Digital Signature Tutorial

The authentication of computer-based business information interrelates both technology and the law, and calls for cooperation between people of different professional backgrounds and areas of expertise. Each field of expertise brings to the topic of authentication a different repertoire of concepts. Often the concepts from the information security field correspond only loosely to concepts from the legal field, even though both fields apply the same term to their differing concepts.

This interdisciplinary contrast exists even for basic, central concepts such as "authentication" or "digital signature". From a technical point of view, "digital signature" means the result of applying to specific information the technical processes described below. From a legal point of view, handwriting one's name on paper has been the principal means of signature for centuries. In addition, the legal concept of signature recognizes, in many cases, not only a handwritten name but any mark made with the intention of authenticating the marked document.fn.1 In an electronic setting, today's broad legal concept of "signature" may well include markings such as digitized images of paper signatures, typed notations such as "s/John Smith", or even addressing notations such as letterheads, electronic mail origination headers, and the like. From an information security viewpoint, these simple electronic signatures are entirely different from the "digital signatures" described in this tutorial and in technical documents, although "digital signature" is sometimes used colloquially or in some legal writing to mean another or any form of computer-based signature. To avoid confusion, this publication uses "digital signature" only in the sense in which the term is used in information security terminology, as meaning the result of applying the technical processes described in this tutorial.

The differences between digital signatures and other electronic signatures are significant, not only in terms of process and result, but also because those differences make digital signatures more serviceable for legal purposes. However, some electronic signatures, though perhaps legally recognizable as signatures, may not be as secure as digital signatures, and may lead to uncertainty and disputes.

To understand why digital signatures serve well in legal applications, this tutorial begins with an overview of the significance of signatures in legal transactions. It then explains digital signature technology in simple terms, and examines how, with some legal and institutional infrastructure, digital signature technology can be applied as a computer-based alternative to traditional signatures.

Signatures and the Law

A signature is not part of the substance of a transaction, but rather of its representation or form. Parties often represent their transactions in signed writings. Signing writings and other formalistic legal processes or customs serve the following general purposes: fn.2

Although achieving these purposes is salutary, legal systems vary, both among themselves and over time, in the degree to which a particular form, including one or more signatures, is required for a legal transaction. If a particular form is required, legal systems also vary in prescribing consequences for failure to cast the transaction in the required form. The statute of frauds of the common law tradition, for example, requires a signature, but does not render a transaction invalid for lack of one. Rather, it makes it unenforceable in court, fn.9 and the persistent notion that the underlying transaction remained valid led case law to greatly limit the practical application of the statute.

In general, the trend in most legal systems for at least this century has been toward reducing formal requirements in law, fn.10 or toward minimizing the consequences of failure to satisfy formal requirements. Nevertheless, sound practice remains to formalize a transaction in a manner that best assures the parties of its validity and enforceability. fn.11 In current practice, that formalization usually entails documenting the transaction and signing or authenticating the documentation.

However, the centuries-old means of documenting transactions and creating signatures are changing fundamentally. Documents continue to be written on paper, but sometimes merely to satisfy the need for a legally recognized form. In many instances, the information exchanged to effect a transaction never takes paper form. It also no longer moves as paper does; it is not physically carried from place to place but rather streams along digital conduits at a speed impossible for paper. The computer-based information is also utilized differently than its paper counterpart. Paper documents can be read efficiently only by human eyes, but computers can also read digital information and take programmable actions based on the information.

The law has only begun to adapt to the new technological forms. The basic nature of the transaction has not changed; however, the transaction's form, the means by which it is represented and effected, is changing. Formal requirements in law need to be updated accordingly. The legal and business communities need to develop and adopt rules and practices which recognize in the new, computer-based technology the effects achieved or desired from the paper forms.

To achieve the basic purposes of signatures outlined above, the following effects are needed: fn.12

The concepts of signer authentication and document authentication comprise what is often called "nonrepudiation service" in technical documents. The nonrepudiation service of information security "provides proof of the origin or delivery of data in order to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent." fn.15 In other words, a nonrepudiation service provides evidence fn.16 to prevent a person from unilaterally modifying or terminating her legal obligations arising out of a transaction effected by computer-based means.

