Securing Documents with Digital Signatures – Part 2

In the first part about digital signatures we dealt with the different forms of signatures and had taken up the question to what extent a document with a digital signature is legally valid. This second part deals with the underlying encryption technique.

In connection with a digital signature one often speaks of a so-called “key technology”. This PKI technology (Public Key Infrastructure) has certain requirements. These include a digital certificate from a certification authority (CA) as well as certain software and tools so that the certificates can be attached and managed. The Bundesnetzagentur (Germany) is responsible for the certification service providers.

The basis of this technique is the principle of cryptography. This works with checksums/encrypted hash values that can be correctly assigned, just like a fingerprint. The hash values thus guarantee the integrity of the data and offer protection against manipulation.

What is a cryptographic hash function?

Examples of cryptographic hash functions and cryptographic checksums are authentication procedures (such as the digital signature). Cryptographic hash functions are a subset of cryptography.

In the procedure with a cryptographic checksum (also hash), a character string (with a fixed length) is formed from data records of any length. This is often referred to as a “digital finder’s imprint”.

A distinction is made between keyless and key-dependent hash functions. The former has only one input value. Keyless hash functions are OWHF (One-Way Hash Function) or CRHF (Collision Resistant Hash Function). Key-dependent hash functions require a secret key as a second input value. These are called Message Authentication Codes (MAC) or HMAC, CBC-MAC or UMAC.

Not all hash values in themselves are automatically cryptographic hash functions. For this, certain requirements must be fulfilled, such as uniqueness (identical character string must always lead to the same hash value), reversibility (hash value cannot be recalculated back to the original character string) and collision resistance (different character strings never result in the same hash value). To satisfy cryptographic applications such as authentication and encryption, all of these requirements must be met.

What are the minimum requirements for cryptographic algorithms and for the generation of qualified electronic signatures?

The Federal Network Agency publishes the respective minimum requirements for electronic signatures. RSA, DSA and DSA variants based on elliptic curves (e.g. EC-DSA, EC-KDSA, EC-GDSA) are considered suitable digital signature procedures. Minimum lengths of the keys are specified for the procedures and certain requirements are placed on the parameters and the hash function.

Encryption technology for digital signatures

1. the documents to be backed up are stored in short form (hash value) – this procedure is not reversible.

2. then that value is encrypted and sent together with the document (that would be an electronic signature) – a key pair is formed, which consists of a private key and a public key. There is only one private key matching the public key.  – The background is a mathematical algorithm that functions like a cipher. The data generated is called a hash. With this action encrypted data are generated, that is the digital signature, which is also provided with a time stamp and is no longer changeable (then it would be invalid).

3. The public key is assigned to a person by means of an electronic certificate and the identity of the signature manufacturer is verified and unambiguously verified via the public directory of a certification provider. This is the condition for PKI. If a recipient receives a document that has been protected with a digital signature, he or she receives three components. The document, the signature (secured hash value) and the certificate. The recipient can then use the public key to recalculate the hash value. If the result matches the sent signature, this is proof that the sender and content are trustworthy. In this case, only the sender (who has the secret key) can have generated the signature. Otherwise, the public key would not match.

More information on generating digital signatures

More detailed information about signature application and signature generation at the BSI (Federal Office for Security and Information Technology in Germany).

Note: In our third part about digital signatures we will discuss how to create a digital signature with webPDF.