How Digital Signatures Work – Under the Hood

Posted by Steve Gottwals, Technical Director of Security Solutions, Adobe Systems Federal

A digital signature employs cryptography to provide two main information security capabilities:

Here is an example of what a digital signature can look like, as represented by Adobe Acrobat and Reader.


http://blogs.adobe.com/adobeingovernment/files/2016/11/Picture1-1.png

In this example, we know that the document has been signed by Steven Gottwals (me), and that it has not been tampered with since the signature was applied.

Applying digital signatures in Adobe Acrobat and Reader is easy and takes only a few seconds, as shared in our latest post and video.

Under the hood, however, it’s a bit more complex.

Digital signatures are embedded encryption codes. Specifically, they are hashes (a bunch of ones and zeros) encrypted with the sender’s private key.

Signature algorithms are used with a one-way hash function, for example SHA-256. The data to be signed (e.g. the one-way hash function output value) is given to the signature algorithm, along with a private key, to create the digital signature output (the signed hash).

Here’s a diagram of how it all works:


http://blogs.adobe.com/adobeingovernment/files/2016/11/Picture1-2.png

Let’s take a real life example, and see what happens behind the scenes in every step.


http://blogs.adobe.com/adobeingovernment/files/2016/11/Picture1-3.png

Both parties are assured the agreement is not tampered with since it was signed, and that a trusted source is signing the document.

Although this process may seem complex, from the user’s perspective, everything happens in seconds.

Where Do We Experience Digital Signatures Today?

We can encounter digital signatures in many forms. Sometimes it’s very visible, and other times, the technology is more hidden.

Some examples:

HTTPS: For secure browsers, digital signatures are the definitive source of trust. Are you really on your bank’s website? Or, are you being phished by a fraudster?

Code: Digitally signed code allows for the verification of its authenticity and integrity. Is the code you’re about to run really from the vendor you think it’s from? Has it been altered?

PDF: Like websites or code, authenticity and integrity can be imparted to digital documents. Is this contract from my business partner? Have any dollar amounts been altered?

What’s Next for Digital Signatures

A quick history 101 on digital signatures: it all started in the 70’s when public key cryptography was developed. This capability relied on the fact that cryptography works with pairs of keys. When the first key is used to encrypt the data, then the second key in the pair is used to decrypt the data. And vise-verse, if the second key is used to encrypt, then the first key is used to decrypt.

Since then, things have evolved around new algorithms and potential applications. With our current trend toward more data-centric security needs, we’re seeing the application of digital signatures being used to protect the integrity and authenticity of more of our data.

For instance, today, emails can be digitally signed. By protecting your email, you can be assured that the email has not been altered in transit, and that it is from someone you trust. This is an excellent way to fight phishing and malicious spam.

Documents, like the federal budget, are digitally signed by the Government Publishing Office. Or, transcripts are digitally signed by the University of Chicago and Stanford University. While these are documents that certainly benefit from digital signatures, in the future, most of our documents can also benefit from automated integrity and authenticity checking, especially as we move more thoroughly from paper to digital.

But, in the future, with the prevalence of the Internet of Things (IoT), digital signatures will play a key role in the machine-to-machine interface. The modification of data traveling between machines poses a real threat to physical systems. Altering the data traveling between self-driving cars, medical sensors/devices, or even robots, can potentially lead to catastrophic events. While keeping data confidential seems to garner most of the media attention these days, authenticity and integrity, and subsequently digital signatures will surely play a key role in the future of cybersecurity.