A digital signature helps you prove something (such as an email, file or executable) is legitimate and not fake. We’ll break down how digital signatures work to protect your organization’s communications, data and software integrity
Netskope’s July 2021 data shows that malware delivered via the cloud has reached new record-setting levels. So, what are the two biggest culprits in terms of facilitating malware downloads? Cloud storage apps (66.4%) and malicious Office files (43%).
In a time when we’re dealing with astronomical levels of phishing and cyber scams, being able to verify someone (or something such as an email or a software update) is legitimate is crucial. Public key signatures — or what are known as PKI digital signatures — are one such tool in your arsenal to battle cybercriminals’ evolving scam tactics.
Now, we’re not going to get into the technical details of what a public key signature is or why PKI signatures matter to your business. (We recently covered that information in another article, which we’ve linked to in the previous sentence.) Here’s a quick overview and then we’ll jump straight into talking about how digital signatures work:
- A digital signature is a type of electronic signature that binds your digital identity to a piece of data (i.e., a PKI digital certificate and a cryptographic key).
- Digital signatures are created using cryptographic techniques that are supported by public key infrastructure.
- Your digital signature can be applied to everything from software executables and Microsoft Office files to emails and even website connections.
- Digitally signing files and software identifies you (authentication) and helps you assert your identity in a way that ensures no one can say it wasn’t you (non-reputation).
- Adding a digital signature helps to protect the integrity of your files and data by providing a way for users to verify whether it’s been altered since you signed it.
Got that? Good. Now that we know what a PKI signature is and why it matters, let’s answer the question that you came here for: how do digital signatures work?
Let’s hash it out.
How Do Digital Signatures Work? A Brief Overview
In a nutshell, a digital signature works by serving as an irrefutable piece of data that proves your digital identity and the authenticity of your communication. In other words, it proves:
- The digital identity of the author (of the email, file, or other item in question), and
- The authenticity of the communication (i.e., that the email, file, or software hasn’t been tampered with since the author signed it).
Digital signatures can be easily verified by the recipients’ computers or servers, and they cannot be faked by hackers.
Digital signatures are a key component of various types of PKI digital certificates. As a quick example, take a look at the certificate chain of trust for SSL/TLS certificates. The SSL/TLS certificate for the domain TheSSLStore.com uses a digital signature to prove that it’s a valid certificate that was issued by a legitimate certificate authority (i.e., DigiCert). The domain’s certificate was digitally signed by the DigiCert SHA2 Extended Validation Server CA, which is signed by DigiCert’s High Assurance EV Root CA.
But how does all this work? Since this topic can get pretty technical, we’re going to start with a quick (general) overview of how digital signing works before getting into the heavy stuff for our more technical readers.
For example, you can use a document signing certificate to sign Microsoft Office files and PDFs. Let’s quickly explore what happens is this basic process:
- Take the file that you want to digitally sign and apply a hashing algorithm to it. This part of the digital signature process involves generating a hash value (i.e., an output that’s a fixed-length string of characters) to uniquely identify the file. You can create a hash digest from a file, but you can’t create a file from the hash value.
- Use your document signing certificate’s cryptographic private key to encrypt that hash value. This generates your digital signature, which can also include a timestamp that shows the precise date and time when you digitally signed the file.
- Send your public key and certificate along with the digitally signed file to your recipient. Because cryptographic keys come in pairs, your email recipient can use your public key to verify the digital signature. Your computer will then generate a hash digest and compare this hash value against the hash value in the signature. This allows you to know that the file is authentic and hasn’t been altered since you signed it. (If the file was changed, the hash value would change also.)
I know, that’s a lot of “hash value” this and “digital certificate” that to follow… we’ll speak more about each of those components momentarily. But first, let’s consider a quick analogy to help you understand what a digital signature does in terms of data integrity and identity assurance…
A Digital Signature Is Like Your Driver License’s Security Measures
Using a digital signature to sign your files or software is akin to the fraud protection measures you’ll find on a driver’s license or ID card here in the U.S. This component affirms that this piece of identification was issued by an authority (i.e., your state’s Department of Motor Vehicles) and that it’s authentic.
If you have this card, other parties who don’t know you personally can trust that your identity is legitimate. Why? Because they know that you had to provide several pieces of verifying information to prove your identity before the DMV would issue the card.
These ID cards contain informational and visual components that help you verify the authenticity of your identity, including:
- Your full legal name,
- Physical identifying information (photograph, date of birth, and height),
- Your verifiable residential address,
- The driver’s license number that’s unique to you,
- A card issuance date and expiration date, and
- Security markers (holographic components, ultraviolet ink, etc.).
