How do digital signatures work?

M.Sc. Chris Wojzechowski

If you want to sign something in the analog world, you can simply take a pen and put your signature under the corresponding document. In the digital space, digital signatures serve this purpose, but they can do much more than be recognized as a legally valid electronic signature.

Why do I need a digital signature?

A digital signature ensures the integrity of a message and the unambiguous traceability to the originator of the message. Integrity here means that a message has not been modified in transit and still has the same content that it had at the time of the digital signature.

Digital signatures can be used for documents, but also for entire archives and large amounts of data. If you digitally sign these files in this way, the recipient can check whether the file has been modified in transit and whether the sender is actually the one who digitally signed the file.

How digital signatures work

A digital signature is based on asymmetric cryptography. Classical encryption needs two keys, one for encryption and one for decryption. If these two keys are identical, the method is called symmetric cryptography. In asymmetric methods the two keys are different: one of them is published, and the other is kept secret.

With a digital signature, the person who wants to sign something generates such a key pair. The key used to generate the signature must be kept secret; it is that person's private key. The other key, which is published, is used to verify the signature. A recipient receives the message and the associated signature. Using the sender’s public key, he can check whether the signature is valid. If it is valid, he can be sure that the message has not been modified in transit.

Digital signatures and large file sizes

Current signatures use, for example, the RSA algorithm. Since digital signatures are based on asymmetric cryptography, they are quite complex and slow to compute. RSA is about 100 times slower than AES, a symmetric encryption algorithm. Especially when large amounts of data are signed, the effort quickly exceeds an acceptable limit.

The problem is solved by not signing every bit of a large file. Instead, a hash value of the file is calculated beforehand. We have described how a hashing algorithm works in this article. Depending on the algorithm, hash values with lengths of 128 to 512 bits are generated, which is an enormous reduction in size. If you wanted to sign a 1 MB file directly, you would have to sign and process 8388608 bits if you take all bits into account. So instead of signing the 1 MB file, you calculate the much shorter hash value of this file and sign the hash value itself. If the file were to change in transit, recalculating the hash value would produce a different value. On receipt, the recipient can therefore check whether the file still generates the same hash value and whether this hash value corresponds to the signed one. If the digital signature is valid, the use of hash values has saved an enormous amount of computing power.
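The key-pair workflow and the hash-then-sign step described above, as an added example that is not part of the original article. It uses only Go's standard library; SHA-256, RSA-PSS padding, the 2048-bit key size, the constructed 1 MB message and the function names Sign, Verify and Demo are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes msg with SHA-256 and signs only the 32-byte digest (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest of the received msg and checks sig against it.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo signs a constructed 1 MB message and verifies three cases: the
// unmodified message, a copy with one flipped bit, and a different public key.
func Demo() (original, tampered, wrongKey bool, sigLen int, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	msg := make([]byte, 1<<20) // constructed sample: 1 MB = 8388608 bits
	copy(msg, "constructed sample document")
	sig, err := Sign(signer, msg)
	if err != nil {
		return
	}
	modified := append([]byte(nil), msg...)
	modified[len(modified)-1] ^= 0x01 // a single bit changed in transit
	pub := &signer.PublicKey
	return Verify(pub, msg, sig), Verify(pub, modified, sig),
		Verify(&other.PublicKey, msg, sig), len(sig), nil
}

func main() {
	fmt.Println(Demo()) // original, tampered, wrongKey, signature length, error
}
```

The signature is 256 bytes regardless of the message size, because only the digest passes through the RSA operation.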

Conclusion

Digital signatures are an effective way to ensure the integrity and authenticity of messages. However, as the computing power of computers is constantly increasing, the algorithms used for signature procedures must be constantly adapted. The Federal Network Agency issues requirements for the algorithms for this purpose; the announcement can be found in the Federal Gazette. If these requirements are met, digital signatures are clearly superior to analog signatures because they are more forgery-proof and can ensure the integrity of the signed message.

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I studied my Master in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.