emphasize that

  • ... cryptography is NOT capable of preventing Mallory from altering or intercepting data undetected.
  • ... that interrupting or preventing connections is not impossible.
  • ... the use of cryptography is nevertheless an important protection mechanism to minimize the risk of data manipulation.

**Who is Trent?**Trent, derived from the English "trusted entity", is a trustworthy third party. For example, as a Certificate Authority, or CA for short.

Why sproof sign?Highest security and compliance paired with an "all-in-one" functionality make sproof sign the top European alternative on the e-signature platform market. 100% developed and hosted in Europe.
sproof sign is the highest-rated provider in the e-signature category on the independent evaluation platform OMR Reviews for Q3 and Q4 2023, as well as Q1 2024.