Talking technology – electronic signatures

As a source of potential confusion, we explain all you need to know about electronic signatures

Talking about technology can be confusing, because a term of reference can mean different things to different people, and different terms of reference can be used to describe the same thing. Take ‘electronic signatures’ and ‘digital signatures’. Some people use the terms to describe the same things and others use them to describe a variety of different things. Such is the potential for confusion, that many countries have been forced to give them legal definitions.

US law, for example, defines an electronic signature as ‘an electronic sound, symbol, or process, attached to – or logically associated with – a record and executed or adopted by a person with the intent to sign the record’. But this doesn’t do much to clarify, because the term can be used to describe so many things. You can use it to describe a digitised facsimile of a handwritten signature, an e-mail origination header, or even to refer to a security key that can be used to authenticate electronic communications. But in the latter ‘cryptographic’ context, the correct term of reference really ought to be digital signature.

Cryptography is all about hiding the meaning of messages, and a digital signature is part of a scheme designed to do just this, by simulating the security of a handwritten signature in digital form. It can be used with encrypted and unencrypted messages, so a digital signature can authenticate the identity of the sender of a message or the signer of a document, and possibly ensure that the original content of the message or document that has been sent is unchanged.

Digital and handwritten signatures are very different. Digital signatures use an algorithm to produce two different but mathematically related ‘keys’ for an individual; one public and one private. These are then used to encode (or scramble) and decode data. Messages generated using the private key can be decoded and read by anyone with access to the public key. Similarly, anyone with access to the public key can use it to send a message, but it can only be decoded and read by the holder of the private key.

To produce a digital signature for a message or document, software is used to produce a ‘message hash’ or mathematical summary based on the data. The key is then used to encrypt the hash, and the encrypted hash becomes your ‘digital signature’.

To further enhance the security of digital signatures, digital certificates are used to bind the key pairs together with a unique identity. In a public key infrastructure, certificates are issued by third parties, known as certificate authorities, and they are responsible for authenticating the identity of the certificate holder. But certificates can also be issued by someone in a private ‘web of trust’, so there is a hierarchy of certificates, and some rank higher up the trust scale than others – which can make differentiating between a digital signature and an electronic signature seem like child’s play.  

 

"Cryptography is all about hiding the meaning of messages, and a digital signature is part of a scheme designed to do just this, by simulating the security of a handwritten signature in digital form"