What is a digital signature?

Fundamental principles
May 13, 2012 By Pierluigi Paganini

Private companies and governments agencies all around the word make huge investments for the
automation of their processes and in the management of the electronic documentation.

The main requirement in the management of digital documentation is its equivalence, from a legal
perspective, to paperwork, affixing a signature on a digital document is the fundamental principle on
which are based the main processes of authorization and validation, apart from the specific area of
application.

Main benefits for the introduction of digital signing processes are cost reduction and complete
automation of documental workflow, including authorization and validation phases.

In essence,

Private companies and governments agencies all around the word make huge investments for the
automation of their processes and in the management of the electronic documentation.

digital signatures allow you to replace the approval process on paper, slow and expensive, with a
fully digital system, faster and cheaper.

Figura 1 – Digital document lifecycle

The digital signature is simply a procedure which guarantees the authenticity and integrity of
messages and documents exchanged and stored with computer tools, just as in traditional
handwritten signature for documents. Essentially The digital signature of an electronic document
aims to fulfill the following requirements:

 that the recipient can verify the identity of the sender (authenticity);
 that the sender can not deny that he signed a document (non-repudiation);
 that the recipient is unable to invent or modify a document signed by someone else (integrity).

A typical digital signature scheme consists of three algorithms:

1. an algorithm for generating the key that produces a key pair (PK, SK): PK (public key, public key)
is the public key signature verification while SK (Secret Key) is the private key held by the
petitioner, used to sign the document.
2. a signature algorithm which, taken as input a message m and a private key SK produces a
signature σ.
3. a verification algorithm which, taken as input the message m, public key PK and a signature σ,
accepts or rejects the signature.

To generate a digital signature is necessary to use the digital asymmetric key pair, attributed
unequivocally to a person, called holder of the key pair:

 The private key is known only by the owner, it is used to generate the digital signature for a
specific document;
 The public key is used to verify the authenticity of the signature.

Once the document is signed with the private key, the signature can be verified successfully only
with the corresponding public key. Security is guaranteed by the impossibility to reconstruct the
private key (secret) from the public, even if the two keys are uniquely connected.

Digital Signature Process

A Digital signature is a one-way hash, of the original data, that has been encrypted with the signer’s
private key. A digital signature process is composed by the following steps:

 The signer calculates the hash for the data he needs to sign. The message digest is a file size small
(160-bit SHA-1 now deprecated, with 256-bit SHA-256) that contains some sort of control code
that refers to the document. The hash function is produced minimizing the likelihood to get the
same value of the digest from different texts and is also “one way” function: this means that from
calculates hash it is impossible to get back the original text.
 The signer, using his private key, encrypt the hash calculate.
 Signer sends the original data and the digital signature to the receiver. The pair (document and
signature) is a signed document or a document to which was attached a signature. The document
is in clear text but it has the signature of the sender and can be sent so that it can be read by
anyone but not altered since the digital signature guarantees also integrity of the message.

For the verification, The receiving software first uses the signer’s public key to decrypt the hash,
then it uses the same hashing algorithm that generated the original hash to generate a new one-way
hash of the same data. The receiving software compares the new hash against the original hash. If
the two hashes match, the data has not changed since it was signed.
 Figura 2 – Digital Signature Process

The authenticity of a document can be verified by anyone decrypting the signature of the document
with the sender’s public key, obtaining the fingerprint of the document, then comparing it with that
obtained by applying the hash function (which is known) to the document received which was
attached the signature. If the two fingerprints are equal, the authenticity and integrity of the
document are demonstrated.
The signing and verification operations may be delegated to a schedule issued by the certification.
Thanks to the mechanism shown, the digital signature ensures non-repudiation: the signer of a
document transmitted cannot deny having sent it and the receiver can deny to have received it. In
other words means that the information cannot be ignored, as in the case of a conventional signature
on a paper document in the presence of witnesses.