Digital signature technology generally surpasses paper technology in yielding these desired effects. fn.17 To understand why, one must first understand how digital signature technology works.

How Digital Signature Technology Works

Digital signatures are created and verified by means of cryptography, the branch of applied mathematics that concerns itself with transforming messages into seemingly unintelligible forms and back again. For digital signatures, two different keys are generally used, one for creating a digital signature or transforming data into a seemingly unintelligible form, and another key for verifying a digital signature or returning the message to its original form. fn.18 Computer equipment and software utilizing two such keys is often termed an "asymmetric cryptosystem".

The keys of an asymmetric cryptosystem for digital signatures are termed the private key, which is known only to the signer fn.19 and used to create the digital signature, and the public key, which is ordinarily more widely known and is used to verify the digital signature. A recipient must have the corresponding public key in order to verify that a digital signature is the signer's. If many people need to verify the signer's digital signatures, the public key must be distributed to all of them, perhaps by publication in an on-line repository or directory where they can easily obtain it.

Although the keys fn.20 of the pair are mathematically related, it is XE "Computational infeasibility:deriving private key from public"computationally infeasible fn.21 to derive one key from the other, if the asymmetric cryptosystem has been designed and implemented securely for digital signatures. fn.22 Although many people will know the public key of a given signer and use it to verify that signer's signatures, they cannot discover that signer's private key and use it to forge digital signatures.

Use of digital signatures is comprised of two processes, one performed by the signer and the other by the receiver of the digital signature:

A more fundamental process, termed a "hash function" fn.24 in computer jargon, is used in both creating and verifying a digital signature. A hash function creates in effect a digital freeze frame of the message, a code usually much smaller than the message but nevertheless unique to it. fn.25 If the message changes, the hash result of the message will invariably fn.26 be different. Hash functions enable the software for creating digital signatures to operate on smaller and predictable amounts of data, while still providing a strong evidentiary correlation to the original message content.

As illustrated in figure 1, to sign a document or any other item of information, the signer first delimits precisely what is to be signed. The delimited information to be signed is termed the "message" in the ABA Guidelines and Utah Act. Then a hash function in the signer's software computes a hash result, a code unique to the message. The signer's software then transforms the hash result into a digital signature by reference to the signer's private key. This transformation is sometimes described as "encryption". The resulting digital signature is thus unique to both the message and the private key used to create it.

Typically, a digital signature is attached to its message and stored or transmitted with its message. However, it may also be sent or stored as a separate data element, so long as it maintains a reliable association with its message. Since a digital signature is unique to its message, it is useless if wholly dissociated from its message.

Verification of a digital signature, as illustrated in Figure 2, is accomplished by computing a new hash result of the original message by means of the same hash function used in creating the digital signature. Then, using the public key, the verifier checks whether the digital signature was created using the corresponding private key, and whether the newly computed hash result matches the hash result derived from the digital signature. If the signer's private key was used and the hash results are identical, then the digital signature is verified. Verification thus indicates (1) that the digital signature was created using the signer's private key, because only the signer's public key will verify a digital signature created with the signer's private key, fn.27 and (2) that the message was not altered since it was signed, because the hash result computed in verification matches the hash result from the digital signature, which was computed when the message was digitally signed.

Various asymmetric cryptosystems create and verify digital signatures using different mathematical formulas and procedures, but all share this overall operational pattern.

The processes of creating a digital signature and verifying it accomplish the essential effects desired of a signature:

The core of the programs used for digital signatures have undergone thorough peer review, and an extensive scientific and technical literature underlies them. Digital signatures have been accepted in several national and international standards developed in cooperation with and accepted by many corporations, banks, and government agencies. The likelihood of malfunction or a security problem in a digital signature cryptosystem designed and implemented as prescribed in the industry standards is extremely remote, and far less than the risk of undetected forgery or alteration on paper or of using other less secure electronic signature techniques.

