Casey Crane is a tech lover and cybersecurity journalist for Hashed Out and Infosec Insights.
Although it’s easy to confuse the two, a digital signature isn’t the same thing as an electronic signature. Both terms include the word “signature,” and both relate to identity, but they’re two different processes. A digital signature is a type of electronic signature in the broad sense, but it serves a different function and end goal.
A digital signature is also different from a digital certificate (although the two work in conjunction). Not sure what we mean? You’ll see shortly. In this article, we’ll break down what a digital signature is and how it works. We’ll also dive into the nitty-gritty things to know about the digital signature process as a whole.
In a nutshell, a digital signature (also known as an advanced electronic signature or qualified electronic signature, in some cases) is an integral component of public key infrastructure (PKI) that allows users to look at something (an email, document, software application, etc.) and know who it came from. Basically, it’s a way for you to authenticate yourself to another party and show that your item in question is legitimate and unaltered. For example, here’s how a digital signature looks in a signed email:
Graphic: Examples of how email digital signature information displays in Outlook.
Another example of a digital signature can be found in SSL/TLS certificates in the form of the certification path. For example, the SSL/TLS certificate on SectigoStore.com is signed by the intermediate certificate using a digital signature, which is signed by the root certificate, so you can know for sure that this website was verified by Sectigo:
Graphic: A screenshot of the certification path that displays in an SSL/TLS certificate. It shows the root certificate, intermediate certificate, and server certificate.
Digital signatures work hand-in-hand with hash functions, or what are known more simply as hashes. Ever heard of SHA-2 and SHA-256? Yeah, those are two of the most common examples of hashing algorithms (SHA-256 is one member of the SHA-2 family). (Don’t worry, we’ll talk more about hashing a little later to provide additional clarity.)
Digital Signatures Offer Assurance and Authenticity
… Hmm, that didn’t really help much, did it? Okay, let’s try this another way. There are three primary uses for digital signatures:
Okay, it probably sounds like something you’d never end up using in daily activities, right? Wrong — and here’s why.
Wondering what a digital signature is in terms of how your organization can use it in the real world? You may be surprised to know that many companies and organizations are already using digital signatures. In fact, if you’ve ever downloaded an app on your computer that displayed a pop-up with the name of the developer or manufacturer who created it, you’ve seen the result of a digital signature being applied and verified.
You can use digital signatures in a variety of applications:
Some of the most common types of PKI digital certificates that use digital signatures include:
Now that we have a better understanding of what a digital signature is and what it does from a high-level perspective, it’s time to roll up our sleeves and really dig in to how it works on a more technical level.
The digital signature process is based on asymmetric cryptography because it relies on a pair of mathematically related public and private keys.
Hashing (and Hash Values)
In a nutshell, hashing is a simple way of generating a code that uniquely identifies a file. If the file changes, the hash value changes, too. This means that a hash, for all intents and purposes, is a one-way function that can be applied to a piece of data of any length to produce a unique string of text (what’s known as a hash value, digest, or fingerprint) of a fixed length.
This hash digest is encrypted using the message creator’s private key (and the creator’s public key decrypts it on the end user’s side). The purpose of a hash is to serve as a checksum that proves that the message, code, or whatever else has been hashed hasn’t been altered. (This differs from encryption because encryption is intended to be a two-way process.)
Basically, it takes your message and applies a hash function (such as SHA-256) to it that converts it into a hash value like this (an illustrative value, not a real SHA-256 output):
HELLO = ch857er1iu23rbhfiu23rhb2c2b4l8m4n
(Okay, technically, it’s theoretically possible for someone to reverse a hash using brute force. But the amount of time and computational resources that would be required really makes trying to do so pretty pointless…)
It’s important to note that every hash value is unique. If two different files somehow manage to produce the same hash value, the result is something called a collision. Much like a vehicle collision, a hash collision is also bad. Basically, it means that the hash algorithm is useless and won’t protect your file or message.
Anyhow, to help you better understand what a hash is, let’s think of it in terms of digitally signing an email. You can use an email signing certificate to digitally sign your email. This helps you prove to your recipient that it was you who sent the message and that it hasn’t been tampered with since you pushed “send.” (This gives you the authentication and message integrity assurance that we referred to earlier.)
Graphic: Here's a visual breakdown of how the digital signing process works.
Graphic: Here’s an example of the verification process when an item has been digitally signed. When the hash values match, it means that the data is unaltered.
Okay, so let’s take a look at how the digital signature process actually works in terms of sending an email:
As you’ve learned, digital signatures are a great way to assert identity and to authenticate data and the people responsible for creating or sending it. They also validate the integrity of the data in question by indicating whether it’s been tampered with (although a signature can’t stop the tampering from happening in the first place).
Digital signatures in cryptography have a lot of different uses — they’re an essential part of information security for websites, documents, emails, and more. Fun fact: You use digital signatures every day, even if you’re not aware of them. Your browser used multiple digital signatures to verify our website when you clicked through to read this article.
Disclosure: SectigoStore.com is a leading provider of X.509 digital certificates.