The advantages of digital signatures

The activation of a fully automated workflow, digital signatures, reduce time and costs associated
with the signatures on paper, the latter in fact have an economic cost and create delays and
inefficiencies.
An estimate provided by ARX on the basis of current data sets that each of their clients handwritten
signature on a paper document to determine the company at a cost of $ 30 U.S including costs
associated with paper, printing costs, of signing, scanning, forwarding, storage and regeneration of
lost or missing documents. According to the study of ARX, a person authorized to sign documents
marking more than 500 documents a year.

The digital signatures process is essential for the formal approval processes of every companies, a
typical scenario require multiple authorization of multiple offices for each document.

Thus digital signatures allow alternate approval processes, collaboration and delivery of paper
(expensive and slow), with a digital system (faster, cheaper and more efficient).This results in a
number of advantages:

 improved operational efficiency, reduce cycle time and elimination of costs;

 risk mitigation, compliance assurance, data quality and long-term storage of files;
 increase the competitiveness and service levels.

Resuming, digital signatures can reliably automate the signatures of authorization allowing the
elimination of paper, reducing costs and improving the speed of production processes.
By virtue of all these advantages, the digital signature can be particularly useful for:

 Government agencies in regulated sectors with workflows

subject to formal approval;
 organizations must submit documents that need to be
approved by various offices;
 representatives of organizations that use, or services that
require commercial building and the provision of reports
or contracts signed;
 Away from executives such as a signature is required to
activate the processes;
 organizations which cooperate with external partners and
require approval for workflows;
 Web portals with external modules that require
compilation and signing.
 Note that the type of documents to which to apply the
digital signature is particularly composite, and includes:
 sales proposals, contracts with customers.
 purchase orders, contracts / agreements with partners.
 contracts, agreements, acts of the board.
 leases, contracts, expense reports and reimbursement
approvals.
 Human Resources: Documentation of employment of
employees, presence control cards.
 Life Sciences: Questions and proposals, QC records,
standard operating procedures (SOPs), policies, work
instructions.
 Mechanical work: drawings, sketches, plans, instructions
and relations of production.
health services: medical and patient consent forms,
medical exams, prescriptions, laboratory reports.
 How to Secure Digital Signatures

By Aaron Weiss,
Posted January 9, 2014
Hackers have found many ways to exploit digital certificates. What
can you do to defend yourself against digital certificate risks?
SHARE

SECURITY DAILY NEWSLETTER

GET SECURITY NEWS IN YOUR INBOX EVERY DAY

| NewsLetter Submission

Sponsored Content

Connecting the Dots: The Rise of Security Operations Centers

By Michael Stevens for HP

Most Recent Network Security Articles

 How to Conduct a Vulnerability Assessment: 5 Steps toward Better Cybersecurity

 How to Manage a Security Operations Center
 Vulnerability Scanning: What It Is and How to Do It Right
 Top 10 Takeaways from RSA Conference 2019
Download our in-depth report: The Ultimate Guide to IT Security Vendors

SHARE

"Trust no one" is a saying embraced by everyone from punk rockers to "X-Files" fans
to privacy advocates. But in the real world, life would come to a grinding halt without
any trust at all.

Likewise, computer security has always involved some degree of trust. Trusted
networks, trusted hosts, and trusted apps are granted privileges unavailable to their
untrusted counterparts. But punk rockers aren’t exactly wrong; trust can be a
dangerous thing.

Digital signatures, certificates signed with a private key which is intended to ensure
recipients of the identity of the certificate's owner, are built on the principle of trust.
The certificate is issued by a CA, or certificate authority, itself a form of trust. The CA
is granted the power to issue these certificates, and therefore we trust them.

The private key used to sign the certificate is a cryptographic token owned by the
organization or individual whose identity is linked to that key. In short, a piece of
software digitally signed by Microsoft can be trusted to actually be created by
Microsoft.

Digital Certificates and Malware

Trust is flawed. When we program our systems to trust the sheep, the malicious
hackers (wolves) turn their efforts to creating a costume that looks like a sheep. The
hackers have succeeded so well that, according to a 2012 McAfee report, over
200,000 pieces of malware have been identified which present legitimate digital
signatures. In other words, the wolves are literally running loose around the world
dressed like sheep.