Public Key Certificates

To verify a digital signature, the verifier must obtain a public key and have assurance that that public key corresponds to the signer's private key. However, a public and private key pair has no intrinsic association with any person; it is simply a pair of numbers. The association between a particular person and key pair must be made by people using the fact-finding capabilities of their senses.

In a transaction involving two parties, for example, the parties could bilaterally identify each other with the key pair each party will use, but making such an identification is no small task, especially when the parties are geographically distant from each other, communicate over an open, insecure information network, are not natural persons but rather corporations or similar artificial entities, and act through agents whose authority must be ascertained. Since reliably identifying a remote party involves considerable effort, establishing a remote party's digital signature capability specially for each of many transactions is inefficient. Instead, a prospective digital signer will often wish to identify itself with a key pair and reuse that identification in multiple transactions over a period of time.

To that end, a prospective signer could issue a statement such as: "Signatures verifiable by the following public key are mine". However, others doing business with the signer may well be unwilling to take the signer's own purported word for its identification with the key pair. Especially for electronic transactions made over worldwide information networks rather than face to face, a party would run a great risk of dealing with a phantom or an impostor, or of facing a disavowal of a digital signature by claiming it to be the work of an impostor, particularly if a transaction proves disadvantageous for the purported signer. To assure that each party is indeed identified with a particular key pair, one or more third parties trusted by both of the others must associate an identified person on one end of the transaction with the key pair creating the digital signature received at the other end, and vice versa. That trusted third party is termed a "certification authority" in the ABA Guidelines, the Utah Act, and most technical standards.

To associate a key pair with a prospective signer, a certification authority issues a certificate, an electronic record that sets forth a public key and represents that the prospective signer identified in the certificate holds the corresponding private key. That prospective signer is termed the "subscriber". Thus, a certificate's principal function is to identify a key pair with a subscriber, so that a person verifying a digital signature by the public key listed in the certificate can have assurance that the corresponding private key is held by the subscriber also listed in the certificate.

To assure the authenticity and inviolability of the certificate, the certification authority digitally signs it. The issuing certification authority's digital signature on the certificate can be verified using the public key listed in another certificate, and that other certificate can be verified by the public key listed in yet another certificate, and so on, until the person relying on the digital signature is adequately assured of its genuineness.

To make a public key and its identification with a specific subscriber readily available for use in verification, the certificate may be published in a repository. Repositories are on-line databases of certificates available for retrieval and use in verifying digital signatures. Often, retrieval is accomplished automatically by having the verification program inquire of the repository to obtain certificates as needed.

Once issued, a certificate may prove to be unreliable, such as in situations where the subscriber misrepresents his identity to the certification authority. In other situations, a certificate may be reliable enough when issued but come to be unreliable sometime thereafter. For example, if the subscriber loses control of the private key, the certificate becomes unreliable, since digital signatures created by the lost private key would appear to be the subscriber's according to the certificate. In such situations where the certificate has become unreliable, the certification authority, perhaps at the subscriber's request, may suspend (temporarily invalidate) or revoke (permanently invalidate) the certificate. Immediately upon suspending or revoking a certificate, the certification authority must publish notice of the revocation or suspension, or at least notify persons who inquire or who are known to have received a digital signature verifiable by reference to the unreliable certificate.

Challenges and Opportunities

The prospect of fully implementing digital signatures in general commerce presents both advantages and disadvantages, or benefits and costs. The costs or disadvantages consist mainly of:

On the plus side, the principal advantage to be gained is more reliable authentication of messages. Digital signatures, if properly implemented and utilized:

Considering the alternatives, such as paper signatures, computerized images of handwritten signatures, or typed signatures such as "s/John Smith", the benefits of digital signatures outweigh their burdens. The ABA Guidelines and Utah Act are intended to advance legal recognition of digital signatures and establish an institutional infrastructure to support digital authentication.


