What Are Digital Signatures and How Do They Work?

Published Date: 8 July 2019 | 11 min read

From an ink pen to digital signature

For centuries, a signature could reveal a great deal about a person. Who, as a child, didn't spend hours practicing the italic style signature and writing the perfect curve that would define adulthood? The classic ink pen signature has historically been the means of doing business and binding ourselves to something. For a long time, it was the only method considered globally valid. However, this long-lasting attachment has been gradually abandoned since the emergence and adoption of digital signatures.

 

What are digital signatures?

Digital signatures, also known as advanced e-signatures, represent a type of electronic signatures that are more trustworthy and secure. To be considered valid, a digital signature must meet the following requirements:

It must be uniquely linked to the signer.

It must be capable of identifying the signer.

The signer needs to have sole control of the data used to create the signature.

It must be linked to the data signed so that any subsequent change in the data is detectable.

 

Are digital signatures legal in my country?

Digital signatures are legal and enforceable in nearly all developed countries and actively used in Europe. A digital signature is as legally binding and valid as a traditional signature placed with ink on paper. On top of that, it's also much safer thanks to its auditable characteristics.

Digital signatures

How long are digital signatures valid?

Digital signatures created with Penneo are valid for several years after signing.

Our digital signatures meet PAdES standards and enable Long Term Validation (LTV). LTV is the ability of a signed document to stay valid for many years — even decades — after signing.

Penneo saves the proof of validity as an attachment in the signed PDF document. You can always verify the validity of digital signatures by using the Penneo Validator.

Even if the platform used to create the document becomes inaccessible, the validity of the documents signed with Penneo can still be verified.

 

What are the differences between digital signatures and electronic signatures?

For years, people have been using the term electronic signatures to refer to all digital signing methods - including digital signatures. However, digital signatures are different from electronic signatures - and one shouldn't use them interchangeably.

Electronic signatures need to meet specific requirements set forth under the eIDAS regulation to qualify as digital signatures. A digital signature is an electronic signature that ensures the signer's identity and the integrity of the message.

In conclusion, all digital signatures are electronic signatures, but the opposite is not true.

 

Electronic vs Digital Signatures
Electronic Signatures Digital Signatures
Signer’s identity Either not verified or checked via channels that do not ensure the signer's identity (email or text). Certificate-based eIDs that ensure the signer's identity by verifying their SSN, VATIN, etc.
Content integrity It depends on the provider and the level of safety of their product. Some products incorporate electronic signatures into the document, but very few of them are tamper-proof. Each signature is bound to the document using encryption so that no alteration is possible to the signatures or the signed content. If someone tries to alter the content after signing, the software will immediately detect the changes.
Legal validity They don't always have the same legal validity as traditional signatures. They are the safest type of e-signatures. As a result, they have the same legal standing as manual signatures in every situation.

 

How do digital signatures work?

The lifecycle of digital signatures created with Penneo consists of a two-phase process:

Creation by the signer with their private key

Verification by the recipient with the signer’s public key

The process involves three cryptographic algorithms:

 

1. The key generating algorithm

This algorithm creates a private key and a corresponding public key for both the sender and the signer. The keys consist of random numbers and letters.

Both parties need to keep their private keys secret. However, they are free to share their public keys with others.

The signer uses their private key to sign the documents digitally. The signer is the only person who has access to their private key, so we can be sure that they are the ones who signed the document.

Next, the signed documents get back to the initial sender. The sender needs to use the signer's public key to verify the authenticity of the signature.

 

2. The signing algorithm

This algorithm produces the digital signature from the message and private key. A digital signature is a combination of the signed document and the author’s private key.

Any variation in the content of the document or in the private key used to sign it will create a different algorithm (a different digital signature).

 

3. The signature verifying algorithm

This algorithm confirms the authenticity of the message.

The process is completely performed by Penneo, and can be summarized as follows:

The content of the document is processed by means of a hashing algorithm to create a unique sequence of numbers and letters representing the document. The signer’s private key is applied to this digest result to sign it on his behalf. The final output is the digital signature of the document.

The digitally signed document is sent to the recipient who will need the sender’s public key to verify its legitimacy. The recipient applies the sender’s public key to decrypt the digital signature and get the digest which is then compared with the hash value attached to the document. If the result is identical, it will verify that the signer’s private key was used to sign and that the document has not been altered.

 

How are digital signatures created and verified?