If you have an ID card that is missing any of this information or doesn’t feature the fraud protection measures, you know that the ID may not be authentic and can’t be trusted.
The big takeaway here is that a digital signature allows the other party you’re communicating with (or the person who downloads your software or files) to know that it’s legitimate and hasn’t been modified without your knowledge or approval.
Now, Let’s Take a Look at the Components Involved in Digital Signatures…
Now that we have a general understanding of how digital signatures work, it’s time to familiarize ourselves with the components that are central to the digital signature process.
- PKI digital certificate — This small digital file serves as your digital identifier and carries verified organizational information relating to a cryptographic key (which we’ll also discuss momentarily). PKI digital certificates come in multiple forms that serve different purposes:
- Website security certificate (SSL/TLS certificate):This is the type of certificate that you use to assert your organizational identity on servers, websites, and web apps. It also helps you secure your data and connections using encryption.
- Document signing certificate: This certificate allows you to digitally sign your documents to ensure users that your file is legitimate and hasn’t been modified in any way. These certificates are offered as individual validation and organizational validation options. Some document signing certificates, such as those offered by DigiCert, offer two-factor authentication. This provides an added layer of security by requiring you to enter a password and use a USB token to prove your identity when digitally signing a file.
- Code signing certificate: A code signing certificate is a nifty file that enables you to digitally sign your software, scripts, and other executables. Why? So, people know that the software — or any updates you release — were created by you and not some schmuck who wants to infect their device with malware.
- Email signing certificate (S/MIME certificate): This type of PKI digital certificate allows you to digitally sign your emails while also offering the additional benefit of encrypting sensitive emails. For this to work, both you and your recipient must use email signing certificates, and you’ll use the recipient’s public key to encrypt the message, which they’ll decrypt using their corresponding private key.
- Cryptographic keys (public and private) — Every key pair, which contains a public and a private key, is tied to your digital identity. Both keys are unique strings of characters that allow you to perform cryptographic functions like encryption, hashing, etc. The private key is one you keep to yourself (secret), whereas the public key is something that you’ll give to other parties (i.e., it’s available to virtually everyone) as it’s included in your digital certificate.
- Encryption — Encryption is a two-way cryptographic process that takes plaintext data (i.e., readable information) and uses a key to scramble it into an unrecognizable form. This process protects data by ensuring that only authorized users (i.e., the person with the decryption key) can decrypt and access that information. Even if someone gains access to encrypted data, they can’t do anything with it without that secret key.
- Hash algorithm — A hash algorithm, or what’s also known as a hash function, is a type of mathematical equation that takes your input data and maps it to a data string of a specific length. Hashing is a cryptographic process that’s often confused with encryption. Unlike encryption, hashing is a one-way function, meaning that you can use it to generate a hash value, but it’s infeasible to use that hash value to reverse engineer it to get the original input. (Encryption, on the other hand, is meant to be reversed using the secret decryption key.) Examples of common hashing algorithms include MD5, SHA-256, and SHA-384.
- Hash value — This is a fixed-length string of characters that you generate by applying a hashing algorithm to the file or communication you digitally sign. For example, the single word “boomerang” would generate a hash value of the same length as all the text from the Lord of the Rings book series combined.
How Digital Signatures Work: Exploring the Signing & Verification Processes In Depth
The digital signing process is a mix of cryptographic functions. In this case, it uses both hashing and encryption as part of the process to help you protect the integrity of the data and assert your organization’s identity in a way that your recipient can verify.
As mentioned earlier, digital signatures can be applied to email communications, code for executables and software, and various types of files (such as PDFs and Office files). Let’s say you need to generate a contract for a new customer and want to have a way to prove that you created the document and that it’s authentic. We already briefly touched on the digital signing process earlier in this article, but now, it’s time to look at its specifics more in depth.
For this example, we’ll explore how to digitally sign a PDF file. After that, we’ll break down how to verify that the signature is legitimate and that the file hasn’t been modified since you signed it. (Note: The first three steps apply to you as the file creator. Steps four and five really apply to the person who downloads your file and needs to verify its authenticity.)
Step One: Create the PDF File You Want to Sign
You can’t digitally sign something without first creating it. Create that communication or document first and ensure that it’s in tip-top shape. (After all, once you sign the document, you can’t make any changes without having to re-sign the file because) once that’s ready to go, move on to step two.
