Securing Documents with Digital Signatures Part 2

In the first part about digital signatures, we looked at the different types of signatures and clarified to what extent a document with a digital signature is legally valid. This second part deals with the underlying encryption technology.
In connection with digital signatures, people often speak of so-called "key technology". This PKI technology (Public Key Infrastructure) has clear requirements: a digital certificate from a certification authority (CA) as well as suitable software and tools for attaching and managing certificates. In Germany, the Bundesnetzagentur is responsible for certification service providers.
The technical basis is cryptography. It works with encrypted checksums, or hash values, that can be uniquely assigned to the data, similar to a digital fingerprint. Hash values ensure data integrity and protect against manipulation.
What is a cryptographic hash function?
Cryptographic hash functions play a central role in authentication procedures such as digital signatures.
In this process, a fixed-length string is generated from data sets of any length. This hash value is often referred to as a "digital fingerprint".
A distinction is made between keyless and key-dependent hash functions:
- Keyless hash functions work with a single input value, for example OWHF (One-Way Hash Function) or CRHF (Collision Resistant Hash Function).
- Key-dependent hash functions require a secret key as a second input value, for example Message Authentication Codes (MAC), HMAC, CBC-MAC or UMAC.
Not every hash function automatically fulfills the requirements of a cryptographic hash function. Important properties include:
- Determinism: identical input always produces the same hash value.
- One-way property: the original input must not be reconstructible from the hash value.
- Collision resistance: different inputs should not produce the same hash value.
What are the minimum requirements for cryptographic algorithms and for the generation of qualified electronic signatures?
The Federal Network Agency publishes the relevant minimum requirements for electronic signatures. RSA, DSA and DSA variants based on elliptic curves, such as EC-DSA, EC-KDSA and EC-GDSA, are considered suitable digital signature procedures. The requirements cover minimum key lengths, parameters and the hash function used.
Encryption technology for digital signatures
- The documents to be protected are first represented in the form of a hash value. This process is not reversible.
- That hash value is then encrypted and transmitted together with the document. This constitutes the electronic signature. A key pair is used for this purpose, consisting of a private key and a public key. A mathematical algorithm acts like a cipher and generates the encrypted data that forms the digital signature, usually together with a timestamp.
- The public key is assigned to a person by means of an electronic certificate. The identity of the signer can then be verified via the public directory of a certification provider. This is a prerequisite for PKI. When a recipient receives a digitally signed document, three components are involved: the document, the signature and the certificate. The recipient can use the public key to recalculate the hash value. If the result matches the transmitted signature, this confirms that the sender and the content are trustworthy.
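The three steps above, as an added example that is not part of the original article or of any product it mentions: a document is hashed, the hash is transformed with the private key, and the recipient checks the result with the public key. It assumes SHA-256 and unpadded "textbook" RSA with a constructed toy key built from two Mersenne primes; real signature schemes add padding (PKCS#1 v1.5 or PSS) and bind the public key to a person through a certificate, which is not modelled here. The function names are hypothetical.

```python
import hashlib

# Constructed toy key pair (assumption for this example): two Mersenne primes,
# chosen only so the code runs offline with the standard library.
# Never use a key like this, or RSA without padding, in practice.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Step 1: reduce a document of any length to a fixed-length hash value."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Step 2: transform the hash with the private key; this is the signature."""
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Step 3: recover the hash from the signature with the public key and
    compare it with a hash recalculated from the received document."""
    return pow(signature, e, n) == digest(document)


if __name__ == "__main__":
    original = b"Contract: 100 units at 5 EUR"   # constructed sample document
    tampered = b"Contract: 900 units at 5 EUR"   # one character changed
    signature = sign(original)
    print("original document verifies:", verify(original, signature))
    print("tampered document verifies:", verify(tampered, signature))
    print("altered signature verifies:", verify(original, signature ^ 1))
```

Changing a single character of the document, or a single bit of the signature, makes verification fail, which is the integrity property the hash value provides.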
More information on generating digital signatures
More detailed information about signature application and signature generation is available from the BSI (Federal Office for Information Security in Germany).
Note: In our third part about digital signatures, we explain how to create a digital signature with webPDF.