To better understand how the process works, let’s suppose that John wants to sign a document and send it to Mary.

 

How is a digital signature created?

John creates an electronic document in Penneo.

Penneo processes its content through a hashing algorithm. This algorithm creates a unique sequence of numbers and letters (the digest of the document).

Penneo applies John’s private key to the digest result to sign it on his behalf.

The encrypted digest is the document's digital signature. The calculation of the hash result and application of the private key through the signing algorithm is a single process conducted automatically by Penneo's software. The same applies when verifying the digital signature.

John sends the digitally signed document to Mary, the recipient, via Penneo. If John wants to ensure the confidentiality of the document and encrypt it, he checks the box The case file contains sensitive information. By doing so, Penneo encrypts the message with Mary's public key, so that she must use her e-ID to open the link with the document.

 

Digital signature creation

 

How is a digital signature verified?

Mary receives the digitally signed document via Penneo.

If the signer wanted the document to be confidential, she would have to use her private key (that is her digital ID) to decrypt it and gain access.

When Mary receives the document, she can verify the signer's identity and the integrity of the file content via Penneo's Validator. To do so, she can upload the PDF in the Validator, and Penneo will reverse the above-described creation process to verify the legitimacy of the signature and message.

Penneo applies John’s public key to decrypt the digital signature and get the digest.

The digital signature verification consists of the regeneration of the hash value based on the same document and the same algorithm. This hash value is computed with the public key to produce a checksum, which is compared with the signature attached to the document.

If the result is identical, it will verify that the signer’s private key was used to sign and that the document has not been altered.

If Penneo cannot decrypt the digital signature, it's because it did not come from John as only John’s public key can decrypt the digests generated with his private key. If the signature is untampered, the digests should be exactly the same.

Once Penneo gets the digest, the integrity of the document can be checked. The document is processed through the same hashing algorithm used previously for the creation of the signature, and it results in a digest.

Finally, Penneo will have two digests, one based on the digital signature and the other one based on the content of the document. If the document is untampered, the digest should also be exactly the same. If both digests match, Mary can be confident that John is actually the author and that the document has not changed since he signed it. Hence, the content and the digital signature are verified.

If the digests are not equal, this will generate an error message and Mary will know the document has been altered in transit.

The same message will never produce two different hash results, just as two different messages will never produce the same hash result. This means that if the message had been tampered with by its signature, the hash result calculated by the recipient would not match the hash result calculated and sent by the sender. This is how digital signatures are the safest way to protect data and ensure immutability.

 

Penneo signature verification

 

What are the advantages of digital signatures?

If you are still hesitant about switching from hand-signatures to digital signatures, here are a few advantages to change your mind:

 

Digital signatures provide a higher level of reliability and security

Digital signatures are the safest type of signatures since they are virtually impossible to defraud. On the other hand, handwritten signatures can be easily defrauded, changes may be made to the content of the document, and contractual parties can deny having signed it.

A digital signature can protect the document in a safer way than its traditional counterpart from a triple perspective:

The identification of the signatories

The integrity of the document's content

The impossibility to repudiate both the signature and the document

In paper-based processes, you can only have uncontested certainty of these three main features by hiring a notary. Digital signatures ensure both the identity of the signers and the integrity of the documents, as well as the impossibility to deny the signature; therefore, they can be compared to notarized signatures. Moreover, digital signatures ensure all data transfers are end-to-end encrypted.

 

Digital signatures ensure a better customer experience

The rise of digital customers has been the major driver of digital transformation. Digital solutions make it easier to meet customers' needs and provide a better experience. Therefore, they grant more business opportunities.

From common citizens to enterprises, nobody can deny the importance of digital signatures to protect their documents. More and more companies are adopting digital signatures and recognizing their huge benefits. Implementing new technologies improves synergies by streamlining workflows, reducing costs, and increasing profits.

Adaptation to this new environment must be recognized as a necessary way to avoid being left behind. The adaptation to modern business is also an advantageous investment to fully appreciate the potentiality of the global digital market. The improvement of efficiency goes hand in hand with the adoption of digital tools.

In this context, digital signatures provide even further reliability in terms of security and data protection. Furthermore, they enable your company to enjoy lots of benefits, such as automating and streamlining workflows.

Traditional signature vs digital signature

 

Digital signatures reduce the use of paper, thus saving time and money

In today’s fast-paced market, every minute counts.

