On this page:
- What is a digital signature?
- How is a digital signature used for authentication?
- How long do digital signatures remain valid?
- What is the legal status of documents signed with digital signatures?
- Can using Digital ID Certificates help detect altered documents and transmission errors?
What is a digital signature?
A digital signature functions for electronic documents like a handwritten signature does for printed documents. The signature is a non-forgeable piece of data that asserts that a named person wrote or otherwise agreed to the document to which the signature is attached.
A digital signature actually provides a greater degree of security than a handwritten signature. The recipient of a digitally signed message can verify both that the message originated from the person whose signature is attached and that the message has not been altered either intentionally or accidentally since it was signed. Furthermore, secure digital signatures cannot be repudiated; the signer of a document cannot later disown it by claiming the signature was forged.
In other words, digital signatures enable "authentication" of digital messages, assuring the recipient of a digital message of both the identity of the sender and the integrity of the message.
How is a digital signature used for authentication?
Suppose Alice wants to send a signed message to Bob. She creates a message digest by using a hash function on the message. The message digest serves as a "digital fingerprint" of the message; if any part of the message is modified, the hash function returns a different result. Alice then encrypts the message digest with her private key. This encrypted message digest is the digital signature for the message.
Alice sends both the message and the digital signature to Bob. When Bob receives them, he decrypts the signature using Alice's public key, thus revealing the message digest. To verify the message, he then hashes the message with the same hash function Alice used and compares the result to the message digest he received from Alice. If they are an exact match, Bob can be confident that the message did indeed come from Alice and has not changed since she signed it. If the message digests are not equal, the message either originated elsewhere or was altered after it was signed.
Note that using a digital signature does not encrypt the message itself. If Alice wants to ensure the privacy of the message, she must also encrypt it using Bob's public key. Then only Bob can read the message by decrypting it with his private key.
It is not feasible for anyone to either find a message that hashes to a given value or to find two messages that hash to the same value. If either were feasible, an intruder could attach a false message onto Alice's signature. Specific hash functions have been designed to have the property that finding a match is not feasible, and are therefore considered suitable for use in cryptography.
One or more digital ID certificates can accompany a digital signature. If a digital ID certificate is present, the recipient (or a third party) can check the authenticity of the public key.
How long do digital signatures remain valid?
Normally, a key expires after some period of time, such as one year, and a document signed with an expired key should not be accepted. However, there are many cases where it is necessary for signed documents to be regarded as legally valid for much longer than one or two years; long-term leases and contracts are examples. By registering the contract with a digital time-stamping service at the time it is signed, the signature can be validated even after the key expires.
If all parties to the contract keep a copy of the time-stamp, each can prove that the contract was signed with valid keys. In fact, the time-stamp can prove the validity of a contract even if one signer's key gets compromised at some point after the contract was signed. Any digitally signed document can be time-stamped, assuring that the validity of the signature can be verified after the key expires.
What is the legal status of documents signed with digital signatures?
If digital signatures are to replace handwritten signatures they must have the same legal status as handwritten signatures (i.e., documents signed with digital signatures must be legally binding). NIST (National Institute of Standards and Technology) has stated that its proposed Digital Signature Standard should be capable of "proving to a third party that data was actually signed by the generator of the signature." Furthermore, U.S. federal government purchase orders will be signed by any such standard; this implies that the government will support the legal authority of digital signatures in the courts. Some preliminary legal research has also resulted in the opinion that digital signatures would meet the requirements of legally binding signatures for most purposes, including commercial use as defined in the Uniform Commercial Code (UCC). A GAO (Government Accounting Office) decision requested by NIST also opines that digital signatures will meet the legal standards of handwritten signatures.
However, since the validity of documents with digital signatures has never been challenged in court, their legal status is not yet well-defined. Through such challenges, the courts will issue rulings that collectively define which digital signature methods, key sizes, and security precautions are acceptable for a digital signature to be legally binding.
Digital signatures have the potential to possess greater legal authority than handwritten signatures. If a ten page contract is signed by hand on the tenth page, one cannot be sure that the first nine pages have not been altered. However, if the contract was signed with digital signatures, a third party can verify that not one byte of the contract has been altered.
Currently, if two people want to digitally sign a series of contracts, they might first sign a paper contract in which they agree to be bound in the future by any contracts digitally signed by them with a given signature method and minimum key size.
Several efforts are underway to legislate the legality and use of digital signatures. Utah has implemented laws qualifying digital signatures. Similar legislation is under way in California and New York, with other states following.
Can using Digital ID Certificates help detect altered documents and transmission errors?
A digital signature is superior to a handwritten signature in that it attests to the contents of a message as well as to the identity of the signer. As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter the signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail. Thus, authentication allows people to check the integrity of signed documents. Of course, if a signature verification fails, it may be unclear if there was an attempted forgery or simply a transmission error.
Copyright © 2000, VeriSign, Inc. All Rights Reserved