Note 1
See, e.g., Uniform Commercial Code § 1-201(39) (1992).
Note 2
This list is not exhaustive. For example, Restatement (Second) of Contracts notes another function, termed the "deterrent function", which seeks to "discourage transactions of doubtful utility. Restatement (Second) of Contracts § 72 comment c (1981). Professor Perillo also notes, in an especially comprehensive list, earmarking of intent, clarification, managerial efficiency, publicity, education, as well as taxation and regulation as functions as served by the statute of frauds. Joseph M. Perillo, The Statute of Frauds in the Light of the Functions and Dysfunctions of Form, 43 Fordham L. Rev. 39, 48-64 (1974) (hereinafter "Perillo").
Note 3
Restatement (Second) of Contracts, statutory note preceding § 110 (1982) (purpose of the statute of frauds, which includes a signature requirement); Lon L. Fuller, Consideration and Form, 41 Colum. L. Rev. 799, 800 (1941) (hereinafter "Fuller"); Jeremy Bentham, The Works of Jeremy Bentham 508-85 (Bowring ed. 1839) (Bentham called forms serving evidentiary functions "preappointed [i.e., made in advance] evidence"). A handwritten signature creates probative evidence in part because of the chemical properties of ink that make it adhere to paper, and because handwriting style is quite unique to the signer; Perillo at 64-69.
Note 4
2 John Austin, Lectures on Jurisprudence 939-44 (4th ed. 1873); Restatement (Second) of Contracts § 72 comment c (1982) and statutory note preceding § 110 (1982) (what is here termed a "ceremonial" function is termed a "cautionary" function in the Restatement); Perillo at 53-56; Fuller at 800; Rudolf von Jhering, Geist des römischen Rechts § 45 at 494-98 (8th ed. 1883) (hereinafter "Jhering").
Note 5
See Perillo at 47-48; Bruce Cohen, The Basis of Contract, 46 Harv. L. Rev. 553, 582-83 (1933).
Note 6
See United Nations Commission on International Trade Law (UNCITRAL) Draft Model Law on the Legal Aspects of Electronic Data Interchange (EDI) and Related Means of Data Communication art. 6 (1994). For example, a signature on a written contract customarily indicates the signer's assent. A signature on the back of a check is customarily taken as an endorsement; see also Uniform Commercial Code § 3-204 (1990).
Note 7
See Perillo at 50-53; Fuller at 801-802; Jhering § 45 at 494-97 (analogizing the form of a legal transaction to minting of coins, which serves to make their metal content and weight apparent without further examination).
The notion of clarity and finality from a form is related to the evidentiary function; the clarity and finality are largely predicated on form providing good evidence. In other words, the basic premise of the efficiency and logistical function is that a signed, written document is such a good indicator of what the transaction is that the transaction should be considered to be as the signed document says. The moment of signing the document thus becomes decisive.
This premise that a document can adequately capture a transaction has been undermined in modern times, except for negotiable instruments and certain other simple, highly stylized, and statutorily supported transactions. Rules designed to treat written documents as final, such as the common law's parol evidence rule, have been repealed or have degenerated to obstacles usually surmountable, albeit at a significant cost.
Note 8
See, e.g., United Nations Convention on International Bills of Exchange and International Promissory Notes arts. 3(1)(d) (bills of exchange) and 3(2)(d) (promissory notes); Uniform Commercial Code § 3-401 (1990) (a person is not liable on an instrument unless the person signed it); see generally Uniform Commercial Code § 3-104 (1990) (requirements for negotiability).
Note 9
2 Arthur L. Corbin, Corbin on Contracts § 279 at 20-23 (1950). In English law, the original 1677 statute of frauds was repealed in 1954 by the Law Reform (Enforcement of Contracts) Act, 2 & 3 Eliz. II, c. 34, except for its suretyship and real property provisions. However, it remains in force throughout the United States and in much of the British Commonwealth outside the United Kingdom.
Note 10
See Perillo at 41-42.
In Anglo-American law, many examples of the trend away from formal requirements can be cited, such as:
For a classic examination of the advantages and disadvantages of formal requirements, see Jhering at 470-504.
Note 11
Michael Braunstein, Remedy, Reason, and the Statute of Frauds: A Critical Economic Analysis 1989 Utah L. Rev. 383, 423-26 (1989); Jhering at 474 (inattention to legally appropriate form for expressing intent exacts its own consequences (rächt sich selber")).
