How to sign something digitally

Siri Shamendra
Dec 20, 2023

You may have wondered what happens when you eSign something digitally. Let’s hack into it and uncover what is happening.

There are a few models that we can use to sign an electronic document.

  1. Public Key Infrastructure (PKI): PKI provides the underlying structure and framework for managing digital certificates, public and private key pairs, and other security-related elements necessary for secure communication, authentication, and digital signature validation.
    This is the most popular model.
  2. Web of Trust (WoT): This model, popularized by Pretty Good Privacy (PGP), relies on a decentralized approach to verify the authenticity of public keys. Instead of centralized certificate authorities, individuals validate each other’s keys by signing them. The trust in a particular key grows as more people sign it, forming a web of trust.
  3. Identity-Based Encryption (IBE): Unlike PKI, which requires certificates, IBE uses identifiable information such as email addresses or user IDs as public keys. A trusted third party generates private keys based on this identifying information.
  4. Attribute-Based Encryption (ABE): ABE allows encryption and decryption based on specific attributes or policies rather than relying solely on keys. It enables access control based on attributes associated with users or data.
  5. Direct Anonymous Attestation (DAA): Primarily used in digital rights management and anonymous authentication scenarios, DAA allows a device to prove its identity or properties without revealing its exact identity.
  6. Blockchain-Based Identity Models: Blockchain technology offers decentralized and tamper-resistant identity verification. Self-sovereign identity models utilize blockchain for secure, user-controlled digital identities.

Since PKI is the most popular of the models above, let’s dive into it first.

PKI model:

There are plenty of new terms that you likely don’t know yet but should when roaming around this side of the world. Below is a stripped-down, minimal version of them.

[Image © DSS documentation]

The concept you should know about the above process is this: when you sign a document, it has to be modified by adding some extra data to it, along with some metadata used to verify the signing.

In the real world, when you sign something on paper, it is legal to say the document is signed and valid if someone else also signs and verifies your original signature. A second and/or third person acts as the authority that verifies it.

Below are the steps we follow when we do the same thing in the digital world, following the PKI model.

1. Preparation:

Document Creation: A document that needs to be signed electronically is created in PDF format.

2. Signature Creation Process:

  1. Hashing: The document’s content is hashed using a cryptographic hash function (like SHA-256). This generates a fixed-length string of characters unique to the document’s content.
  2. Private Key: The signer uses their private key to create a digital signature. The private key is part of their digital certificate issued by a Certificate Authority (CA) in compliance with DSS.
  3. Signing: The hash value is encrypted with the signer’s private key, creating the digital signature. This signature is unique to both the document content and the signer.

3. Embedding the Signature:

  1. Signature Embedding: The digital signature is embedded within the PDF document, usually in a designated signature field. This includes the signature itself, signer’s information, timestamp, and certificate details.

4. Verification Process:

  1. Document Retrieval: The signed document is opened by a recipient or verifier.
  2. Signature Extraction: The digital signature is extracted from the document.
  3. Hash Recalculation: The original document content is hashed again using the same algorithm used during signing (e.g., SHA-256).
  4. Public Key Retrieval: The signer’s public key, usually included in their digital certificate, is retrieved. This certificate might be obtained from a trusted repository or through the document’s embedded information.
  5. Decryption: The extracted signature is decrypted using the signer’s public key, which yields the original hash value.
  6. Comparison: The recalculated hash from the document content is compared to the decrypted hash obtained from the signature. If they match, the document is unaltered, and the signature is considered valid. Otherwise, it indicates potential tampering or forgery.
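
The signing and verification steps above, as an added example that is not from the original article or from DSS: it uses Node.js's built-in `crypto` module with RSA PKCS#1 v1.5 and SHA-256, and spells the verifier out by hand next to the library call a real verifier would use. Assumptions: a throwaway key pair stands in for a CA-issued certificate, a constructed byte string stands in for the PDF content, and `signDocument`, `verifyByHand` and `demo` are names chosen for the illustration.

```javascript
const nodeCrypto = require('node:crypto');

// ASN.1 DigestInfo header that PKCS#1 v1.5 places in front of a SHA-256 hash.
const SHA256_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');

// Constructed sample content; a real PDF signature covers byte ranges of the file.
const SAMPLE_DOC = Buffer.from('Constructed sample contract: Alice pays Bob 100 EUR.');

// Signer (steps 2.1-2.3): SHA-256 over the content, then the RSA private-key operation.
function signDocument(doc, privateKey) {
  return nodeCrypto.sign('sha256', doc, privateKey);
}

// Verifier (steps 4.3-4.6) written out by hand to mirror the article.
function verifyByHand(doc, signature, publicKey) {
  let recovered;
  try {
    // "Decryption": the RSA public-key operation strips the PKCS#1 v1.5 padding
    // (publicDecrypt's default) and returns the DigestInfo the signer produced.
    recovered = nodeCrypto.publicDecrypt(publicKey, signature);
  } catch {
    return false; // malformed signature or wrong key
  }
  const recalculated = nodeCrypto.createHash('sha256').update(doc).digest();
  const expected = Buffer.concat([SHA256_PREFIX, recalculated]);
  return recovered.length === expected.length &&
    nodeCrypto.timingSafeEqual(recovered, expected);
}

// Runs the whole flow with throwaway key pairs; no certificate or CA is involved.
function demo() {
  const signer = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const signature = signDocument(SAMPLE_DOC, signer.privateKey);
  const tampered = Buffer.from(SAMPLE_DOC.toString().replace('100', '900'));
  return {
    byHand: verifyByHand(SAMPLE_DOC, signature, signer.publicKey),
    library: nodeCrypto.verify('sha256', SAMPLE_DOC, signer.publicKey, signature),
    tamperedDoc: verifyByHand(tampered, signature, signer.publicKey),
    wrongKey: verifyByHand(SAMPLE_DOC, signature, other.publicKey),
  };
}

console.log(demo());
```

A match here only shows that the content is unaltered and was signed with the key paired with that public key; tying the key to a person still requires validating the signer's certificate chain up to a trusted CA.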

Visualize the flow using the below sketch:

[Image © signNow]

Glossary:

DSS:

DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation.
DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation.

SCD:

Signature Creation Device. There are plenty of authorised organisations/companies who are eligible with SCD.

Certificate Authority (CA):

A trusted entity responsible for issuing digital certificates.
CAs verify the identity of individuals or entities and bind their public keys to their identities through digital certificates.