Imperva Incapsula Guide: Protecting SaaS Apps

from DDoS Attacks
Download

Download

The Ultimate Guide to IT Security Vendors

Download

Download

The modern era of digital signature hacking arguably was accelerated by the famous
Stuxnet attack in 2010. Malware which targeted industrial control systems (now
known to have been created by the U.S. government for cyberwarfare) was "signed"
using digital signatures from respected technology companies like Realtek and
JMicron. Experts believe malware called Zeus, which can search for and retrieve
private keys from infected machines, was used to steal the signatures.

Today, theft of digital signatures is virtually a cottage industry among malicious

hackers. Even a single piece of malware -- such as the fake anti-virus scanner
"Antivirus Security Pro" -- contains a dozen digital signatures stolen from legitimate
companies.

Lessons from Master Key Compromise

Dressing as sheep is just one strategy used by malicious hackers. Avoiding
detection altogether is also becoming widely used tactic. On the Android mobile
platform, the most famous such compromise is known as the Master Key
compromise.

Revealed this past July, the Master Key compromise is not actually a compromise of
digital signatures themselves. Instead, it exploits a flaw in Android which fails to
correctly detect when an app’s data does not match the inventory verified by its key.
This security hole allowed hackers to create malicious Android apps which contained
malware code that the system would install after being fooled by the digital signature.

Google has since patched Android to fix the vulnerability, but because of device
fragmentation in the Android market, it is up to each handset vendor to propagate
updates to devices – which sometimes never happens.

For Android users – such as enterprises using company-issued Android devices or

those with BYOD policies which allow employee-owned devices on the corporate
network – the best defense is the same advice as always: Only install apps from the
Google Play store.

Although security researchers have detected 700,000 pieces of Android malware,

these apps circulate outside the Google Play store and must be sideloaded onto an
Android device. This requires disabling the default in Android which prevents
installing apps from unapproved sources. In short, the best defense is "don’t do that!"

Digital Certificates and Limits of Trust

Every enterprise must mitigate against malware risks. The usual defense policies all
apply – particularly active network scanners and employee education against
"unsafe" behaviors like opening unknown email attachments.

Some exploited digital signatures are detected as suspicious by operating systems

and malware scanners. For example, when a private key is stolen, the Certificate
Authority can revoke that key. Revoked certificates should prevent automatic
installation of low-level malware-laced software such as device drivers.

But users often instinctively ignore or click-through warnings about esoteric details
like expired digital certificates when installing software. Defending against this
behavior requires specific education about digital certificates, and possibly even a de
facto ban against installing any software with questionable digital certificates.

Securing Digital Certificates

While many enterprises already focus significant resources defending against
malware attacks, the sheer quantity of stolen digital certificates suggests that similar
efforts are not invested in protecting an organization’s private keys.

It is bad news for an organization whose private keys have been stolen and exploited
to sign digital certificates used in malware. Not only does this harm trust in the
enterprise and their security practices, but their certificates will need to be revoked
and re-issued, potentially affecting a large base of customers.

Hackers typically steal private keys through a malware compromise of corporate

machines. Among particularly attractive targets are companies which develop
software and therefore actively generate and distribute digital certificates. When
hackers gain access to development machines, they will look for exposed private
keys to steal. The fact that so many forged digital certificates are now in the wild
demonstrates the success of this strategy.

The best defense for organizations is simple to say and complex to implement: Keep
your private keys secure.

Policies that support this goal include:

 Store private keys on a network separate from general enterprise activity.

 Store private keys in encrypted containers or encrypted physical devices
(such as secure thumb drives) stored in a secure location.
 Strictly limit access to private keys on a “need to know” basis.
 Consider using a digital certificate and key management system.

Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and
Wi-Fi Planet.
Singapore Government Initiative for Enterprise Digitalization

Every Enterprise has so many challenges in handling business documents . We listed thirty
questions of our customers.

