Simplified overview of how digital signatures work

Digital signatures require an asymmetric key pair that consists of a public key and a private key.

These keys are large numbers that are mathematically related. These keys are used to encrypt and decrypt documents. The private key is kept confidential by the owner. It is usually stored on secure media, such as a crypto smart card or a crypto token. The public key is shared with everyone.

To digitally sign an electronic document, senders use their private key (encryption). To verify the digital signature, the recipients use the sender’s public key (decryption).

This diagram shows how digital signatures ensure authenticity, integrity and non-repudiability:

Example

This simplified example shows how the concept of digital signatures works.

You want to send a contract to a business partner. You want to give your business partner these assurances:

  • The contract has not been changed during transmission.
  • The contract originates from you.
  • The contract is sent at a certain moment in time.

To create the contract so that it holds a digital signature:

  1. Create a contract in LN.
  2. Print the contract to get the electronic form of the contract as a document, for example as a PDF file.
  3. Use special software to create a message digest, also known as ‘hash’, of the contract.
  4. Use your private key to encrypt the message digest.
  5. The encrypted message digest becomes your digital signature of the contract and is appended to the contract.
  6. Optionally, your Digital Signature Certificate (DSC) is also appended to the contract so that your business partner can validate the contract more quickly.

At the other end, your business partner receives the contract, for example through an email message:

  1. To validate that the contract is intact and originates from you, your business partner generates a message digest of the received contract.
  2. Your business partner uses your public key to decrypt the digital signature that was received with the contract. The public key is obtained from the embedded DSC or through the public channels.
  3. If the message digest that is generated from the digital signature matches the message digest that was generated in step 1, the integrity of the received contract is verified.
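The signing and validation steps above can be followed in code. This is an added example, not part of the original documentation or of LN: it uses textbook RSA without padding to mirror the simplified model on this page, whereas real signature software adds a padding scheme such as PKCS#1 v1.5 or PSS. The key (built from two publicly known primes), the contract text and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy key pair: P and Q are publicly known Mersenne primes,
# so this key offers no security and only serves the demonstration.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent (shared with everyone)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (kept by the owner)


def digest(document: bytes) -> int:
    """Message digest (SHA-256) of the document, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Sender, steps 3-5: hash the document, then apply the private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient, steps 1-3: recompute the digest, recover the signed
    digest with the public key, and compare the two."""
    if not 0 <= signature < N:         # reject values outside the key's range
        return False
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    contract = b"Contract 4711: deliver 100 units at EUR 25.00 each"  # constructed
    signature = sign(contract)
    tampered = contract.replace(b"25.00", b"52.00")   # changed in transmission
    return {
        "genuine": verify(contract, signature),
        "tampered": verify(tampered, signature),
        "wrong_signature": verify(contract, (signature + 1) % N),
    }


if __name__ == "__main__":
    print(demo())
```

A changed contract or a changed signature both fail validation, because the digest recovered from the signature no longer matches the digest of the received document.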

Message digest

A message digest is also known as the hash of a message. This is a small piece of data that is generated when a specific mathematical calculation, a hashing function, is applied on that message.

Message digests have these important characteristics:

  • A small alteration in the original message causes a big change in the message digest.
  • You cannot derive the original message from the message digest.

The message digest that is produced from these functions is a fixed-length bit string. The widely used SHA-1 message digest function generates a 160-bit message digest. The SHA-2 function generates a 256-bit message digest as output.