What is a digital signature?

A digital signature—a type of electronic signature—is a mathematical algorithm routinely used to

validate the authenticity and integrity of a message (e.g., an email, a credit card transaction, or a digital
document). Digital signatures create a virtual fingerprint that is unique to a person or entity and are used
to identify users and protect information in digital messages or documents. In emails, the email content
itself becomes part of the digital signature. Digital signatures are significantly more secure than other
forms of electronic signatures.

Digital signatures are a cryptographic technique used to verify the authenticity and integrity of digital
data. They provide a way to ensure that a message or document has not been altered since it was signed
and that it originates from the claimed sender.

Why would you use a digital signature?

Digital signatures increase the transparency of online interactions and develop trust between customers,
business partners, and vendors.

How Digital Signatures Work:

1. Key Generation: The sender generates a pair of cryptographic keys: a public key and a private
key.

2. Signing: The sender uses their private key to create a digital signature for the message or
document. This signature is a mathematical transformation of the data that is unique to the
sender's private key.

3. Verification: The recipient uses the sender's public key to verify the signature. If the verification
process is successful, it confirms that the message or document originated from the claimed
sender and has not been modified.

Familiarize yourself with the following terms to better understand how digital signatures work:

 Hash function — A hash function (also called a "hash") is a fixed-length string of numbers and
letters generated from a mathematical algorithm and an arbitrarily sized file such as an email,
document, picture, or other type of data. This generated string is unique to the file being hashed
and is a one-way function— a computed hash cannot be reversed to find other files that may
generate the same hash value. Some of the more popular hashing algorithms in use today are
Secure Hash Algorithm-1 (SHA-1), the Secure Hashing Algorithm-2 family (SHA-2 and SHA-256),
and Message Digest 5 (MD5).

 Public key cryptography — Public key cryptography (also known as asymmetric encryption) is a
cryptographic method that uses a key pair system. One key, called the public key, encrypts the
data. The other key, called the private key, decrypts the data. Public key cryptography can be
used several ways to ensure confidentiality, integrity, and authenticity. Public key cryptography
can

 Ensure integrity by creating a digital signature of the message using the sender's private
key. This is done by hashing the message and encrypting the hash value with their
 private key. By doing this, any changes to the message will result in a different hash
value.

 Ensure confidentiality by encrypting the entire message with the recipient's public key.
This means that only the recipient, who is in possession of the corresponding private
key, can read the message.

 Verify the user's identity using the public key and checking it against a certificate
authority.

 Public key infrastructure (PKI) — PKI consists of the policies, standards, people, and systems
that support the distribution of public keys and the identity validation of individuals or entities
with digital certificates and a certificate authority.

 Certificate authority (CA) — A CA is a trusted third party that validates a person's identity and
either generates a public/private key pair on their behalf or associates an existing public key
provided by the person to that person. Once a CA validates someone's identity, they issue a
digital certificate that is digitally signed by the CA. The digital certificate can then be used to
verify a person associated with a public key when requested.

 Digital certificates — Digital certificates are analogous to driver licenses in that their purpose is
to identify the holder of a certificate. Digital certificates contain the public key of the individual
or organization and are digitally signed by a CA. Other information about the organization,
individual, and CA can be included in the certificate as well.

 Pretty Good Privacy (PGP)/OpenPGP — PGP/OpenPGP is an alternative to PKI. With

PGP/OpenPGP, users "trust" other users by signing certificates of people with verifiable
identities. The more interconnected these signatures are, the higher the likelihood of verifying a
particular user on the internet. This concept is called the "Web of Trust."

Benefits of Digital Signatures:

 Authentication: Verifies the identity of the sender.

 Integrity: Ensures that the message or document has not been altered.
 Non-repudiation: Prevents the sender from denying that they sent the message.
 Confidentiality: In some cases, digital signatures can be used to encrypt data.

Common Use Cases:

 Email: Verifying the authenticity of emails.

 Digital documents: Ensuring the integrity of contracts, legal documents, and other
important files.
 Electronic transactions: Securing online payments and financial transactions.
 Software distribution: Verifying the authenticity and integrity of software downloads.
Digital signatures work by proving that a digital message or document was not modified—intentionally
or unintentionally—from the time it was signed. Digital signatures do this by generating a unique hash of
the message or document and encrypting it using the sender's private key. The hash generated is unique
to the message or document, and changing any part of it will completely change the hash.

Once completed, the message or digital document is digitally signed and sent to the recipient. The
recipient then generates their own hash of the message or digital document and decrypts the sender's
hash (included in the original message) using the sender's public key. The recipient compares the hash
they generate against the sender's decrypted hash; if they match, the message or digital document has
not been modified and the sender is authenticated.

Why should you use PKI or PGP with digital signatures?

Using digital signatures in conjunction with PKI or PGP strengthens them and reduces the possible
security issues connected to transmitting public keys by validating that the key belongs to the sender and
verifying the identity of the sender. The security of a digital signature is almost entirely dependent on
how well the private key is protected. Without PGP or PKI, proving someone's identity or revoking a
compromised key is impossible; this could allow malicious actors to impersonate someone without any
method of confirmation.

Through the use of a trusted third party, digital signatures can be used to identify and verify individuals
and ensure the integrity of the message.

As paperless, online interactions are used more widely, digital signatures can help you secure and
safeguard the integrity of your data. By understanding and using digital signatures, you can better
protect your information, documents, and transactions.