1. When they send docs using company email id , the document is Hacked , Document content is
Hacked, Email message is Hacked, Web site is Hacked . How it can be avoided ?

2.The recipient is asking the authenticity of document sender & time stamp of sign. how do we give
it ?

3.Lot of scams are happening in handling electronic signature . how to have a secure electronic
signature?

4.how to keep the document Tamper proof /Safe and Secure ?

5.How to attach validity to document ?

6.How to secure the document Without touching the content?

7.How to avoid misuse of digital certificate ?

8.How to improve the approval process which needs fastest TAT ?

9.How to automate the approval workflow ?

10. How to keep the backup? where to keep the backup?

11.How can we prepare organization certified digital certificate internally ?

12.How can we work with third party certification authority ?

13.How do we perform bulk sign as batch mode when signed documents are on demand?

14.IS there a way to digitally sign my web site ?

15.IS there a way to extract data from pdf and automate the PO Approval?

Enterprise Digitalization challenges ?

17.Can I allow digital signer to sign only documents of certain amount ?How to do it ?

18.Can I allow digital signer to sign only documents certain moths old ?

19.Can i allow only digital signature signing if signer is the owner of the document?

20.Can i allow only digital signature signing if signer is allowed to sign certain country document?

21.Can i allow only digital signature signing if signer is allowed to sign certain client PO document?

22.Can i allow only digital signature signing if signer is allowed to sign certain client PO document?

23.How to make office document as a trusted / tamper proof / secure document?

24.How can we perform multiple digital signatures in the document?

25.How can we do attestation in the document ?

26.How can we perform attestation with sign in the document?

27.How can we get the inbox documents automatically and perform signing?

28.How do we keep different set of documents ?

29.Howw do we perform Realtime processing?

30.How do we assure the sending document signed ?

If you want to get ride of these challenges , we have a Digital signature solution

Digital Signature E-mail write up:

In today’s hyper-connected digital world, the traditional methods of signing and authenticating the
documents are being replaced by digital Signatures. The effectiveness of the digital signature is
creating the urgency to adapt. This is the best time for the firms to replace traditional methods of
signing with digital signature to tackle the most common Realistic Issues. Versant System’s has
created a Ten Layer Security Digital Signature to help the organizations - To Reduce Cost, To
optimize Processes & Efficiency and Enhance data security & privacy./It helps organizations to
increase Efficiency, Compatibility and Integrity. Please find the attachment of the snapshot.

tamper proof, fraud proof, and error proof. T

Private companies and governments agencies all around the word make huge investments for the
automation of their processes and in the management of the electronic documentation like Digital
Signature.
Digital signatures allow you to replace the approval process on paper, slow and expensive, with a
fully digital system, faster and cheaper.

Is the digital signature applicable a every

enterprise as a need or an option ?
Please answer YES /NO questions below which assess the need of digital signature in your
company as a required need.

Do you like to send your document and its contents with Tamper proof, Fraud proof, and
Error proof during your business transactions with your partners and customers?
Do you like to have digitally signed email and digitally signed web site in order to have secure
communication with your partners and customers?
Do you like to send Trusted and Secure(Encrypted) business documents of higher business
value in terms of cost ,legal, importance, confidentiality, security?
Do you allow us to replace the approval process on paper, slow and expensive, with a fully digital
system, faster and cheaper

If you answer “YES” to above questions ,

Search over 360 million presentations...

Login Get Started

TRENDING SEARCHES
Thermal DynamicsClimate ChangeTimelineTemplateEntropy

Learn about Prezi

Report

Hacking/Phishing/Pharming/Digital Signature/SSL!!!