Paper, ink, stationery, and printing tools are just some of the most evident costs associated with paper-based processes. These costs can easily be eliminated by digitizing manual processes.

Moreover, digital solutions help you save the most important resource: time.

In a paper-based process, a person first needs to come into possession of the document by receiving a mail or printing an email. Then they would physically sign the document and send it to its originator or to the other parties who need to sign it. The latter would need to follow the same steps once again and then return the document to the person who started the process, who will need to verify the validity of the document and the signatures.

Delivery delays could occur, signatures could be forged, or the enclosed documents may be altered. What’s more, the issues increase as multiple signatures are required from different people who may be located in different locations. In that case, the sender would need to mail the signed document to the other parties once he collected all the signatures. This entire process is cumbersome and time-consuming.

Digital signatures represent a cost-effective tool to simplify your processes and reduce turnaround times.

Documents can now be easily signed by partners and customers around the world at any time and from every device. It only takes a few minutes. You only need an internet connection to digitally sign a document or collect signatures remotely.

With digital signatures, delays are minimized since there is no need to wait for mailing documents back and forth by post. The automated process of digital signing streamlines workflows by eliminating many sequential steps.

 

How do I send a digital signature request via Penneo?

It's easy to send out documents for digital signature with Penneo. Follow these simple steps and your documents will be signed in no time!

1. Log in to your Penneo account: You can choose to log in via digital ID or by typing in your username and password.
2. Select "Create new case file"
3. Fill in the document details: Type in the document name, select your preferred automated signing flow, and enable additional security measures.
4. Upload the document: You can upload both documents and attachments here. With Penneo, you can digitally sign PDFs by uploading PDF files here.
5. Add recipients: Fill in the details of the people who need to sign the document. On top of that, you can select additional security options during this step.
6. Review and send: Preview your documents and make sure all the details are correct. You can then send out the documents for signing with the touch of a button.

Do you need more information on how to create a digital signature request with Penneo? Check out our video tutorial on how to send out documents for signing with Penneo.

 

How do I digitally sign with Penneo?

It's easy to digitally sign documents with Penneo. Follow these simple steps and sign documents in a matter of minutes!

1. Open the email from Penneo: After opening the email, just click on "Click here to read your documents".
2. Validate your identity: Select the digital ID you wish to use and log in with it to confirm your identity.
3. Read all the documents and attachments
4. After going through all the documents, click on "Go to signing"
5. Sign the document using your digital ID (eID)

Do you need more information on how to digitally sign a document with Penneo? Check out our support article on how to digitally sign with Penneo.

 

How much does a digital signature software cost?

Penneo's digital signature solution prices start from € 129/month.

However, we don't believe in the one-size-fits-all approach. When it comes to digital signatures, you should only pay for what you need. Therefore, we provide a wide range of plans and packages - just choose the one that best fits your needs.

 

Why choose Penneo’s digital signature software?

Our digital signatures can be used as proof of trustworthiness in terms of authenticity, data integrity, and non-repudiation, which are the three core security services for the validity of an e-signature. But how do we achieve this level of security?

Signer authentication: to be 100% sure about who is actually the author of the e-signature, Penneo uniquely identifies signers by using certificate-based Digital IDs issued by TSPs or Certificate Authorities (CAs); a unique PID (Personal Identifier) is also printed on the document so that the signer’s certificate is cryptographically bound to it.

Content integrity: to prevent tampering, once the digital signature has been submitted the entire package is signed by Penneo that acts as a kind of notary and prints a unique watermark ID on the document; every step is captured in a secured audit trail that makes it extremely easy to verify if the document has been altered in transit.

Non-repudiation: to document intent and consent, digital signatures can only be applied through Penneo’s signature platform, where the user must accept a declaration of consent before signing; this statement contains an overview of the documents and is stored as a part of the signature itself; additionally, each digital signature is time-stamped so that the trusted time of generation can be identified and used as non-repudiation evidence.

But the list cannot end here. Because it’s equally important the attention we pay to encryption and data protection to safeguard the privacy of your confidential information. Not to mention all the capabilities and features you can rely on to easily customize, integrate, and automate your signing flows.

Companies around the globe are thriving in this fast-growing marketplace. Invest in digital solutions to get the most out of this ongoing advancement. You’ll save money and boost your security while giving your business a competitive edge. What are you waiting for?

 

Sign up for a free trial of Penneo now!