Entrust Resources

Digital Signatures

How do they work?

A digital signature can be thought of as a numerical value, represented as a sequence of characters, and computed using a mathematical formula. The formula depends on two inputs: the sequence of characters representing the electronic data to be signed, and a secret number, referred to as a signature private key, which is associated with the signing party and to which only that party has access. (A matching public key, which can be published for everyone to see, like a phone number in a phone directory, allows signature verification.) The resulting computed value, representing the digital signature, is then attached to the electronic data just as a paper signature becomes part of a paper document.

[Figure: Digital Signature Process]

This has two critical results:

  1. The digital signature can be uniquely associated with the exact document signed, because the first input is the precise sequence of characters representing that data.
  2. The signature can be uniquely associated with the signing individual, because the second input is the private key that only that individual controls.

Verifying the authenticity of a digital signature also relies on a formula. Here the formula depends on three inputs: the sequence of characters representing the electronic data that was purportedly signed, the public key of the signing party, and the value presented as the authentic digital signature. The formula produces as output a simple answer: yes or no. 'Yes' signifies that the digital signature is indeed an authentic digital signature on the presented electronic data, and is associated with the party linked to the public key used.
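The signing and verification formulas described above, as an added example that is not Entrust's code: it assumes Ed25519 from the Go standard library as the signature algorithm, since the page names none. SignedDoc, Sign, Verify and Demo are hypothetical names, and the payment text is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// SignedDoc is the electronic data with its signature attached (hypothetical type).
type SignedDoc struct{ Data, Signature []byte }

// Sign uses the two inputs: the exact bytes of the data and the signer's private key.
func Sign(priv ed25519.PrivateKey, data []byte) SignedDoc {
	return SignedDoc{Data: data, Signature: ed25519.Sign(priv, data)}
}

// Verify takes the three inputs (data, public key, signature) and answers yes or no.
func Verify(pub ed25519.PublicKey, doc SignedDoc) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify would panic on a wrong-length key
	}
	return ed25519.Verify(pub, doc.Data, doc.Signature)
}

// Demo returns the verifier's answer for four constructed cases.
func Demo() map[string]bool {
	signerPub, signerPriv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(nil) // an unrelated party's key pair
	if err != nil {
		panic(err)
	}
	doc := Sign(signerPriv, []byte("Pay 100 EUR to Bob")) // constructed sample data
	altered := SignedDoc{Data: []byte("Pay 900 EUR to Bob"), Signature: doc.Signature}
	badSig := SignedDoc{Data: doc.Data, Signature: append([]byte{}, doc.Signature...)}
	badSig.Signature[0] ^= 0x01 // flip one bit of the copied signature
	return map[string]bool{
		"original":          Verify(signerPub, doc),
		"altered data":      Verify(signerPub, altered),
		"other public key":  Verify(otherPub, doc),
		"altered signature": Verify(signerPub, badSig),
	}
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-18s -> %v\n", name, ok)
	}
}
```

Only the first case verifies: changing the data, the public key or the signature value makes the answer "no", which is what ties the signature to both the exact document and the signer's key.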

The Process of Creating a Digital Signature includes:

  1. capturing the entire context of the electronic transaction or document, and precisely what the signer is committing to;
  2. ensuring that the data displayed to the user accurately reflects the data to be digitally signed;
  3. requiring the user to signal an understanding of the commitment being made, and a desire to be bound to this;
  4. authenticating the user in order that the user's private key becomes available to the signing device;
  5. computing the signature based on the signer's private key and the data being signed;
  6. optionally, a timestamp server appending a time-date field to the data and the signer's signature and then signing the result; and
  7. forwarding the signed transaction for processing, storage, or subsequent verification.