This blog was written by an independent guest blogger.
Digital signatures have been around for decades, but recent events have put them back in the spotlight. They were heralded as the future of cybersecurity as far back as 1999, but in the intervening years came to be somewhat taken for granted by security engineers. Not any longer: the massive move to home working precipitated by the Covid-19 pandemic have forced many to take a fresh look at the security value of digital signatures, why they matter, and their relationship to encryption.
We thought we'd do the same. In this article, we'll give you a refresher course on how digital signatures work, why they are important for security, and what the future holds.
How do digital signatures work?
Digital signatures, at the most fundamental level, are mathematical algorithms used to validate the authenticity and integrity of an electronic message. This "message" could be an email, a credit card transaction, or a digital document. Digital signatures create a virtual "fingerprint" that is completely unique to a person (or other entity), and can therefore be used not just to protect the contents of messages, but also to ensure that they were written by who they claim to have been.
At a deeper level, digital signatures work by applying a hash function to a message. In most cases, a user's private key will be used to create a "hash," which is a fixed-length string of numbers and letters. The way in which hash functions work means that this string is totally unique to the message being hashed. In addition, hash functions are also one-way functions — a computed hash cannot be reversed to find other files that may generate the same hash value. The most popular hashing algorithms in use today are Secure Hash Algorithm-1 (SHA-1), the Secure Hashing Algorithm-2 family (SHA-2 and SHA-256), and Message Digest 5 (MD5).
The importance of digital signatures
The value of digital signatures has been long recognized, but recent events have meant that they are being deployed at an unprecedented rate. This is because digital signatures afford the ability for users to securely communicate when working remotely – which more than half of US workers did even before the pandemic – without the need for a permanent, sustained encrypted connection.
More specifically, digital signatures allow three factors about a message to be verified:
- Authentication. Because, in most implementations, digital signatures are created using the sender's private encryption key, it is possible to verify the identity of the message source.
- Data Integrity. Because hash functions produce a digital signature by looking at the entirety of a particular message, if any part of the message changes, so does the hash function. This means that if a message is intercepted in transit and changed, the digital certificate verification performed by the recipient fails. This means that the recipient has an easy way to check if data security has been breached.
- Non-repudiation. When working with digital signatures, it is assumed that only the sender has knowledge of their own private key. Because of this, and because the recipient of a message is able to use the digital signature to verify their identity, it is possible for the recipient to use the digital signature as proof (even in a legal sense) that a message was sent.
Because of these three factors, digital signatures have become the gold standard for sending messages that need to be protected, and which need to have their author verified.
Though digital signatures are a powerful tool for ensuring cybersecurity, they do suffer from some disadvantages, and some fear that these may undermine the long-term outlook for the digital signature system.
One of the major disadvantages of digital signatures is their cost. The public key encryption system that is used as part of the digital signing process requires a Certificate Authority (CA) to provide trusted certificates. This often comes at a cost, and one that can climb steeply if an organization needs to use hundreds (or even thousands) of digital signatures.
For this reason, many organizations were in the process of moving away from digital signatures, in favor of real-time encryption protocols and other forms of authentication procedure such as multi-factor authentication. These technologies allow employees to share documents securely, because they are encrypted in transit, but unfortunately tools such as VPNS – often hyped as a catch-all solution to remote working security – don't provide all of the advantages of the digital signature system.
Specifically, this type of real-time encryption cannot authenticate the identity of the creator of a message in the same way that a digital signature can. For this reason, it's likely that the future of digital signatures is going to be a rosy one.
The bottom line
This refresher course on digital signatures might seem a little outdated for cybersecurity pros who have been in the game for decades. The way in which digital signatures work formed part of the standard computer science syllabus for many of us. However, it's important to recognize that newly-trained analysts often overlook the importance and centrality of digital signatures to cybersecurity.
In fact, in many instances organizations can end up spending extra resources putting in place a more complex system, when the standard digital signature will more than cover their level of cyber risk. And so perhaps the pandemic, by focusing our minds on the fundamental importance of digital signatures, will have done us all a favor.