How digital signatures differ from pen and ink signatures.

by jamesd@echeque.com


Digital signatures are not quite the same as pen and ink signatures, and do something subtly different from what pen and ink signatures do.

A pen and ink signature is a biometric, not a secret. By careful examination of the physical paper, one can determine that a live person actually swished a pen over the paper, and thus that a live person with certain distinctive habits of writing made that mark. No secret is involved, but it is physically difficult for one living person to perfectly imitate another.

Of course, if one attempts to fax a live signature, or otherwise transmit it electronically, it (being a biometric and not a secret) instantly becomes very limited in value. One can trivially lift the bitmap from one signed document and apply that bitmap perfectly to another signed document, and one can with similar ease edit the electronic document, leaving no trace.

To imitate the functionality of a biometric signature in electronic form, one could perhaps videotape someone summarizing the document, or reading it aloud in full, and then orally stating that he agrees to it, or witnesses something about it, or will perform it. However, a digital scan of physical paper signed with physical ink is not going to give the functionality of physical paper signed with physical ink.

Digital signatures rely on a secret, either a secret passphrase or, more commonly, a secret file. Anyone (without needing to know the secret) can check that two documents were signed with the same secret, and thus presumably by the same person, and that neither document has been changed since it was signed. A digital signature is a seemingly random pattern of characters, which typically looks something like this:

    --
this is a signed document
    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     WZpbVqsJAyyv5lIJFe1xAnTgNcPuYuhMEASCN82V
     42n66jGGAXQ6R2kNeMUedQsobPjpV9UNZzALxAC1q

Those seemingly random characters depend both on the secret and on the document being signed. Thus any small change in the document after it was signed will cause the document to fail to match the signature.

Thus if I add a full stop, the signed document looks like this.

    --
this is a signed document.
    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     CsMYRG969XQ7CJhkpHmPcigu8yG+YhFGW1+QrgtC
     4f5YXFqLPhvouhqn1OHNTWpDNc4UsqRjw4xnGJMT8

The second and third lines depend on the document, and so look completely different, but the program can tell that the two documents have matching signatures.

One digital signature by itself proves nothing.

Two digital signatures on two different documents which match each other (match in the sense that the software recognizes them as equivalent, even though to a human they look like completely random unrelated gibberish) prove that the documents have not been altered after being signed, and that they were signed using the same secret, thus presumably by the same person.

A Verisign certificate of identity is actually a document signed by so and so, and then signed by Verisign asserting that the person signing the document really is so and so. If the signature on another document matches so and so's signature in the Verisign certificate, and the Verisign signature on the certificate matches the one on the Verisign site, then this proves the other document was signed by so and so.

Thus using a Verisign digital signature system involves at least four signatures, and two signature comparisons. Verisign is acting like a notary public, certifying that it has some information suggesting that your name and identity actually is as represented. Crypto Kong does nothing like this. It merely proves that two documents were signed by the same person. You could sign them both "Queen Elizabeth" and the program would then announce that the signature on this document signed "Queen Elizabeth" matches the signature on another document in its database signed "Queen Elizabeth". Verisign, on the other hand, would protest if someone asked for a digital certificate in the name of Queen Elizabeth.
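
The matching check described above, as an added Go sketch (not Crypto Kong's own code or file format): Ed25519 from the Go standard library stands in for Kong's signature scheme, and it is assumed that a signed document carries the signer's public key next to the signature. The `Signed` struct, the function names and the fixed key seeds are hypothetical, chosen for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Signed is a hypothetical signed document: text, an unchecked free-text
// name, the signer's public key, and a signature over the text.
type Signed struct {
	Text, Name string
	Pub        ed25519.PublicKey
	Sig        []byte
}

// Sign signs text with the secret key; nothing ever validates name.
func Sign(priv ed25519.PrivateKey, name, text string) Signed {
	pub := priv.Public().(ed25519.PublicKey)
	return Signed{Text: text, Name: name, Pub: pub, Sig: ed25519.Sign(priv, []byte(text))}
}

// Intact reports whether the text is unchanged since it was signed.
func Intact(d Signed) bool {
	return len(d.Pub) == ed25519.PublicKeySize && ed25519.Verify(d.Pub, []byte(d.Text), d.Sig)
}

// SameSigner reports whether both documents are intact and share one key.
func SameSigner(a, b Signed) bool {
	return Intact(a) && Intact(b) && bytes.Equal(a.Pub, b.Pub)
}

// Demo uses constructed keys (fixed seeds, so the run is reproducible).
func Demo() (match, editedOK, impostorMatch bool) {
	key1 := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	key2 := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	a := Sign(key1, "Queen Elizabeth", "this is a signed document")
	b := Sign(key1, "Queen Elizabeth", "a second document")
	c := Sign(key2, "Queen Elizabeth", "a third document") // same name, other secret
	edited := a
	edited.Text += "." // the added full stop
	return SameSigner(a, b), Intact(edited), SameSigner(a, c)
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

The third result is the case a relying party should watch for: the name on a document is only a label, so a match has to be decided on the key, and tying that key to a real-world identity needs something outside the signature, such as the certificate described above.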