VC
valentina cantor giraldo
Updated 20 May 2016
TRANSCRIPT

what is phishing?
what is Hacking ?
in conclution:
what is SSL?
good hacking
bad hacking
Digital certificates: Legitimate Web servers can differentiate themselves from illegitimate sites by
using digital certificates; websites using certificate authentication are more difficult to spoof.
Consumers can use the certificate as a tool to determine whether a site is trustworthy.

examples:
is a scamming practice in which malicious code is installed on a personal computer or server,
misdirecting users to fraudulent Web sites without their knowledge or consent.

example:
Someone who is very good at computer programming, networking, or other related computer
functions and loves to share their knowledge with other people
examples :
A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text
file, etc.) is authentic. Authentic means that you know who created the document and you know that it
has not been altered in any way since that person created it.
Digital signatures rely on certain types of encryption to ensure authentication. Encryption is the
process of taking all the data that one computer is sending to another and encoding it into a form that
only the other computer will be able to decode. Authentication is the process of verifying that
information is coming from a trusted source. These two processes work hand in hand for digital
signatures.

what is pharming?
A digital signature (not to be confused with a digital certificate) is a mathematical technique used to
validate the authenticity and integrity of a message, software or digital document.

examples:
In computer networking, hacking is any technical effort to manipulate the normal behavior of network
connections and connected systems. A hacker is any person engaged in hacking. The term "hacking"
historically referred to constructive, clever technical work that was not necessarily related to computer
systems.
is a form of fraud in which the attacker tries to learn information such as login credentials or account
information by masquerading as a reputable entity or person in email, IM or other communication
channels.
Someone who uses their expert computer skills and knowledge to gain unauthorized access to
systems, corporations, governments, or networks.

Hacking/Phishing/Pharming/Digital Signature/SSL!!!
There are many ways to save personal information, talking to people, other things.
but also there are ways that you can steal, remove important information, modify data, and much
more...
for these reasons, there are forms of securities which help us to keep this information secure.
must remember that not everything is good or bad, this is decided by the person who uses it since
you can use both things to bad things.

what is Digital Signature?

These are some examples of phishing emails seen on campus. Do NOT assume a suspect email is
safe, just because it is not listed here. There are many variants of each, and new ones are being sent
out each day.
an example of this is that a form can be easy and useful to protect work and information that you want
to send, display and save. as: the constranenas, users, and special keys.
is a standard security technology for establishing an encrypted link between a server and a client—
typically a web server (website) and a browser; or a mail server and a mail client .

What is a digital signature? Fundamental principles

May 13, 2012 By Pierluigi Paganini

Private companies and governments agencies all around the word make huge investments for the
automation of their processes and in the management of the electronic documentation.

The main requirement in the management of digital documentation is its equivalence, from a legal
perspective, to paperwork, affixing a signature on a digital document is the fundamental principle on
which are based the main processes of authorization and validation, apart from the specific area of
application.

Main benefits for the introduction of digital signing processes are cost reduction and complete
automation of documental workflow, including authorization and validation phases.

In essence, digital signatures allow you to replace the approval process on paper, slow and
expensive, with a fully digital system, faster and cheaper.
Figura 1 – Digital document lifecycle

The digital signature is simply a procedure which guarantees the authenticity and integrity of
messages and documents exchanged and stored with computer tools, just as in traditional
handwritten signature for documents. Essentially The digital signature of an electronic document
aims to fulfill the following requirements:

that the recipient can verify the identity of the sender (authenticity);

that the sender can not deny that he signed a document (non-repudiation);

that the recipient is unable to invent or modify a document signed by someone else (integrity).

A typical digital signature scheme consists of three algorithms:

an algorithm for generating the key that produces a key pair (PK, SK): PK (public key, public key) is
the public key signature verification while SK (Secret Key) is the private key held by the petitioner,
used to sign the document.

a signature algorithm which, taken as input a message m and a private key SK produces a signature
σ.

a verification algorithm which, taken as input the message m, public key PK and a signature σ,
accepts or rejects the signature.

To generate a digital signature is necessary to use the digital asymmetric key pair, attributed
unequivocally to a person, called holder of the key pair:

The private key is known only by the owner, it is used to generate the digital signature for a specific
document;

The public key is used to verify the authenticity of the signature.

