What Are Digital Signatures and How Do They Work? | Penneo

Published Date: 8 July 2019 | 11 min read

From an ink pen to digital signature

For centuries, a signature could reveal a great deal about a person. Who, as a child, didn't spend hours practising the italic style signature and writing the perfect curve that would define adulthood? The classic ink pen signature has historically been the means of doing business and binding ourselves to something. For a long time, it was the only method considered globally valid. However, this long-lasting attachment has been gradually abandoned since the emergence and adoption of digital signatures.

 

What are digital signatures?

Digital signatures, also known as advanced e-signatures, refer to a specific category of electronic signatures that offer more trustworthiness and reliability. For a digital signature to be valid, it must meet the following requirements:

It has to be uniquely linked to the signer.

It has to be capable of identifying the signer.

The signer needs to have sole control of the data used to create the signature.

It has to be linked to the data signed in such a way that any subsequent change in the data is detectable.

In other words, a digital signature will provide certainty on the signer's identity and ensure content integrity. It, therefore, grants the highest level of security. A digital signature is fully enforceable and binding. Thus, it has the same legal standing as a handwritten signature. On top of that, it is also much safer thanks to all its auditable characteristics.

 

What are the differences between electronic signatures and digital signatures?

The generic term electronic signature is used in an all-encompassing sense to embrace all signing methods - including digital signatures. However, electronic signatures and digital signatures are two distinct concepts and cannot be used interchangeably.

Not every data attached to an electronic document and used by the signatory to sign provides the same legal standing as a manuscript signature. To have the same value as a traditional one placed with ink on paper, the e-signature needs to adhere to the requirements of the specific regulation it was created under, so that it can be identified as a digital signature.

The digital signature is the electronic signatures which ensure with most certainty the identity of the signer as well as the integrity of the message.

 

How do digital signatures work?

The following is specific technical information on the functioning of our software for the creation and verification of digital signatures.

The lifecycle of Penneo's digital signatures consists of a two-phase process: the creation by the signer with their private key and the verification by the recipient with the signer’s public key. The process involves three cryptographic algorithms:

1. The key generating algorithm, that randomly selects a private key and its corresponding public key for the parties involved (signer and recipient). The keys are presented in the form of random numbers and letters. The private key of the signer is used to sign the document message digitally and shows that the signature belongs to the private key holder because he is the only one with access to that private key. While the signer’s private key should always remain private and be kept securely, their public key must be shared with the recipient to allow the verification of the authenticity of the signature and integrity of the document. Any person can verify the identity of the author of the signature through the signer’s public key. However, if the signer wants the document to be confidential, they can encrypt the message with the public key of the recipient, so that only the recipient using their private key can decrypt it. Eventually, the message is digitally signed and confidential.

2. The signing algorithm, that produces the digital signature from the message and private key. A digital signature is, indeed, a combination of the signed document and the author’s private key. Any variation in the content of the document or in the private key used to sign it will create a different algorithm, i.e. a different digital signature.

3. The signature verifying algorithm, that uses public-key message and digital signature to confirm the authenticity of the message.

The process is completely performed by Penneo, and can be summarized as follows:

The content of the document is processed by means of a hashing algorithm to create a unique sequence of numbers and letters representing the document. The signer’s private key is applied to this digest result to sign it on his behalf. The final output, the encrypted digest, is the digital signature of the document.

The digitally signed document is sent to the recipient who will need the sender’s public key to verify its legitimacy. The recipient applies the sender’s public key to decrypt the digital signature and get the digest which is then compared with the hash value attached to the document. If the result is identical, it will verify that the signer’s private key was used to sign and that the document has not been altered.

To better understand how the process works, let’s suppose that John wants to sign a document and send it to Mary.

 

How is a digital signature created?

John creates an electronic document in Penneo.

Penneo processes its content through a hashing algorithm (to obtain a compressed digital representation of the data unit that is to be signed). The document's size is reduced utilizing this algorithm that creates a unique sequence of numbers and letters (hash value) often called the “digest” of the document.

