When it comes to implementing eSignatures, the benefits over paper-based, wet-ink signatures tend to be obvious- decreased operating costs, reduced paper wastage, speeding up document signing and delivery, and eliminating wastage of time.
A digital signature website can help your business eliminate many of the challenges that are witnessed in the typical paper document signing processes.
That being said, it is also important for organizations to understand what goes behind the scenes when adopting digital signatures including the application process and the verification.
Applying the Signature
When you are using digital signature solutions, you will find the session where you are asked to click ‘sign’. When you tap that button, there is a unique digital fingerprint known as a hash created for the document. A hash is created using an algorithm and it’s specific to the particular document you are signing. What this means is that a slight change in the document would lead to a different hash.
Once the hash has been created, it is encrypted using what is referred to as the private key of the signer. It is the signer’s public key along with the encrypted hash of the particular document that is combined to form what is known as a digital signature. This digital signature is then appended on the document.
With the digital signature on the document, you have a document that is digitally signed and is ready for distribution.
Verification of the Signature
In using a digital signature app, when you send a document to a signer to sign, they will open it. It may also be you who opens the documents. When you open the doc using a program that is digital signature-capable like Adobe Reader or Microsoft Office, the program will automatically use the public key of the signer that was added into the digital signature along with the document to be able to decrypt the hash of the doc. The program you are using to open or read the document will calculate a new hash intended for the same document. In the event that a new hash matches the hash that was decrypted, the program will know that the doc was not altered and it will display messages like, “The doc hasn’t been modified from the time the signature was applied.”
Also, the program validates the documents to see if the public key that has been used in the signature is for the signer and at that point, the program will display the name of the signer.
The technology of digital signature allows the person who receives a signed document to verify the real origin and integrity. One of the reasons why digital signature verification is done is to ascertain whether a given message or document has been signed by a private key corresponding to a specific public key. What you should know is that digital signature verification is not capable of ascertaining if a particular message is signed by a particular person.
In case, you want to check if a certain individual signed a given message or document, you will need to get the person’s public key. This may be possible by having the public key stored in a secure way for example, on a CD, flash disk, or other storage media. Another way to confirm the person who signed the document or message is with the help of what is known as the Public Key Infrastructure (PKI) using a digital cert. Without a secure way of obtaining the real public key of a particular person, it is impossible to check if a particular message or doc has been signed by that person.
There are three steps involved in verifying digital signatures:
1. Calculating the current hash-value
In this step, a hash-value of a signed message will be calculated. In this calculation, the same hashing algorithm is applied as was applied in the signing process. In the calculation, the obtained hash-value is referred to as the current hash-value since it is calculated based on the current state of the document or message.
2. Calculating original hash-value
During the second step of the verification process, the decryption of the digital signatures occurs using the same encryption algorithm that had been applied at the time of signing the document. The decryption will be done by corresponding or matching the public key to the private key that was used at the time of signing the document. This leads to an original hash-value calculated from the initial document during the initial step of the document signing. The initial step is known as the original message digests.
3. Comparing current and original hash-values
During the third step of the verification process of digital signatures, you compare the present hash-value that was obtained within the first step of signing the document with the original hash-value that was calculated or obtained in the second step. When the two values correspond or they appear identical, the verification is successful. This proves that the document or message has been signed using the private key corresponding to the public key utilized in the verification process. In case the two values appear to be different, it means that the digital signature is invalidated and the verification is considered not successful.
There are many reasons why you could have invalid signatures. For example, if the digital signature has been adulterated or it’s not real, and you use a public key to decrypt it, it means the obtained original value is not going to be the original hash-value intended for the original message. It will be some other value. An invalid signature may also occur if the message has been changed since it was signed meaning the current hash-value that has been calculated from the changed message is going to vary from the original hash-value. This is because the two different messages or documents correspond to two different hash-values.
In order to avoid these problems when using online electronic signature software, when a signed document is transmitted or sent to another person, the certificate of the person who has signed the document is also sent or forwarded along with the document as well as the corresponding or applicable digital signature.