The digital signature is the unforgeable equivalent of the handwritten signature, provided that the digitally generated signature also complies with the requirements of the eIDAS Regulation. In that case the digital signature is not only forgery-proof, but also 100% legally valid.
For many people, however, the topic still raises questions and uncertainty. Is my signature secure? Can my signature be forged? How can I make sure that the right person has signed?
In order to be able to answer these and other questions, we will deal in this article with how a document can be validly digitally signed and what is necessary for this.
Digital signatures are equipped with back-end tools to ensure that only an authorized person can sign a document and to prevent changes after signing.
A digital signature is created with a unique digital identifier called a "digital certificate" or "public key certificate." Digital certificates are issued by accredited certification authorities (CA) after verifying the identity of the applicant.
A certification authority (CA) is an institution that is authorized to issue digital certificates. It acts as a trusted third party (TTP) that verifies the identity of the holder of a certificate. A certification authority also certifies the possession of a public key.
A digital certificate is an electronic passport that identifies the participant in a PKI-secured conversation and enables individuals and institutions to exchange data securely online. Data is encrypted and decrypted using a pair of public and private keys.
A public key is a unique numeric identifier used to encrypt data or verify digital signatures. It is issued by a certification authority to a person or organization and is publicly available to anyone who needs it.
A private key is known only to its owner. It is used to decrypt data that was encrypted with the corresponding public key, or to generate digital signatures.
Digital signatures and digital certificates are closely linked. Their applications and uses depend on how these systems are implemented and how the respective PKI infrastructure works. A digital certificate is sometimes called a digital signature certificate because it confirms the public key (authenticity) of the signing entity.
Let's start with a simple example. Alice and Bob want to communicate together or sign a document.
Alice has two digital cryptographic keys - a public key (PA) and a private/secret key (SA). The public key may be passed on. The private key, however, must be kept secret and secure by Alice.
Alice creates a digital certificate that contains her public key and her e-mail address, and sends this certificate to Bob to share her public key with him.
Alice can now sign a document with her private key and send it to Bob. Bob can then use Alice's public key to verify that the signature was made with the matching private key, i.e. Alice's.
Private and Public Key are therefore two sides of the same coin. Anything signed with a private key can be verified with the matching public key.
This ensures that only Alice, who alone holds her private key, can produce a signature that verifies with her public key.
However, another security measure has to be introduced to ensure that the link between Alice's public key and her user ID (e.g. e-mail address) is actually checked.
This time Mallory wants to pretend to be Alice and communicate with Bob. Mallory has neither Alice's nor Bob's private key, but he does have his own private/public key pair.
Mallory wants to convince Bob that his private key belongs to Alice. To do this, he builds himself a certificate from his public key and Alice's e-mail and sends it to Bob. Bob thinks he has received the public key from Alice.
Now Mallory can sign documents with his private key and send them to Bob. Bob checks the signature against the public key in the certificate he received, and it matches. Bob is now convinced that Alice signed the message, but in reality it was Mallory.
The problem here is that Mallory was able to create a link between his own public key and Alice's user ID, and nothing in Bob's check detects this.
We want to prevent that, and for that we need a third party.
Trent is a trusted third party that ensures that the link between Alice's public key and her user ID is verified. Trent verifies Alice's identity, e.g., using ID verification with Video Ident, and authenticates the digital certificate.
Alice can now sign messages and Bob can be sure that the message is really from Alice. In this way, we manage to produce forgery-proof digital signatures!
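To make the Alice, Bob, Mallory and Trent story concrete, here is an added example in Go (not code from this article or from any signing product) using Ed25519 keys from the standard library. The certificate structure, the e-mail address and the contract text are constructed for illustration and are not a real X.509 certificate; `Issue` plays Trent's role, `VerifyNaive` is Bob's first check and `VerifyWithCA` the check that defeats Mallory's self-made certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate binds a user ID (e-mail) to a public key. CASig is Trent's signature over that binding.
type Certificate struct {
	Email  string
	PubKey ed25519.PublicKey
	CASig  []byte // empty for a certificate somebody built himself
}

// tbs is the exact byte string Trent signs and Bob later checks (constructed format).
func (c Certificate) tbs() []byte { return append([]byte(c.Email+"\x00"), c.PubKey...) }

// Issue is Trent's step: after verifying the holder's identity, he signs the binding.
func Issue(trent ed25519.PrivateKey, email string, pub ed25519.PublicKey) Certificate {
	c := Certificate{Email: email, PubKey: pub}
	c.CASig = ed25519.Sign(trent, c.tbs())
	return c
}

// VerifyNaive is Bob's first check: the signature matches the key in the certificate,
// but nothing proves that this key really belongs to the claimed e-mail address.
func VerifyNaive(cert Certificate, doc, sig []byte) bool {
	return ed25519.Verify(cert.PubKey, doc, sig)
}

// VerifyWithCA also demands Trent's signature on the binding; a missing or wrong
// CASig (as on Mallory's home-made certificate) makes the whole check fail.
func VerifyWithCA(trentPub ed25519.PublicKey, cert Certificate, doc, sig []byte) bool {
	return ed25519.Verify(trentPub, cert.tbs(), cert.CASig) && ed25519.Verify(cert.PubKey, doc, sig)
}

// Scenario replays the article: Mallory forges a certificate for Alice's e-mail.
// Returns (naive check fooled, CA check rejects forgery, CA check accepts Alice).
func Scenario() (bool, bool, bool) {
	trentPub, trentPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("constructed contract text") // constructed sample document
	aliceCert := Issue(trentPriv, "alice@example.com", alicePub)
	forged := Certificate{Email: "alice@example.com", PubKey: malloryPub} // Mallory's own binding
	mSig, aSig := ed25519.Sign(malloryPriv, doc), ed25519.Sign(alicePriv, doc)
	return VerifyNaive(forged, doc, mSig), !VerifyWithCA(trentPub, forged, doc, mSig),
		VerifyWithCA(trentPub, aliceCert, doc, aSig)
}

func main() { fmt.Println(Scenario()) } // true true true
```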
So two things are important here:
In this way, we manage to produce digital, qualified signatures that are at least as secure as analog signatures.
Technically, each digital signature created for a specific document is unique and therefore extremely difficult to forge. The ability of digital signatures to ensure the integrity and authenticity of electronic documents while indicating the signer's approval enables businesses, contractors and customers to interact online and share information securely.
Alice, Bob, and Mallory are fictional characters that stand in for the main actors in the communication and exchange of data. Instead of speaking of anonymous parties, these roles are personified as Alice, Bob, and Mallory. This convention makes complex relationships and processes easier to present and easier for the reader to follow.
**Who are Alice and Bob?** Alice and Bob are representative figures for the two parties involved in a communication. Alice acts as the initiator who sets up the communication. Bob takes on the role of the person who receives the message. Most of the time, Alice strives to convey a message to Bob, while Bob waits for the message from Alice.
**Who is Mallory?** Mallory is an active attacker on a communication who is not afraid to interfere with it to manipulate messages or alter data. As a man-in-the-middle (MITM), Mallory is especially dangerous to Alice and Bob, but they can use cryptography to protect themselves from him. Without the use of cryptography ...
However, it is important to emphasize that
**Who is Trent?** Trent, derived from the English "trusted entity", is a trustworthy third party, for example a Certificate Authority, or CA for short.