Penneo applies John’s private key to the digest result to sign it on his behalf.

The final output, the encrypted digest, is the document's digital signature (that is the combination of the signed document and the author’s private key). The calculation of the hash result and application of the private key through the signing algorithm is a single process conducted automatically by Penneo's software. The same applies when verifying the digital signature.

John sends the digitally signed document to Mary, the recipient, via Penneo. If John wants to ensure the confidentiality of the document and encrypt it, he checks the box The case file contains sensitive information. By doing so, Penneo encrypts the message with the recipient Mary's public key, so that she must use her e-ID to open the link with the document.

Digital signature creation

 

How is a digital signature verified?

Mary receives the digitally signed document via Penneo.

If the signer (John) wanted the document to be confidential, she would have to use her private key (that is her digital ID) to decrypt it and gain access.

When Mary receives the document, she can verify the signer's identity and the integrity of the file content via Penneo's Validator. To do so, she can upload the PDF in the Validator, and Penneo will reverse the above-described creation process to verify the legitimacy of the signature and message.

Penneo applies John’s public key to decrypt the digital signature and get the digest.

The verification consists of the regeneration of the hash value based on the same document and the same algorithm. This hash value is computed with the public key to produce a checksum, which is compared with the checksum/signature attached to the document.

If the result is identical, it will verify that the signer’s private key was used to sign and that the document has not been altered.

If Penneo cannot decrypt the digital signature, it's because it did not come from John as only John’s public key can decrypt the digests generated with his private key. If the signature is untampered, the digests should be exactly the same.

Once Penneo gets the digest, the integrity of the document can be checked. The document is processed through the same hashing algorithm used previously for the creation of the signature, and it results in a digest.

Finally, Penneo will have two digests, one based on the digital signature and the other one based on the content of the document. If the document is untampered, the digest should also be exactly the same. Comparing them, if both digests match, then Mary can be confident that John is actually the author and that the document has not changed since he signed it, so the content and the digital signature are verified.

If the digests are not equal, this will generate an error message and Mary will know the document has been altered in transit.

The same message will never produce two different hash results, just as two different messages will never produce the same hash result. This means that if the message had been tampered with by its signature, the hash result calculated by the recipient would not match the hash result calculated and sent by the sender. This is how digital signatures are the safest way to protect data and ensure immutability.

With this verification, Mary can be confident that John is actually the author (authentication) and that the document has not changed since he signed it (content integrity).

Penneo signature verification

 

What are the advantages of digital signatures?

If you are still hesitant about switching from hand-signatures to digital signatures, here are a few advantages to change your mind:

 

Digital signatures provide a level of reliability and security far higher than those offered by the traditional manuscript ones

Comparing the different signing methods in terms of security, digital signatures are the safest ones and are labelled virtually impossible to defraud. On the other hand, paper documents are very easily alterable: manuscript signatures can be defrauded, changes may be made to the content of the paper document, and contractual parties can deny having signed it.

A digital signature can protect the document in a safer way than its traditional counterpart from a triple perspective:

The identification of the signatories: the authentication of the signers through digital IDs provides certainty on the signers’ identity and enables anyone to verify who is actually the author of the signature. It’s an electronic proof that undisputedly confirms the signatory's identity and links the electronic signature validation data to that person.

The integrity of the document's content: with paper documents, the information being sent can be stolen or altered before the intended recipient has received it. While using a digital signature, if someone tries to change any part of the document, there is proof that this happened. Every step is captured in a secured audit trail and makes it extremely easy to verify if the signed document has been modified since it was signed. If a modification is detected, the document is invalidated.

The impossibility to repudiate both the signature and the document: alongside the signers' identity, it is equally important to ensure their intent of sign. When a digital signature has to be applied to a document, the user has been informed of the consequences of their actions and has had the opportunity to read that document. It’s also worth mentioning that, while signing the document, signers have to accept a statement of declaration and consent, which include an overview of the document itself, as well as the signer’s role. This statement is stored as part of the signature itself and thus serves as further proof of the signature's validity. Furthermore, each newly generated digital signature is time-stamped by a time-stamping authority so that the trusted time of signature generation can be identified and used as non-repudiation evidence.

