Before the world started digitizing, it relied heavily on signed papers to approve, authenticate, and hold liable different parties in transactions and different types of agreements. The digital signature and the digital certificate come as a modern replacement of standard signatures.
Significantly faster than sending papers through the post and sending documents through fax, the digital signature came into the aid of various businesses.
What is a Digital Signature?
A Digital Signature is an electronic verification of a document’s sender, which allows the receiver to determine if the original content has been altered by an intermediary.
The private key and the public key are the two essential elements of a digital signature, created by a dedicated algorithm at the same time. Even though they are created to be mathematically related, in appearance, they will be different.
A digital signature serves three purposes:
- Authentication – the receiver can establish the authorship of a message and determine if the sender is who he claims he is.
- Non-repudiation – the sender cannot deny having sent the message later on and can be held accountable for the non-altered message.
- Integrity – the message was not altered.
And as a matter of fact, the digital signature holds legal value in the United States, European Union, Switzerland, South Africa, Algeria, Turkey, India, Brazil, Indonesia, Mexico, Saudi Arabia, Uruguay, and Chile.
How to Create a Digital Signature?
To create a digital signature, you need to sign the message with your private key.
The private key is the element of this equation that only you hold, and by providing it, you show proof that you are the one that signed a document.
First, you hash the plain text to keep a record of the unaltered version of the message you’re about to send.
SIDENOTE. Hashing is the transformation of a specific content of any length into a shorter fixed-length value.
The most preferred hashing algorithm these days is SHA256 (Secure Hashing Algorithm). Keep in mind that hashing is a one-way process, and a small change in the input changes the whole output.
Next, you encrypt the hash of the plain text with your private key, which will result in the digital signature.
You attach the digital signature to the plain text document and send it.
Through asymmetric encryption, the receiver will be able to decrypt your digital signature and compare the hash of the plain text with the hash you provide.
So, you might wonder how you hash a document. Fortunately, a program on your computer will do it automatically for you.
This is how you can generate the hash of a document on Windows 7/8/10:
- Access the “Command Prompt”;
- Type in “certutil – hashfile”
- Drop the document in the “Command Prompt.”
- Add “SHA256” at the end of the row.
Your final line should look something like this:
certutil -hashfile “C:\User\Computer\Desktop\File.docx” SHA256
By doing that, the console will display 256 bits / 64 hexadecimal characters code that represents the content of your file.
But where do you get a private key and a public key?
That’s quite simple as well.
You can generate them through software, an online platform, or through a Public Key Infrastructure (PKI) registered with a Certificate Authority.
SIDENOTE. The PKI is an accepted format to manage public-key encryption that provides the highest levels of security and universal acceptance.
Then, how do you add a digital signature with a private key to a document?
For that, you once again have to use dedicated software such as Sign Server, Safe pdf, or DocuSign.
How does it help?
Let’s take a fictional scenario of how a digital signature can protect you.
You digitally sign a contract with a provider abroad for outsourcing services.
After agreeing on terms and conditions and a $20/hour rate, you hashed the document and signed it, then sent it back to the provider.
And here comes the problem.
The signed contract needs to get to the manager of the outsourcing company, but a greedy salesman changes the rate to $30/hour so he can earn a bigger commission. When it’s time to pay, you suddenly discover that the rate is bigger than what you agreed on.
How do you prove that the document was tampered with?
The manager was unaware but was willing to clarify the situation. So, you ask him to use the public key to decrypt your signature and check the hash. By doing so, he will be able to spot the difference in the hash output and determine that the contract was altered.
And even if the manager isn’t willing to cooperate, you can take them to court, prove you’re in the right, and hold them accountable.
Digital Signature in Blockchain
Bitcoin’s blockchain makes use of the SHA256 algorithm and digital signature to assure the immutability of the information stored on the blockchain. The digital signature helps to keep track of transactions and prevent double spending.
The transactions are taken as an input and are run through a hashing algorithm, then returned as an output with a fixed length. The data is then added inside a block. The block also contains a hash pointer that points to the previous block.
The hash pointer contains the hash of all the data inside the previous block. Any slight modification of the data contained in a block will bring with itself a drastic modification in the hash. The modification doesn’t fall only on the current but on all previous blocks as well, hence nullifying them.
What is a Digital Certificate?
As you may already have guessed, it’s not that complicated to make a digital signature and use it. This is exactly where its weakness stands.
A malicious party may try to create a digital signature and a public key to pretend to be someone else. If a person receives such a digitally signed message and concludes the document is legit, that person will be exposed to an informational attack from the malicious party.
The digital signature alone does not verify the true identity of the sender and his public key, therefore, lacks authentication.
However, this issue is solved by a digital certificate. A digital certificate is an electronic credential issued by a Certification Authority.
The certification authority registers through a PKI the identity of the owner and also verifies that the owner actually owns the public key.
The digital certificate usually contains the owner’s name, public key, certification authority, and digital signature. This way, the risk of receiving a digital signature from a malicious party is significantly reduced.
How to Create a Digital Certificate?
Mainly there are two ways to create a digital certificate:
- You create a self-signed certificate.
- You request it from a Certification Authority (CA).
1. Self-signed certificate
There are several methods to create a self-signed certificate, but to understand the process, we will refer to the self-signed X509 certificate. You can create it all by yourself in OpenSSL.
Just open the command prompt and type in ‘openssl.’
Next, type in ‘OpenSSL req -x509 -days 365 -newkey rsa:2048 -keyout my-key.pem -out my-cert.pem’.
And while to some of you, this might look like gibberish, let’s see what all of that means:
- ‘Req’ means that it is a certificate request;
- ‘x509’ designates the type of certificate;
- ‘365’ indicates the number of days it will be valid;
- ‘newkey’ means that it will be a new certificate;
- ‘Keyout’ is going to be the key file.
After that, you will be able to create the private key and add identification information.
You can find a step-by-step guide here.
However, a self-signed digital certificate provides only encryption but no trust. Such a certificate is an easy target for hackers. They can replicate it and pretend to be the ‘issuer’ and start phishing for personal information.
As a matter of fact, websites that use self-signed SSL certificates are marked as ‘not trusted’ by internet browsers.
2. CA issued certificate
The digital certificate validated by a certification authority is the more trustworthy and safer method. It’s also easier to obtain, but it may imply a fee.
The certification authority usually requires a fee for issuing a certificate, and you can either request just their certificate or request them to handle all the PKI.
If you need a simple certificate, you can contact them by phone or email. They will verify your identity, then give you a certificate that should contain the public key, the certification authority’s identification, and the user’s identification.
Besides digital certification, you can ask some companies to handle all aspects of the PKI, access tokens, and multi-factor authentication for users, devices, and machines.
In the website’s case, the certificate signing request comes as a command with the webserver.
- A Digital Signature is an electronic verification of the sender. It relies on asymmetric encryption and uses a private key to encrypt the message and a public key to decrypt it.
- The content of the message is hashed to keep integrity. However, the hash is a one-way process and is used to validate that the content was not altered.
- The received message is decrypted with the public key, and the content’s hash has to match the hash value provided by the sender. Otherwise, the receiver has reason to believe the content was altered.
- A digital signature alone lacks authentication. Therefore, it needs to be backed by a digital certificate issued by a certification authority.