Step Two: Apply Your Digital Signature to Your Files or Communications
For this part of the process, you’ll take the PDF file that you wish to digitally sign (input) and apply a hashing algorithm to it. For example, you could use the SHA-256 hashing algorithm for this task, which will generate a hash value (output) of 256 bits. This will be visually represented by a fixed-length string of 64 hexadecimal characters.
Of course, the cryptographic processes occur in the background when you’re signing PDFs in Adobe. It’s kind of like the process of how sausages are made — you don’t necessarily need to see the process to know that the results are good. (Then again, using that analogy, it’s often better to NOT see the process so you can continue enjoying the taste of the sausage without thinking about what went into making it!)
Here’s an example of what a PDF digital signature looks like in Adobe Acrobat:
Here’s a quick screenshot as well of the certificate details information, which shows that the certificate is intended to serve as means for adding a digital signature.
But if you’re curious as to what this type of process looks like, here are the steps that happen behind the scenes. Let’s consider an example of how this would work in Windows PowerShell. Say, you apply a hash function such as a SHA-256 to your PDF file. This will result in it spitting out a random hash digest like the following:
To generate your hash value using the SHA-256 hashing algorithm, use the command illustrated above:
get-filehash -algorithm SHA256 [file-you-want-to-hash]
Step Three: Encrypt the Hash Value Using Your Private Key
Next comes the fun part, which requires the use of a PKI document signing certificate and its corresponding cryptographic keys. Once you’ve generated the hash value of your PDF file, you’ll want to use your private key to encrypt the hash value. This process creates your PKI digital signature, which ensures the integrity of your file.
Remember the example diagram we shared earlier? Here’s a basic illustration of how this process looks by building upon that process from earlier:
That’s it for the digital signing process itself. Once these two steps are complete and you have your digitally signed PDF file, you can put the document to use however you planned. For example, when you send the file to your customer, you’ll include with it a copy of your public key, which will come in handy for them in the next steps.
Now, let’s explore how your recipient can use this digital signature to verify your identity and the file’s authenticity.
Step Four: Decrypt the Hash Value of the Encrypted File or Email
Now, this next part happens partially on the backend, out of the view of the user who receives the file. When they download or receive your digitally signed PDF file, their server will also receive your document signing certificate’s public key. They can use this key to decrypt the digital signature to gain access to your document’s hash value. This brings us to our next step…
Step Five: Generate a New Hash Value & Compare It to the Hash Value from the Document
Alright, this last section will talk about how to check whether the file’s hash value is legitimate. When you digitally sign your PDF using Adobe, this process occurs in the background. But if you were to do this process manually, it would involve generating a hash value of the file and comparing it to the file’s known hash value.
Many companies often provide file checksum information on their website. Users can use this information in the next step that involves comparing the hash value they generate to the one the company provides.
How to Check a File’s Checksum Manually Using Windows PowerShell
If you’re one of those do-it-yourself types or someone who doesn’t trust the automated process, no worries. You can check the hash value yourself. To check the hash value of your file against the known hash digest, use the following command in Windows PowerShell:
certutil -hashfile [file-you-want-to-check] [hash algorithm]
It’ll look something like the following example, which confirms that the hash value is the same as the one used in our example in step two:
Check out this quick how-to video that will walk you through the process in Windows PowerShell:
What Happens If the Hashes Don’t Match?
Now, if one or both of these results fail — for example, the hash value you generate doesn’t match the known hash value of the file — then it means that the file integrity hasn’t been proven. This will trigger an error message that basically warns you that the file may be compromised. So, if you decide to trust that file after receiving that message, you’re doing so at your own risk.
What a Digitally Signed File Looks Like
Below, you’ll find a couple of quick examples of information you’ll see when you receive a digitally signed PDF. (Thanks to our friends at DigiCert for providing these example graphics!):
Final Thoughts on How Digital Signatures Work & How They Help Your Business
We hope that this article has sufficiently answered your question, “how do digital signatures work?” To quickly summarize:
- Digital signatures are a way for you to assert your individual or organizational digital identity and ensure file integrity.
- These types of electronic signatures have many applications, including being applied to emails, files, and software.
- Digital signatures — and the verification of these security attributes — are possible thanks to digital certificates, cryptographic keys, and the public key infrastructure that supports them.
Needless to say, whether you’re looking to protect the integrity of your software, provide assurance to customers that your invoices are legitimate, digital signatures are playing an increasingly important role in digital security.