When signing documents electronically, you may want to add an additional layer of security. The most common way to add security to an electronic document is by using a digital signature. A digital signature is simply a way to verify that a document has not been altered or tampered with after it was signed. It provides an additional layer of security to your documents, and we use it every time we sign a document. Digital signatures are one of the many ways to ensure that a document has not been altered or tampered with after it was signed. Several different security provisions are used for digital signatures, and this article will explain which security provision is best for your company.
Security Provisions for Digital Signatures
Secure Hash Algorithm (SHA)
Secure Hash Algorithm (SHA) is a cryptographic hash function that is used to verify message integrity. It’s part of the Digital Signature Algorithm (DSA) approved by NIST in 1991. SHA is widely used in security applications and protocols, such as SSL, TLS, SSH, S/MIME, and IPsec. The most recent version of SHA is SHA-3 or “Keccak,” which was released in 2015.
The first additional security provision is the temporal property. This relates to the time of the creation of the digital signature. Timestamping is used to validate the time of creation. Once a digital signature is created, it will remain valid even if the certificate has expired.
In addition to the hashing algorithm, an encryption algorithm is used. The encryption algorithm is used to encrypt the message digest with the signatory’s private key. The encrypted message digest is called a digital signature. The encryption algorithm is also used to decrypt the digital signature with the signatory’s public key.
The digital signature scheme provides privacy because only known algorithms are employed. Digital signatures are non-forgeable because it is computationally infeasible to generate a valid digital signature without knowing the corresponding private key. Digital signatures are also reliable as they provide verifiability, which means that any recipient can verify their authenticity without the need for special knowledge or secret information (like keys). However, suppose knowledge (or access) to a signatory’s public key has been obtained by an attacker. In that case, signatures made by that party can be forged with little difficulty using off-the-shelf computer hardware and software, so proper security measures must be taken when handling private keys (see our post on how not to lose your bitcoin).
Hash clauses, also known as hash values, are very useful for creating digital signatures. A hash clause is a fixed-length value of a random string of numbers and letters. This value is generated by hashing algorithms, which are essentially functions that can take any data of arbitrary length as input and produce a fixed-length alphanumeric output based on that input. Hash values make it possible to check if the contents of your message have been modified after you’ve encrypted them with your private key—if they have been, the message will no longer be authenticated.
For example, if you’re using SHA-1 to create your hash clause in preparation for digitally signing a message, you’ll generate an alphanumeric string that’s exactly 40 characters long. After encrypting the message with your private key (and this encryption process will also generate another 40-character hash), you can send both the encrypted message and the different hash code to their destination securely—even if an intruder manages to get their hands on them during transmission and modify something in the unencrypted version of your original message, they won’t be able to replace or delete this authentication label without altering its subsequent hash value during decryption. Thus when the receiver decrypts your original encrypted content–which now contains an altered version of itself–they’ll immediately notice that there’s something wrong with its attached authentication label because its associated decrypted hash won’t match up with what was originally sent over.
In a hash chain, each item is the hash of the previous one. This is the most common way to implement a basic digital signature. The primary usage of a hash chain is to protect against data modification within it. If an intruder tampers with any data in one part of the document, subsequent hashes will also be affected. When this occurs, even if all signatures are valid, every additional hash after that will be invalidated and cannot authenticate anything past that point.
Because of its ability to verify data integrity and non-repudiation, a hash chain can prove that someone (or something) has seen or authorized specific information during its lifespan. The hash chain itself can serve as an accurate record for tracing back who has had access to the original document or file and if it was modified during the process.
Counter Signatures are used to add more security to any document. While creating Digital signatures, Counter Signatures can be used to secure the document by signing it from different people. Counter Signatures are signed on the signed document by different people. In a way, this is also considered a signature, but when multiple signatures are applied, they are named as Counter Signatures. This type of signature is used to represent the authenticity of the document. It is used for application authentication in organizations that require more than one person’s approval for authorizing any processor for approving any documents.
Predefined Signing Attribute Certificate (PSAC)
A Predefined Signing Attribute Certificate (PSAC) is a certificate containing a public key and signing attributes. PSACs are issued by a third party and used by a signer to create an advanced signature. A PSAC can be used as an alternative to using a Signing Attribute Certificate (SAC) and prevents the need for authentication of the signer during the creation of an advanced signature.
Substitutionary Signing Procedure
Substitutionary Signing (SS) is a process whereby the signer of a document may delegate the signing authority to another individual by signing in their place. This signed document can then be used as legal evidence that the delegator of authority has authorized the signee to act for them in a specific context. The delegator is not required to be present when the SS is executed, nor does he need to provide any further identification or proof of identity than his signature on the document itself (though if he wishes, it is possible for him to do so).
The SS procedure was developed specifically for use in online environments and other situations where it would be inconvenient or impossible for the delegator to be physically present when the SS is executed. It allows delegated signatories to act with complete confidence that they are legally authorized to do so and provides them with proof of this fact.
Signature Policy Identifier (SPID)
The Signature Policy Identifier (SPID) is used to specify which signature policy will be used to validate the signature. A signature policy is a set of rules that are used to determine if a digital signature is valid or invalid. Let’s say you were going on a road trip and only wanted to know the rules of the highway in Texas, and because Texas has different speed limit rules than most states, you’d like to know that specifically. In this example, Texas is the SPID that tells you what kind of information you want and where you’re getting it from. The SPID can either be an object identifier or a URL pointing at a document with the actual signature policy rules.
Sequential Hash Clauses (SHC)
The sequential hash clauses (SHC) technique allows multiple signers to sign a document with a single signature. Each signer sequentially signs the document, resulting in a hash of the document and the previous signers’ signatures. The last one will verify the complete chain of signatures.