What is a Digital Signature

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. As the digital equivalent of a handwritten signature or stamped seal, a digital signature offers far more inherent security, and it is intended to solve the problem of tampering and impersonation in digital communications. Digital signatures can provide the added assurances of evidence of origin, identity and status of an electronic document, transaction or message and can acknowledge informed consent by the signer.

In many countries, including the United States, digital signatures are considered legally binding in the same way as traditional document signatures.

How digital signatures work

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm, such as RSA, one can generate two keys that are mathematically linked: one private and one public. Digital signatures work because public key cryptography depends on two mutually authenticating cryptographic keys. The individual who is creating the digital signature uses their own private key to encrypt signature-related data; the only way to decrypt that data is with the signer’s public key. This is how digital signatures are authenticated.

Digital signature technology requires all the parties to trust that the individual creating the signature has been able to keep their own private key secret. If someone else has access to the signer’s private key, that party could create fraudulent digital signatures in the name of the private key holder.

How to create a digital signature

To create a digital signature, signing software — such as an email program — creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash — along with other information, such as the hashing algorithm — is the digital signature.

The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time as hashing is much faster than signing. The value of a hash is unique to the hashed data. Any change in the data, even a change in a single character, will result in a different value. This attribute enables others to validate the integrity of the data by using the signer’s public key to decrypt the hash.

If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed. If the two hashes don’t match, the data has either been tampered with in some way — integrity — or the signature was created with a private key that doesn’t correspond to the public key presented by the signer — authentication.
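The hash-then-sign and verify steps described above, as an added example (not code from the original page), using unpadded textbook RSA so that the "encrypt the hash with the private key" wording maps directly onto the arithmetic. The key pairs are constructed from well-known Mersenne primes and the sample document is made up; production software uses randomly generated keys and a padded scheme such as RSASSA-PSS from a vetted library.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes (constructed demo values)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E mod phi(n)
    return (n, E), (n, d)              # (public key, private key)

def digest_int(data: bytes) -> int:
    """One-way hash of the data: always 256 bits, whatever the input size."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private_key) -> dict:
    n, d = private_key
    # "Encrypt the hash with the private key" is a modular exponentiation with d.
    # The hash algorithm travels with the value, as the text describes.
    return {"hash_alg": "sha256", "value": pow(digest_int(data), d, n)}

def verify(data: bytes, signature: dict, public_key) -> bool:
    n, e = public_key
    if signature.get("hash_alg") != "sha256" or not 0 <= signature["value"] < n:
        return False
    recovered = pow(signature["value"], e, n)  # "decrypt" with the public key
    return recovered == digest_int(data)       # compare with a freshly computed hash

# Constructed keys: Mersenne primes are used only because they are known primes.
SIGNER_PUB, SIGNER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**127 - 1, 2**521 - 1)

def demo() -> dict:
    doc = b"Pay 100 EUR to account 12345"  # constructed sample document
    sig = sign(doc, SIGNER_PRIV)
    return {
        # Untouched document, matching key: the two hashes agree.
        "valid": verify(doc, sig, SIGNER_PUB),
        # One character changed: the recomputed hash differs (integrity).
        "tampered": verify(b"Pay 900 EUR to account 12345", sig, SIGNER_PUB),
        # Signed with a different private key (authentication).
        "wrong_key": verify(doc, sign(doc, OTHER_PRIV), SIGNER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```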

A digital signature can be used with any kind of message — whether it is encrypted or not — simply so the receiver can be sure of the sender’s identity and that the message arrived intact. Digital signatures make it difficult for the signer to deny having signed something — assuming their private key has not been compromised — as the digital signature is unique to both the document and the signer and it binds them together. This property is called nonrepudiation.

Digital signatures are not to be confused with digital certificates. A digital certificate, an electronic document that contains the digital signature of the issuing certificate authority, binds together a public key with an identity and can be used to verify that a public key belongs to a particular person or entity.

Most modern email programs support the use of digital signatures and digital certificates, making it easy to sign any outgoing emails and validate digitally signed incoming messages. Digital signatures are also used extensively to provide proof of authenticity, data integrity and nonrepudiation of communications and transactions conducted over the internet.

Classes of digital signatures

There are three different classes of Digital Signature Certificates:

  • Class 1: Cannot be used for legal business documents as they are validated based only on an email ID and username. Class 1 signatures provide a basic level of security and are used in environments with a low risk of data compromise.
  • Class 2: Often used for e-filing of tax documents, including income tax returns and Goods and Services Tax (GST) returns. Class 2 digital signatures authenticate a signee’s identity against a pre-verified database. Class 2 digital signatures are used in environments where the risks and consequences of data compromise are moderate.
  • Class 3: The highest level of digital signatures. Class 3 signatures require a person or organization to appear in person before a certifying authority to prove their identity before signing. Class 3 digital signatures are used for e-auctions, e-tendering, e-ticketing, court filings and in other environments where threats to data or the consequences of a security failure are high.

Uses of digital signatures

Industries use digital signature technology to streamline processes and improve document integrity. Industries that use digital signatures include:

Government – The U.S. Government Publishing Office publishes electronic versions of budgets, public and private laws and congressional bills with digital signatures. Digital signatures are used by governments worldwide for a variety of uses, including processing tax returns, verifying business-to-government (B2G) transactions, ratifying laws and managing contracts. Most government entities must adhere to strict laws, regulations and standards when using digital signatures.

Healthcare – Digital signatures are used in the healthcare industry to improve the efficiency of treatment and administrative processes, to strengthen data security, for e-prescribing and hospital admissions. The use of digital signatures in healthcare must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Manufacturing – Manufacturing companies use digital signatures to speed up processes, including product design, quality assurance (QA), manufacturing enhancements, marketing and sales. The use of digital signatures in manufacturing is governed by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) Digital Manufacturing Certificate (DMC).

Financial services – The U.S. financial sector uses digital signatures for contracts, paperless banking, loan processing, insurance documentation, mortgages, and more. This heavily regulated sector uses digital signatures with careful attention to the regulations and guidance put forth by the Electronic Signatures in Global and National Commerce Act (E-Sign Act), state UETA regulations, the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC).

General Security Principle: Introduction

The CIA triad is a core principle of information security for the safe use, flow, and storage of information. CIA stands for confidentiality, integrity, and availability, and these are the three main objectives of information security.

  • The Application Access Layer describes the notion that access to end-user applications has to be constrained to business need-to-know.
  • The Infrastructure Access Layer describes the notion that access to infrastructure components has to be constrained to business need-to-know. For instance, access to servers.
  • The Physical Access Layer describes the notion that the physical access to any system, server, computer, data centre, or another physical object storing confidential information has to be constrained to business need-to-know.
  • The Data In Motion Layer describes the notion that data ought to be secured while in motion.
  • This little icon in the middle of the illustration shows the centre of information security and the reason for the emergence of the CIA principles; the icon represents information and represents the need to protect sensitive information.

Confidentiality

The aim of confidentiality is to ensure that information is hidden from people who are not authorized to access it. The confidentiality principle dictates that information should be viewed only by people with appropriate and correct privileges. The science (and art) used to ensure data confidentiality is cryptography, which involves encryption and decryption methods.

Confidentiality can be easily breached, so each employee in an organization or company should be aware of their responsibilities in maintaining the confidentiality of the information entrusted to them for the exercise of their duties. For instance, an employee who allows someone to glimpse their computer screen while it is displaying confidential information may already have committed a breach of confidentiality.

Furthermore, confidentiality and privacy are often used interchangeably. Below, we discuss cryptography and effective ways of protecting confidentiality, and we have included some tips on confidentiality agreements.

Cryptography

The beginnings of cryptography can be traced back thousands of years. However, contemporary cryptography differs substantially from the classic kind, which used pen and paper for encryption and was far less complex. The introduction of the Enigma rotor machine and the subsequent emergence of electronics and computing enabled the use of much more elaborate schemes and allowed confidentiality to be protected much more effectively.

Encryption is an accepted and effective way of protecting data in transit but is increasingly being used for protecting data at rest as well. The Computer Security Institute published the results of a survey in 2007, which showed that 71% of the businesses used encryption for various data in transit while 53% used encryption for selections of data at rest. Furthermore, there are different techniques for preserving confidentiality depending on whether the data is in motion, at rest or a physical object. Naturally, access controls are also a necessity for maintaining confidentiality. Access controls can consist of passwords, biometrics, or a mixture of both. As regards physical data, its means of protection are somewhat similar: access to the area where the information is kept may be granted only with the proper badge or another form of authorization, it can be physically locked in a safe or a file cabinet, and there could be access controls, cameras, security, etc.

Encryption consists of transforming the data in files into characters that are unreadable unless a key to decode the file is provided. In manual encryption, the user runs software and initiates the encryption. In transparent encryption, the encryption happens automatically without any intervention on the part of the user.

Symmetric encryption works by applying character substitution with a key, and that key is the only means of decrypting the information. Conversely, asymmetric encryption is used when there are two keys, a public key and a private key. Any person may encrypt the information with the public key, but it can only be decrypted by the holder of the private key.

Symmetric Vs Asymmetric Encryption

It’s important to first understand encryption before we get into the main topics of this piece. Encryption is a method or mechanism that lets you hide your message or data in such a way that only authorized people can access it. The origins of encryption can be traced back to the times of Julius Caesar. Caesar used this method to send his private and confidential messages. Caesar’s method, normally known as Caesar’s Cipher, is one of the simplest methods of encryption. Compared to it, today’s encryption systems are much more complex and advanced. Today, extremely complex algorithms are employed to convert readable information into an unintelligible format.

Once encrypted, the message or data can only be decrypted using the proper keys, known as ‘Cryptographic Keys’. Basically, a cryptographic key is a password that is used to encrypt and decrypt information. There are two types of cryptographic keys: the Symmetric Key and the Asymmetric Key.

Symmetric Encryption:

Symmetric encryption is the traditional form of encryption. It is also the simpler of the two techniques. Symmetric encryption is accomplished by means of only one secret key, known as the ‘Symmetric Key’, that is held by both parties. This key is used both to encode and to decode the information. The sender uses this key to encrypt the message before sending it, and the receiver uses it to decrypt the encoded message.

This is a pretty straightforward method and, as a result, it doesn’t take much time. When it comes to moving large amounts of data, symmetric keys are favoured. Caesar’s Cipher happens to be a good example of symmetric encryption. Modern symmetric encryption is implemented using algorithms such as RC4, AES, DES, 3DES, QUAD, Blowfish etc.

The most common use of symmetric encryption comes once an encrypted connection has been negotiated between a client and a server with an SSL certificate installed. Once the connection is established, two 256-bit session keys are created and exchanged so that encrypted communication can ensue.

Asymmetric Encryption:

Asymmetric encryption is a comparatively new and complex mode of encryption. It is complex because it uses two cryptographic keys to implement data security. These keys are called a Public Key and a Private Key. The public key, as the name suggests, is available to everyone who needs to send a message. The private key, on the other hand, is kept in a secure place by the owner of the public key.

The public key encrypts the data to be sent, using a specific algorithm to do so. The private key, which is in the possession of the receiver, decrypts it. The same algorithm is behind both these processes.

The involvement of two keys makes asymmetric encryption a complex technique. Thus, it proves to be enormously beneficial in terms of data security. Diffie-Hellman and RSA are the most extensively used algorithms for asymmetric encryption.
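The two sections above combined into one added example (not code from the original page): a fresh 256-bit session key encrypts the bulk data symmetrically, and only that short key is encrypted with the receiver's public key. The keystream cipher, the unpadded RSA and the Mersenne-prime key are constructed teaching stand-ins for vetted algorithms, and the flow is a simplified model, not the SSL/TLS handshake.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher, constructed for this example as a stand-in for AES.
    XORs data with SHA-256(key || nonce || counter); the same key and the
    same function both encrypt and decrypt."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Receiver's asymmetric key pair (constructed from known Mersenne primes).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                           # N and E are public
D = pow(E, -1, (P - 1) * (Q - 1))   # D stays with the receiver

def sender_encrypt(message: bytes, public_n: int, public_e: int) -> dict:
    session_key = secrets.token_bytes(32)  # fresh 256-bit symmetric key
    nonce = secrets.token_bytes(12)
    # Asymmetric step: anyone holding the public key can wrap the session key.
    wrapped = pow(int.from_bytes(session_key, "big"), public_e, public_n)
    # Symmetric step: the bulk data is encrypted with the fast shared-key cipher.
    return {"wrapped_key": wrapped, "nonce": nonce,
            "ciphertext": keystream_xor(session_key, nonce, message)}

def receiver_decrypt(packet: dict, private_d: int, n: int) -> bytes:
    # Only the private key recovers the session key ...
    session_key = pow(packet["wrapped_key"], private_d, n).to_bytes(32, "big")
    # ... after which the same symmetric key decrypts the data.
    return keystream_xor(session_key, packet["nonce"], packet["ciphertext"])

def demo() -> bool:
    message = b"constructed sample payload " * 20  # made-up bulk data
    packet = sender_encrypt(message, N, E)
    return receiver_decrypt(packet, D, N) == message

if __name__ == "__main__":
    print(demo())
```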

This piece has covered some of the fundamentals of symmetric and asymmetric encryption in a very simple and abstract way.