How does the qualified digital signature work?

The digital signature is the unforgeable equivalent of the handwritten signature. Provided that the digitally generated signatures also comply with the regulations prescribed in the eIDAS Regulation. Then the digital signature is not only forgery-proof, but also 100% legally valid.

For many people, however, the topic still raises questions and uncertainty. Is my signature secure? Can my signature be forged? How can I make sure that the right person has signed?

In order to be able to answer these and other questions, we will deal in this article with how a document can be validly digitally signed and what is necessary for this.

How to digitally sign an electronic document securely

Clarification of terms:

• Digital signatures are used to approve and validate documents in electronic form. They use complex cryptographic mechanisms to authenticate digital documents and messages, confirm the identity of signers, and protect data from tampering and corruption during transmission.

Digital signatures are equipped with back-end tools to ensure that only an authorized person can sign a document and to prevent changes after signing.

A digital signature is created with a unique digital identifier called a "digital certificate" or "public key certificate." Digital certificates are issued by accredited certification authorities (CA) after verifying the identity of the applicant.

• A certification authority (CA) is an institution that is authorized to issue digital certificates. It acts as a trusted third party (TTP) that verifies the identity of the holder of a certificate. A certification authority also certifies the possession of a public key.

• A digital certificate is an electronic passport that identifies the participant in a PKI-secured conversation and enables individuals and institutions to exchange data securely online. Data is encrypted and decrypted using a pair of public and private keys.

• A public key is a unique numeric identifier used to encrypt data or verify digital signatures. It is issued by a certification authority to a person or organization and is publicly available to anyone who needs it.

• A private key is known only to its owner. It is used to decrypt data created with the corresponding public key or to generate digital signatures.

Digital signatures and digital certificates are closely linked. Their applications and uses depend on how these systems are implemented and how the respective PKI infrastructure works. A digital certificate is sometimes called a digital signature certificate because it confirms the public key (authenticity) of the signing entity.

Why do I need a digital signature and certificate?

Let's start with a simple example. Alice and Bob want to communicate together or sign a document.

Scenario 1: Initial example

Alice has two digital cryptographic keys - a public key (PA) and a private/secret key (SA). The public key may be passed on. The private key, however, must be kept secret and secure by Alice.

Alice creates a digital certificate that contains her public key and her e-mail address. She sends this certificate to Bob to share her public key with Bob.

Alice can now sign a document with her Private Key and send it to Bob. Bob can then verify that Alice's Public Key matches the signature made with Alice's Private Key.

Private and Public Key are therefore two sides of the same coin. Anything signed with a private key can be verified with the matching public key.

This now ensures that only Alice can make a signature with her Private Key.

However, another security measure has to be introduced to ensure that the link between Alice's public key and her user ID (e.g. e-mail address) is actually checked.

Scenario 2: What can happen if the certificate is not checked?

This time Mallory wants to pretend to be Alice and communicate with Bob. Mallory has neither Alice's nor Bob's private key. However, he has his own private-public key pair.

Mallory wants to convince Bob that his private key belongs to Alice. To do this, he builds himself a certificate from his public key and Alice's e-mail and sends it to Bob. Bob thinks he has received the public key from Alice.

Now Mallory can sign documents with his private key and send them to Bob. Bob can check the signature again with the public key and which ones match again. Bob is now convinced that Alice signed the message. But in reality it was Mallory.

The problem here is that Mallory has the chance to create a link between his public key and Alice's user ID.

However, we want to prevent that and for that we need a third party.

Scenario 3: How to do it right?

Trent is a trusted third party that ensures that the link between Alice's public key and her user ID is verified. Trent verifies Alice's identity, e.g., using ID verification with Video Ident, and authenticates the digital certificate.

Alice can now sign messages and Bob can be sure that the message is really from Alice. In this way, we manage to produce forgery-proof digital signatures!

So two things are important here:

1. First, Alice's identity must be established and her UserID must be associated with a public key. Alice always keeps the private key in safe custody. Either herself or through a secure third-party provider like sproof.
2. Second, when a signature is made, the identity of the signer must be verified, for example by a push message on your cell phone.

In this way, we manage to produce digital, qualified signatures that are at least as secure as analog signatures.

Technically, each digital signature created for a specific document is unique and therefore extremely difficult to forge. The ability of digital signatures to ensure the integrity and authenticity of electronic documents while indicating the signer's approval enables businesses, contractors and customers to interact online and share information securely.