Once the document is signed with the private key, the signature can be verified successfully only
with the corresponding public key. Security is guaranteed by the impossibility to reconstruct the
private key (secret) from the public, even if the two keys are uniquely connected.

Digital Signature Process

A Digital signature is a one-way hash, of the original data, that has been encrypted with the signer’s
private key. A digital signature process is composed by the following steps:
The signer calculates the hash for the data he needs to sign. The message digest is a file size small
(160-bit SHA-1 now deprecated, with 256-bit SHA-256) that contains some sort of control code that
refers to the document. The hash function is produced minimizing the likelihood to get the same
value of the digest from different texts and is also “one way” function: this means that from
calculates hash it is impossible to get back the original text.

The signer, using his private key, encrypt the hash calculate.

Signer sends the original data and the digital signature to the receiver. The pair (document and
signature) is a signed document or a document to which was attached a signature. The document is
in clear text but it has the signature of the sender and can be sent so that it can be read by anyone
but not altered since the digital signature guarantees also integrity of the message.

For the verification, The receiving software first uses the signer’s public key to decrypt the hash,
then it uses the same hashing algorithm that generated the original hash to generate a new one-
way hash of the same data. The receiving software compares the new hash against the original hash.
If the two hashes match, the data has not changed since it was signed.

Figura 2 – Digital Signature Process

The authenticity of a document can be verified by anyone decrypting the signature of the document
with the sender’s public key, obtaining the fingerprint of the document, then comparing it with that
obtained by applying the hash function (which is known) to the document received which was
attached the signature. If the two fingerprints are equal, the authenticity and integrity of the
document are demonstrated.

The signing and verification operations may be delegated to a schedule issued by the certification.

Thanks to the mechanism shown, the digital signature ensures non-repudiation: the signer of a
document transmitted cannot deny having sent it and the receiver can deny to have received it. In
other words means that the information cannot be ignored, as in the case of a conventional
signature on a paper document in the presence of witnesses.

The advantages of digital signatures

The activation of a fully automated workflow, digital signatures, reduce time and costs associated
with the signatures on paper, the latter in fact have an economic cost and create delays and
inefficiencies.

An estimate provided by ARX on the basis of current data sets that each of their clients handwritten
signature on a paper document to determine the company at a cost of $ 30 U.S including costs
associated with paper, printing costs, of signing, scanning, forwarding, storage and regeneration of
lost or missing documents. According to the study of ARX, a person authorized to sign documents
marking more than 500 documents a year.
The digital signatures process is essential for the formal approval processes of every companies, a
typical scenario require multiple authorization of multiple offices for each document.

Thus digital signatures allow alternate approval processes, collaboration and delivery of paper
(expensive and slow), with a digital system (faster, cheaper and more efficient).This results in a
number of advantages:

improved operational efficiency, reduce cycle time and elimination of costs;

risk mitigation, compliance assurance, data quality and long-term storage of files;

increase the competitiveness and service levels.

Resuming, digital signatures can reliably automate the signatures of authorization allowing the
elimination of paper, reducing costs and improving the speed of production processes.

By virtue of all these advantages, the digital signature can be particularly useful for:

Government agencies in regulated sectors with workflows subject to formal approval;

organizations must submit documents that need to be approved by various offices;

representatives of organizations that use, or services that require commercial building and the
provision of reports or contracts signed;

Away from executives such as a signature is required to activate the processes;

organizations which cooperate with external partners and require approval for workflows;

Web portals with external modules that require compilation and signing.

Note that the type of documents to which to apply the digital signature is particularly composite,
and includes:

sales proposals, contracts with customers.

purchase orders, contracts / agreements with partners.

contracts, agreements, acts of the board.

leases, contracts, expense reports and reimbursement approvals.

Human Resources: Documentation of employment of employees, presence control cards.

Life Sciences: Questions and proposals, QC records, standard operating procedures (SOPs), policies,
work instructions.

Mechanical work: drawings, sketches, plans, instructions and relations of production.

health services: medical and patient consent forms, medical exams, prescriptions, laboratory
reports.