In paper-based processes, you can only have uncontested certainty of these three main features by availing of the intervention of a notary public. Digital signatures ensure both the identity of the signers and the integrity of the documents, as well as the impossibility to deny the signature; therefore, they can be compared to notarized signatures. Moreover, with digital signatures, all data transfers can be end-to-end encrypted, so you can safely send cases out, even with private information in the documents, being sure that they’re never exposed to the risk of tampering and fraud.

That’s why digital signatures are actually much more reliable and secure than handwritten signatures, and enjoying this higher security doesn’t require higher expenses. On the contrary, this safer tool lets users save time and money.

Who needs further reasons? Shouldn’t that be enough to justify and encourage digital investment? It is, actually. However, something else can be considered in this context and can be the ultimate driver for a digital change. The customers.

 

Digital signatures meet customers' expectations, reap the benefits of digitization, and boost productivity and competitiveness

The rising of the digital customer figure that requires the availability of the services he needs anywhere and anytime at the click of a button, has likely been the major drive for digital-oriented improvement. Digital solutions make it easier to meet customers' needs, provide a better and personalized experience, and, therefore, grant more business opportunities.

From common citizens to enterprises and all the way up through governments, nobody can deny the importance of relying on digital signatures to protect their documents and to ensure trust and confidence with their business practices. An increasing number of companies are undertaking this digital transformation and recognizing the huge benefits it involves. Implementing new technologies improves synergies by streamlining workflows, reducing costs, and increasing profits.

Adaptation to this new environment might seem challenging, but cannot be considered as an option. It must be recognized as a necessary way to avoid the risk of being left behind in a society moving towards digital technology. The adaptation to modern business is also an advantageous investment to fully appreciate the potentiality of the global digital market. The improvement of the efficiency of your company goes hand in hand with the adoption of digital tools.

In this context, digital signatures - legalized and recognized as being of equal value compared to manuscript signatures - provide even further reliability in terms of security and data protection and enable your company to enjoy lots of benefits, such as reducing waste of resources and time, automating and streamlining workflows, ensuring the authenticity of both signatures and documents.

Traditional signature vs digital signature

 

Digital signatures reduce the use of paper, thus saving businesses time and money

In today’s fast-paced market, every minute counts.

What do you need to hand-sign your documents? Paper, ink, stationery, printing-scanning tools, mailing-shipping services are just some of the most evident extraneous costs that can be avoided by conveniently replacing the old-aged processes and embracing digital solutions. What matters even more than these cost savings is the possibility to save the most important and invaluable of the resources: time.

To carry out a paper-based process, a person first needs to come into possession of the document by receiving a mail or printing an email. Then they would physically sign the document and send it to its originator or to the other parties who need to sign it. The latter would need to follow the same steps once again and then return the document to the person who started the process, who will need to verify the validity of the document and the signatures.

Does this process look secure or timely? Among the most frequent risks, delivery delays could occur, signatures could be forged, the enclosed documents may be altered. What’s more, the issues increase as multiple signatures are required from different people who may be located in different locations: the sender would probably need to forward the signed document to the other parties once he collected all the signatures by making physical copies of the document and sending them by physical mail or scanning them to use email. The sole explanation of these steps points out how this offline traditional paper-based process is cumbersome and time/resources-consuming.

On the contrary, digital signatures represent a cost-effective tool to simplify your working day and reduce turnaround times while contributing to the protection of the environment. Using digital signatures means adopting an eco-friendly approach in your company by reducing drastically the amount of paper you need and cutting down on environmental waste.

Contracts and documents can now be easily and quickly signed by partners and customers spread around the world using digital signatures. It only takes some minutes. It doesn’t matter anymore where you are and what time it is. You only need an internet connection to digitally sign a document or collect signatures remotely.