Note 12
These effects include those listed in the U.S. Comptroller General's rationale for accepting digital signatures as sufficient for government contracts under 31 U.S.C. 1501(a)(1): "The electronic symbol proposed for use by certifying officers . . . embodied all of the attributes of a valid, acceptable signature: it was unique to the certifying officer, capable of verification, and under his sole control such that one might presume from its use that the certifying officer, just as if he had written his name in his own hand, intended to be bound." In re National Institute of Standards and Technology Use of Electronic Data Interchange to Create Valid Obligations, file B-245714 ( Comptroller Gen'l, 1991).
Note 13
A paper signature identifies the signed matter less than perfectly. Ordinarily, the signature appears below what is signed, and the physical dimensions of the paper and the regular layout of the text are relied upon to indicate alteration. However, those mechanisms are not enough to prevent difficult factual questions from arising. See, e.g., Citizens Nat'l Bank of Downers Grove v. Morman, 78 Ill. App. 3d 1037, 398 N.E.2d 49 (1979); Newell v. Edwards, 7 N.C. App. 650, 173 S.E.2d 504 (1970); Zions First Nat'l Bank v. Rocky Mountain Irrigation, Inc., 795 P.2d 658, 660-63 (Utah 1990); Lembo v. Federici, 62 Wash. 2d 972, 385 P.2d 312 (1963).
Note 14
The consequences of altering a signed writing are often serious. At Anglo-American common law, a material and fraudulent alteration of a written contract which is either integrated or required to be in writing makes the contract avoidable. Restatement (Second) of Contracts § 286 (1987). The rules regarding alterations in negotiable instruments are generally more limited in effect, see, e.g., United Nations Convention on International Bills of Exchange and International Promissory Notes art. 35 (material alteration without authorization or assent is ineffective, but the original text remains effective); Uniform Commercial Code §§ 3-416(a)(2), 3-417(a)(2), 4-207(a)(3), 4-208(a)(2) (1990) (state law throughout the United States).
Note 15
ISO/IEC JTC1/SC21 Project 97.21.9 Q53 (1989); Warwick Ford, Computer Communications Security: Principles, Standard Protocols & Techniques 29-30 (1994); Michael S. Baum, Federal Certification Authority Liability and Policy: Law and Policy of Certificate-Based Public Key and Digital Signatures 9 (1994).
Note 16
A nonrepudiation service provides only proof of facts to defend against an opponent's effort to avoid a transaction. See Michael S. Baum, Federal Certification Authority Liability and Policy: Law and Policy of Certificate-Based Public Key and Digital Signatures § 3 and appendix 1 § 2(d) (1994).
Note 17
For a more thorough examination of properties desirable in a digital signature, seegenerally Mitchell, Piper & Wild, Digital Signatures, in Contemporary Cryptology: The Science of Information Integrity 325, 341-46 (Gustavus Simmons ed. 1991).
Note 18
Although the roots of digital signatures lie in cryptography, a digital signature does not necessarily involve encryption or confidentiality of the signed message. Generally, a digital signature is an appendage to its message, and the transformations involved in creating the digital signature do not affect the message or make it confidential, although some implementations may provide for optional message confidentiality.
Note 19
Of course, the holder of the private key may choose to divulge it, or may lose control of it, and thereby make forgery possible. The ABA Guidelines and Utah Act seek to address this problem in two ways, (1) by requiring a subscriber, who holds the private key, to use a degree of care in its safekeeping (cf.12 C.F.R. part 205 (1994) (commonly termed "Regulation E"), and (2) enabling the subscriber to disassociate himself from the key by temporarily suspending or permanently revoking his certificate. See ABA Guidelines 3.11 and 3.12.
A variety of methods are available for securing the private key. The safer methods store the private key in devices about the size of a credit card or 3½-inch floppy disk. Such a device or "cryptographic token" executes the signature program within itself, so that the private key is never divulged outside the token and does not pass into the main memory or processor of the signer's computer. The signer must typically present to the token some authenticating information, such as a password, pass phrase, or personal identification number, for the token to run a process requiring access to the private key. Besides cryptographic tokens, other, generally less secure, methods exist for keeping the private key safe.
