An electronic signature, or e-signature, refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign. This type of signature provides the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation it was created under.
Electronic signatures are a legal concept distinct from digital signatures, a cryptographic mechanism often used to implement electronic signatures. While an electronic signature can be as simple as a name entered in an electronic document, digital signatures have strict compliance to standards irrespective of the vendor and is increasingly used in business transactions to implement electronic signatures in a cryptographically protected way. Standardization agencies like NIST or ETSI provide standards for their implementation. Electronic signatures are easier to implement compared to Digital signatures(Electronic signature with more security features) and it requires only a handwritten signature to a document. In traditional electronic signatures, there is not feature to validate if the signatures have been tampered with in contrast to digital signatures which provides independent verification and tamper evidence.
An electronic signature is intended to provide a secure and accurate identification method for the signatory to provide a seamless transaction. Definitions of electronic signatures vary depending on the applicable jurisdiction. A common denominator is the presence of an advanced electronic signature requiring that:
- The signatory can be uniquely identified and linked to the signature.
- The signatory must have sole control of the private key that was used to create the electronic signature.
- The signature must be capable of identifying if its accompanying data has been tampered with after the message was signed.
In the event that the accompanying data has been changed, the signature must be invalidated.
Electronic signatures may be created with increasing levels of security, with each having its own set of requirements and means of creation on various levels that prove the validity of the signature. To provide an even stronger probative value than the above described advanced electronic signature, some countries like the European Union or Switzerland introduced the qualified electronic signature. It is difficult to challenge the authorship of a statement signed with a qualified electronic signature – the statement is non-reputable. Technically, a qualified electronic signature is implemented through an advanced electronic signature that utilizes a digital certificate, which has been encrypted through a security signature-creating device and which has been authenticated by a qualified trust service provider.
Digital signatures are cryptographic implementations of electronic signatures used as a proof of authenticity, data integrity and non-repudiation of communications conducted over the Internet. When implemented in compliance to digital signature standards, digital signing should offer end-to-end privacy with the signing process being user-friendly and secure. Digital signatures are generated and verified through standardized frameworks such as the Digital Signature Algorithm (DSA).by NIST or in compliance to the XAdES, PAdES or CAdES standards, specified by the ETSI.
There are typically three algorithms involved with the digital signature process:
- Key generation – This algorithm provides a private key along with its corresponding public key.
- Signing – This algorithm produces a signature upon receiving a private key and the message that is being signed.
- Verification – This algorithm checks for the authenticity of the message by verifying it along with the signature and public key.
The process of digital signing requires that the signature generated by both the fixed message and private key can then be authenticated by its accompanied public key. Using these cryptographic algorithms, the user’s signature cannot be replicated without having access to their private key. A secure channel is not typically required. By applying asymmetric cryptography methods, the digital signature process prevents several common attacks.