Skip to main content

Digital signatures and their part in securing our digital world

digital transformation
(Image credit: Image Credit: Konica Minolta Business Solutions UK )

How do you know that an email that you have received really comes from its reputed sender? You can check the address of course, but there are ways to spoof addresses. How does your bank know that a request from your banking app to transfer money to a payee really comes from you? Even the website that you are reading right now could have been copied, its URL subtly altered and links to the original article redirected to a ‘watering hole’ that could infect your system with malware.

You can find the answer to the last question yourself if you don’t already know it: on most browsers you’ll be able to find this site’s SSL certificate near the URL, which will give you its date, issuer, and the type of ‘Public Key’ being used to ensure that this certificate is authentic – 2048 bit RSA in this site’s case. You will also find a ‘Subject Key Identifier’, which for Itproportal is 43efdb2b2fe2cbfa8089e0548bde2c9e95c0ae9a at time of writing.

This forms part of the digital signature that ensures you that this site is authentic and that information sent to this site can be kept private. There are many other examples of these ‘digital signatures’ in use across the internet, often in ways that are completely invisible to users but vital to businesses. 

Here, we will be exploring what digital signatures are, how they are secured, how they are used and their future as one of the most vital elements of our increasingly digital society.

What are digital signatures?

The first point to make is that digital signatures are not electronic signatures used when filling in forms online, though electronic signatures are secured with digital signatures.

A digital signature can be anything used to verify the authenticity (whether a file came from the party who is reputed to have created it) and integrity (when a file has been altered and by who) of a piece of self-contained digital information, such as a document or an email. Although hypothetically digital signatures could use other types of encryption, the internet as it is today uses a technology known as asymmetrical encryption.

Say two people wanted to send each other a document. To verify that the document is real the sender and the recipient could send each other a password, but this would be easy to intercept. Instead, digital signatures use pairs of public and private keys – the public key encrypts the data, the private key can decrypt that data. When a new document is created it will have a public key like the hash above, which will be unique to that file. The hash and the file are encrypted with a private key that is much longer and more complex, and virtually impossible to derive from the public key. If any alterations are made to the file, it will change the hash and therefore existing keys won’t work so it is impossible to decrypt a document using an old key.

When two parties are sending information encrypted with asymmetric cryptography, they start by exchanging public keys. The sender will encrypt a document with the recipient’s public key, then send the document. Because only the holder of the private key can open the document it can be assured that the document is genuine and hasn’t been tampered with.

This method makes the idea of every file transmitted between two or more parties having a unique and verifiable digital signature possible.

How are they used?

Of course, the system above happens in the background during our work and private lives, and most of us will never have to think about how it enables digital trust, except on the rare occasion when we visit a website with an expired SSL certificate.

Rather than explaining what they do, it is easier to explain what could happen if digital signatures didn’t exist. A spoofed email address could send an invoice to a customer that reputedly comes from your company instructing them to pay a criminal’s bank account rather than your own. Documents could be edited with false information without there being any kind of paper trail. A huge admin burden would be placed on all businesses as they would have to verify the details of every piece of information sent to and from their companies. Auditing a company’s information and accounts would be nearly impossible as every piece of information would be suspect.

In a world facing serious, growing and ongoing cybersecurity problems (Infosecurity Magazine), where not even the government of the world’s most powerful country is safe (Infosecurity Magazine), the fact that we are still able to receive an email and trust that it came from the person or organization associated with that address is extremely important, and that trust can be largely attributed to the use of digital signatures.

What’s next for digital signatures?

The computing power that it would take to reliably derive a private key from a public key would be astronomical, so digital signatures as they are currently constituted will be secure for decades to come. The only potential problem would be the creation of Quantum Computing, which could be ‘a decade away’ (Fast Company), according to an expert from IBM. Hypothetically, this would allow encryption to be broken much faster, which is why the hardware security modules that power asymmetric cryptography are made to be safe against quantum encryption breaking, even when quantum computing hasn’t been invented yet.

Most of us will go through our lives without having to interact with, or even understand, what is happening behind the scenes to keep our data secure. For those of us who are entrusted with securing data online, it is vital to understand the methodology behind digital signatures and to use the very best hardware and software to keep those signatures safe.

Mario Galatovic, Vice President Products & Alliances, UTIMACO

Mario Galatovic is the Vice President Products & Alliances at UTIMACO, a global platform provider of trusted Cybersecurity and Compliance solutions and services ). Developing on-premises and cloud-based hardware security modules and key management solutions as well as compliance solutions for telecommunication providers in the field of regulation.