With digital signatures, delays are minimized since there is no need to wait for mailing documents back and forth by post or for receiving signed documents from the other parties. The automated process of digital signing streamlines workflows by eliminating many sequential steps each time a document needs a signature.

But if the benefits from the adoption of digital signatures are so apparent, what is it that stops companies from digitizing their processes?

The truth is that people are traditionally used to deal with paper documents, and the lack of familiarity with electronic solutions may lead them to be afraid of higher risks in digital transactions. However, digital signatures are undoubtedly one step ahead from a security point of view than the aged wet-ink signatures.

 

How do I send out documents for digital signature with Penneo?

It's easy to send out documents for digital signature with Penneo. Follow these simple steps and your documents will be signed in no time!

1. Log in to your Penneo account: You can choose to log in via digital ID or by typing in your username and password.
2. Select "Create new case file"
3. Fill in the document details: Type in the document name, select your preferred automated signing flow, and enable additional security measures.
4. Upload the document: You can upload both documents and attachments here. With Penneo, you can digitally sign PDFs by uploading PDF files here.
5. Add recipients: Fill in the details of the people who need to sign the document. On top of that, you can select additional security options during this step.
6. Review and send: Preview your documents and make sure all the details are correct. You can then send out the documents for signing with the touch of a button.

Do you need more information on how to create a digital signature request with Penneo? Check out our video tutorial on how to send out documents for signing with Penneo.

 

How do I digitally sign with Penneo?

It's easy to digitally sign documents with Penneo. Follow these simple steps and sign documents in a matter of minutes!

1. Open the email from Penneo: After opening the email, just click on "Click here to read your documents".
2. Validate your identity: Select the digital ID you wish to use and log in with it to confirm your identity.
3. Read all the documents and attachments
4. After going through all the documents, click on "Go to signing"
5. Sign the document using your digital ID (eID)

Do you need more information on how to digitally sign a document with Penneo? Check out our support article on how to digitally sign with Penneo.

 

How much does a digital signature solution cost?

Penneo's digital signature solution prices start from € 129/month.

However, we don't believe in theone-size-fits-all approach. When it comes to digital signature, you should only pay for what you need. Therefore, we provide a wide range of plans and packages - just choose the one that best fits your needs.

 

Do you want to try it out before making your decision? Sign up for a free trial of Penneo

 

  • This field is for validation purposes and should be left unchanged.

 

Why choose Penneo’s digital signature solution?

Our digital signatures can be used as proof of trustworthiness in terms of authenticity, data integrity, and non-repudiation, that are the three core security services for the validity of an e-signature. But how do we achieve this level of security?

Signer authentication: to be 100% sure about who is actually the author of the e-signature, Penneo uniquely identifies signers by using certificate-based Digital IDs issued by TSPs or Certificate Authorities (CAs); a unique PID (Personal Identifier) is also printed on the document so that the signer’s certificate is cryptographically bound to it.

Content integrity: to prevent tampering, once the digital signature has been submitted the entire package is signed by Penneo that acts as a kind of notary and prints a unique watermark ID on the document; every step is captured in a secured audit trail that makes it extremely easy to verify if the document has been altered in transit.

Non-repudiation: to document intent and consent, digital signatures can only be applied through Penneo’s signature platform, where the user must accept a declaration of consent before signing; this statement contains an overview of the documents and is stored as a part of the signature itself; additionally, each digital signature is time-stamped so that the trusted time of generation can be identified and used as non-repudiation evidence.

But the list cannot end here. Because it’s equally important the attention we pay to encryption and data protection to safeguard the privacy of your confidential information. Not to mention all the capabilities and features you can rely on to easily customize, integrate, and automate your signing flows.

Companies around the globe are thriving in this fast-growing marketplace. Invest in digital solutions to get the most out of this ongoing advancement. You’ll save money and boost your security while giving your business a competitive edge. What are you waiting for?

 

Sign up for a free trial of Penneo now!

  • This field is for validation purposes and should be left unchanged.