Note 20
Many cryptographic systems will function securely only if the keys are lengthy and complex, too lengthy and complex for a person to easily remember or use. In modern cryptography, keys are ordinarily kept and used on computer media.
Note 21
"Computationally infeasible" is a relative concept based on current and foreseeable technology. See Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C 7 (1994). Digital signature algorithms are available which have undergone extensive testing and cryptographic analysis to assure their impregnability under the most challenging present or foreseeable conditions. Their reliability is limited by an inability to predict the future, but they can nevertheless provide a degree of security better than available alternatives, including paper.
Note 22
See generally Warwick Ford, Computer Communications Security: Principles, Standard Protocols and Techniques 71-75 (1994); Charlie Kaufman, Radia Perlman & Mike Speciner, Network Security: Private Communication in a Public World 48-56 (1995) (hereinafter Kaufman, et al., Network Security).
Note 23
Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C 27-38 (1994).
Note 24
Hashing is a process by which a computer program arranges a body of information into a table. Hashing may serve a variety of programming objectives besides information security, such as look-up and retrieval. In the ABA Guidelines and Utah Act, "hash function" is used for the hashing portion of a program, and "hash result" is used to describe the index output from hashing. See ABA Guidelines 1.10 and 1.11.*
Note 25
See generally Warwick Ford, Computer Communications Security 75-84 (1994); Kaufman, et al., Network Security 101-27; Nechvatal, Public Key Cryptography, in Comtemporary Cryptology: The Science of Information Integrity 179, 199-202 (Gustavus Simmons ed. 1991); Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C 27-28 (1994).
Besides the properties listed above, a secure hash function also produces a hash result from which it is computationally infeasible to reconstruct the original message.
Note 26
It is extremely improbable that two messages will produce the same hash result. See Kaufman, et al., Network Security at 102.
Note 27
Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C 31-38 (1994).
Note 28
A digital signature should be time-stamped because a signer can prospectively terminate its digital signature capability by suspending or revoking the signer's association with the key pair as of a particular date. The time of a digital signature also needs to be checked against the validity period of the certificate, which is the record that links the signer to the key pair, to insure that the certificate has not yet expired.
Note 29
One property of the act of signing is that it is a discrete process for each signature; each act yields a result that can be considered unique. Each signature may accordingly be a distinct act of legal consequence. Multiple signatures may mean multiple obligations, or simply repetitions of the same obligation, depending heavily on the content of the signed message. Two signed checks for one hundred dollars each create a total obligation of $200; however, two identically worded documents, in which A agrees to sell and B agrees to buy certain land, most likely manifest a single contract of which two originals are extant.
Sometimes it is important to distinguish between originals and copies, to prevent copies from being mistaken for distinct obligations. The digital signature technology described in this tutorial does not address this need; however, systems could be devised incorporating additional functionality to distinguish between an original and its copies, if such a distinction is significant. Whether such a distinction is significant is a principal issue underlying Guideline 5.5 (digitally signed documents as originals).
Note 30
A hierarchy among certification authorities is implicit in some implementations of the requirement that a certification authority identify the subscriber with the public key of a certain key pair in a certificate, which the certification authority digitally signs. To digitally sign, a certification authority must itself have a key pair identified in another certificate signed by another certification authority. That certification authority must also have a key pair identified in yet another certificate, and so on. The chain of certificates suggests perhaps the rudiments of a heirarchical structure, which may assist in assuring that certification authorities are trustworthy. See Guideline 1.32, especially comment 1.32.4.