digital signature

Contributor(s): Vicki-lynn Brunskill, Peter Loshin and Michael Cobb

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. As the digital equivalent of a handwritten signature or stamped seal, a digital signature offers far more inherent security, and it is intended to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide the added assurances of evidence of origin, identity and status of an electronic document, transaction or message and can acknowledge informed consent by the signer.

In many countries, including the United States, digital signatures are considered legally binding in the same way as traditional document signatures.

How digital signatures work

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm, such as RSA, one can generate two keys that are mathematically linked: one private and one public. 

Digital signatures rely on the two mutually authenticating keys of public key cryptography. The individual who is creating the digital signature uses their own private key to encrypt signature-related data; the only way to decrypt that data is with the signer's public key. This is how digital signatures are authenticated.

Digital signature technology requires all the parties to trust that the individual creating the signature has been able to keep their own private key secret. If someone else has access to the signer's private key, that party could create fraudulent digital signatures in the name of the private key holder.

How to create a digital signature

To create a digital signature, signing software -- such as an email program -- creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature.

The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time as hashing is much faster than signing.

The value of a hash is unique to the hashed data. Any change in the data, even a change in a single character, will result in a different value. This attribute enables others to validate the integrity of the data by using the signer's public key to decrypt the hash.

If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn't changed since it was signed. If the two hashes don't match, the data has either been tampered with in some way -- a compromise to its integrity -- or the signature was created with a private key that doesn't correspond to the public key presented by the signer -- an issue with authentication.
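The sign-and-verify flow described above, as an added example that is not part of the original article: a textbook RSA signature over a SHA-256 hash, using constructed toy primes that are far too small for real use. It follows the article's simplified "encrypt the hash with the private key" model; real schemes (PKCS#1 v1.5, PSS) pad the hash rather than reducing it modulo n, and the verifier only ever learns a yes/no result.

```python
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent, kept secret by the signer


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Build a textbook RSA key pair from two primes (toy sizes only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n, e, pow(e, -1, phi))  # modular inverse needs Python 3.8+


def digest(data: bytes, n: int) -> int:
    """One-way hash of the data as an integer below the modulus.

    Real schemes pad the hash instead of reducing it; the bare reduction here
    only keeps the toy arithmetic in range.
    """
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, key: KeyPair) -> dict:
    """'Encrypt' the hash with the private exponent; ship the algorithm name too."""
    return {"alg": "SHA-256", "sig": pow(digest(data, key.n), key.d, key.n)}


def verify(data: bytes, signature: dict, n: int, e: int) -> bool:
    """Recover the hash with the public key and compare it to a fresh hash."""
    return pow(signature["sig"], e, n) == digest(data, n)


# Constructed signers with their own (tiny) primes: 1000003, 1000033, 1000037
# and 1000039 are the first four primes above one million.
ALICE = make_keypair(1000003, 1000033)
MALLORY = make_keypair(1000037, 1000039)


def demo() -> dict:
    """Genuine signature verifies; a tampered document or a mismatched key does not."""
    msg = b"Pay 100 EUR to account 42"  # constructed document
    sig = sign(msg, ALICE)
    return {
        "genuine": verify(msg, sig, ALICE.n, ALICE.e),
        "tampered": verify(b"Pay 900 EUR to account 42", sig, ALICE.n, ALICE.e),
        "wrong_key": verify(msg, sig, MALLORY.n, MALLORY.e),
    }


if __name__ == "__main__":
    print(demo())
```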

A digital signature can be used with any kind of message -- whether it is encrypted or not -- simply so the receiver can be sure of the sender's identity and that the message arrived intact. Digital signatures make it difficult for the signer to deny having signed something -- assuming their private key has not been compromised -- as the digital signature is unique to both the document and the signer and it binds them together. This property is called nonrepudiation.

Digital signatures are not to be confused with digital certificates. A digital certificate, an electronic document that contains the digital signature of the issuing certificate authority, binds together a public key with an identity and can be used to verify that a public key belongs to a particular person or entity.

Most modern email programs support the use of digital signatures and digital certificates, making it easy to sign any outgoing emails and validate digitally signed incoming messages. Digital signatures are also used extensively to provide proof of authenticity, data integrity and nonrepudiation of communications and transactions conducted over the internet.

Classes of digital signatures

There are three different classes of Digital Signature Certificates:

  • Class 1: Cannot be used for legal business documents as they are validated based only on an email ID and username. Class 1 signatures provide a basic level of security and are used in environments with a low risk of data compromise.
  • Class 2: Often used for e-filing of tax documents, including income tax returns and Goods and Services Tax (GST) returns. Class 2 digital signatures authenticate a signee’s identity against a pre-verified database. Class 2 digital signatures are used in environments where the risks and consequences of data compromise are moderate.
  • Class 3: The highest level of digital signatures. Class 3 signatures require a person or organization to appear in person before a certifying authority to prove their identity before signing. Class 3 digital signatures are used for e-auctions, e-tendering, e-ticketing, court filings and in other environments where threats to data or the consequences of a security failure are high.

Uses of digital signatures

Industries use digital signature technology to streamline processes and improve document integrity. Industries that use digital signatures include:

Government - The U.S. Government Publishing Office publishes electronic versions of budgets, public and private laws and congressional bills with digital signatures. Digital signatures are used by governments worldwide for a variety of uses, including processing tax returns, verifying business-to-government (B2G) transactions, ratifying laws and managing contracts. Most government entities must adhere to strict laws, regulations and standards when using digital signatures.

Healthcare - Digital signatures are used in the healthcare industry to improve the efficiency of treatment and administrative processes, to strengthen data security, for e-prescribing and hospital admissions. The use of digital signatures in healthcare must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Manufacturing - Manufacturing companies use digital signatures to speed up processes, including product design, quality assurance (QA), manufacturing enhancements, marketing and sales. The use of digital signatures in manufacturing is governed by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) Digital Manufacturing Certificate (DMC).

Financial services - The U.S. financial sector uses digital signatures for contracts, paperless banking, loan processing, insurance documentation, mortgages, and more. This heavily regulated sector uses digital signatures with careful attention to the regulations and guidance put forth by the Electronic Signatures in Global and National Commerce Act (E-Sign Act), state UETA regulations, the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC).

Digital signature vs. electronic signature

Though the two terms sound similar, digital signatures are different from electronic signatures. While digital signature is a technical term, defining the result of a cryptographic process that can be used to authenticate a sequence of data, the term electronic signature -- or e-signature -- is a legal term that is defined legislatively.

For example, in the United States, the term was defined in the Electronic Signatures in Global and National Commerce Act, passed in 2000, as meaning "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

This means that a digital signature -- which can be expressed digitally in electronic form and associated with the representation of a record -- can be a type of electronic signature. More generally though, an electronic signature can be as simple as the signer's name being entered on a form on a webpage.

To be considered valid, electronic signature schemes must include three things:

  • a way to verify the identity of the entity signing it;
  • a way to verify that the signing entity intended to affirm the document being signed; and
  • a way to verify that the electronic signature is indeed associated with the signed document.

A digital signature can, on its own, fulfill these requirements to serve as an electronic signature:

  • the public key of the digital signature is linked to the signing entity's identification;
  • the digital signature can only be affixed by the holder of the public key's associated private key, which implies the entity intends to use it for the signature; and
  • the digital signature will only authenticate if the signed data -- document or representation of a document -- is unchanged. If a document is altered after being signed, the digital signature will fail to authenticate.

While authenticated digital signatures provide cryptographic proof that a document was signed by the stated entity and that the document has not been altered, not all electronic signatures can provide the same guarantees.

Digital signature security features and benefits

Security features embedded in digital signatures ensure that a document is not altered and that signatures are legitimate. Security features and methods used in digital signatures include:

  • PINs, passwords and codes: Used to authenticate and verify a signee’s identity and approve their signature. Email, username and password are most common.
  • Time stamping: Provides the date and time of a signature. Time stamping is useful when the timing of a digital signature is critical, such as stock trades, lottery ticket issuance and legal proceedings.
  • Asymmetric cryptography: Employs a public key algorithm that includes private and public key encryption/authentication.
  • Checksum: A long string of letters and numbers that represents the sum of the correct digits in a piece of digital data, against which comparisons can be made to detect errors or changes. A checksum acts as a data fingerprint.
  • Cyclic Redundancy Checking (CRC): An error-detecting code and verification feature used in digital networks and storage devices to detect changes to raw data.
  • Certificate authority (CA) validation: CAs issue digital signatures and act as a trusted third party by accepting, authenticating, issuing and maintaining digital certificates. The use of CAs helps avoid the creation of fake digital certificates.
  • Trust Service Provider (TSP) validation: A TSP is a person or legal entity that performs validation of a digital signature on a company’s behalf and offers signature validation reports.

This was last updated in April 2020


What about cybercriminals developing B mining malware?
An authentication code, used especially in email, which can be used as a traditional written signature. It cannot be forged because the signature is created with a sender's secret key and verified afterward too.
People normally use electronic signature and digital signature interchangeably. However, they are quite different. Electronic signatures, which are provided by lots of vendors these days, cannot ensure document integrity and non-repudiation. Signority has a patent-pending SaaS PKI technology that ensures the highest level of security but eliminates the complexity of traditional PKI technology. Several law firms use their solution to deal with highly sensitive contracts.
How can digital signatures be more widely used to improve the security of email, which is still one of the dominant forms of communication in the world today?
In my mind, the question isn't so much "how can they be used to protect email communications". The bigger question is "how can we streamline the process of creating them and encouraging that they be used in a way that will signal wide adoption". For people who program or who set up environments to share keys on a regular basis, this is not a big deal, but for the average computer user, setting up keys is seen as a monumental pain, and then having tools that readily recognize them and use them without a lot of hand holding is essential. In short, we need to make it easy to implement and then easy to use, with as little monitoring as possible. Perhaps a model like LastPass but for cryptography?
As Michael says - and I agree - the process of getting people to understand and use signature security is the real issue. We're still living in a business environment that leverages at least three major email services. And these don't really play nice together. So until we get Gmail and Exchange and Apple Mail to coordinate some of their code, will we really have the groundwork in place to start using digital signatures that are platform agnostic? Until that happens, we'll be like the spy groups in time of war. The guys we're sending code to will have to have the unlock code right in front of them...and all that does is make things more convoluted and difficult.
I think the question should be more along the lines of "What types of email communications require the security of digital signatures?" I don't see any use whatsoever in using digital signatures in my personal email correspondence unless I am discussing legal matters with my lawyer or financial matters with my accountant. Most of my day-to-day business emails do not contain anything that requires digital signatures.

Michael and Jeff also raise good points: Digital signatures must be easy to use and they must work seamlessly on all platforms. It's the same issue I see every day trying to convince people of ways to come up with good passwords: "Too much work." And I think that is the fundamental difficulty in getting people to adopt good security measures.
I find myself asking the question. Why. Too many already use email without digital signatures. Only in very strict settings are they utilized at all. Michael is right, could they help? Maybe, but I'm worried about spoofing and I'm worried about them getting stolen and what that could imply.
What is the most unusual application in which you've used digital signatures?
This is an inaccurate description of a cryptographic digital signature. Digital signatures are not an encryption of the hash. It is a mathematical function which takes the private key, the hash, and a unique random number to create a result which can be verified by using the signer's public key. The result of the verify is essentially a Yes/No result. There is no way to recover the hash and match it as described above.
Also, no other information typically accompanies the digital signature. The author says the kind of hash algorithm used is also sent with the signature. If the receiver doesn't already know, then a certificate is more appropriate, which contains the signature, the algorithm(s) used and more (Google X.509 certificate).
Thank you.
Decryption is only possible with the private keys. I was confused how the digital signature works by using a public key to decrypt the message.

@Maikai - The article is simplifying things but that doesn't make it incorrect. For instance, you are right that an IV is often used in generating a signature. However, that is a detail that increases security but does not invalidate the basic method of generating a signature from a hashed digest.
Good basic explanation but I got some more questions. What property of a hash function is needed for the digital signature scheme to work correctly; what could go wrong if this property does not hold? According to the above text I think the property is that the encrypted and decrypted hash have to be the same. Is this right?
And also; do you need to use block modes for signing larger messages? 
Lot of information here, I'm curious as to what methods are being used when you sign for a UPS/FedEx package or to pick up some Rx at the pharmacy. The thing they have you sign with your finger never looks like your written signature. You have no idea if it was me or someone else.
I've never heard that a private key can be used to encrypt and a public key can be used to decrypt. I think there is something wrong in this article.
That is how public private encryption works. If you trust the public key from the sender (i.e. a certificate authority) then you can authenticate the sender. What you may be misunderstanding is that inside that message is a message with the keys the other way around. That is, a message signed with your published key, that only you can decrypt with your secret private key. Generally this is only done once and the message itself is some secret cipher (i.e. AES) to encrypt messages faster going forward. Hope that helps. 
What documents will be required for making a digital signature?

Hi dears. Could you help me in my research about quantum digital signatures..... i.e. software for testing algorithms, the most common algorithms, the advantages and disadvantages of each one......etc.
Hey, can you help me with how to verify my digital signature and how to be sure that someone does not misuse my class 3 digital signature?
How will the receiver get the sender's or signer's public key, thus enabling decryption at the receiver's end?