How do you know if a digital signature is trustworthy?

What is the digital signature and its accompanying timestamp? Can you fake both of them or verify the signature on paper? Can you print out the timestamp, what is the signature container, and can you use the open source code to create a fake DigiDoc programme to give the impression of a valid digital signature? Tanel Tammet, professor at the School of Information Technologies, Department of Software Sciences at TalTech, explains the inner workings of the digital signature.

What is the digital signature?

Essentially it is an encrypted string of text that originates from the file that’s being signed and the signee’s secret key – the private key is only on the eID of the person giving the signature. Anyone can check if the encrypted piece of text is in coherence with the file and if it complies with the signee’s public key. The digital signature cannot be falsified because if you don’t have the signee’s private key (as it is well hidden on their eID), then you cannot create a matching encrypted text string.

What is the timestamp on the digital signature?

In addition to the encrypted text, Estonian digital signatures also include a timestamp, which is essentially an additional digital signature. It’s an encrypted string of text that is created by the central server and it contains the time of the signature. The idea is that the timestamp is secure and reliable and everyone can use it to check when exactly the signature was given. In the Estonian digital signature system there is always essentially two signatures: one that is given using the secret private eID key, and another by the central server that validates the exact time of the signature.

Can you print out the timestamp?

The Estonian digital signature software DigiDoc does give the option to print out the confirmation sheet that contains information about the signature and its timestamp. Theoretically, you could use this to check if the signature and timestamp are real. In practice, however, it is almost never used for actual validation because you would need to type the text strings up on a computer again, use special validation software, and even then it wouldn’t have all the information you need to run the check.

If a paper document is marked as signed digitally and it is accompanied with the confirmation sheet, does this mean the signature is valid?

Typically it’s not really used since the additional sheet of paper does not enable full control over the validity of the signature. The idea behind the confirmation sheet is that it’s like an additional confirmation that the document appears to be signed, however, the paper itself cannot be used to check the validity of the signature.

Is it technically possible to falsify a digital signature?

Well, not so long ago the ID card software was discovered to have a weakness that, if attacked with a lot of computer power and time and cost expensive calculations, could have been exploited to fake a digital signature. Of course, provided that you actually knew the person’s public key. The software currently in use does not have any such known weaknesses, so technically it is not possible in practice.

Can you fake the timestamp – is it even possible and has it ever been done?

The timestamp is basically also just a digital signature that the central server adds to the signature given by a human by adding the time. To falsify that, you’d need to know the private key of the central server, which, of course, is securely hidden. It’s important to note that both of these “signatures” – one by human and the other by the server – are two different things and even if you could fake one of those, it wouldn’t help you with the other. Again, no digital signature can be 100 % safe from falsifying, but in practice, it would be unreal. Even if such an opportunity would manifest itself, it would be quickly discovered and the software fixed, like it was the case with the Estonian ID-card.

Are other countries using something similar to the Estonian solution?

The Estonian digital signature is in accordance with the cross-European eIDAS standard, but in reality the application and areas of use are different in different countries. Estonia is definitely a European leader in using the digital signature in daily life.

What is the digital signature’s container?

The container is just a compressed file containing the original signed document and the two signatures – the human signature and the timestamp by the server – than can easily be validated with the ID-card software.

If someone shows me a container where the signature is marked as valid, can I be 100 % sure it is really valid? The DigiDoc source code is public, can it be used to create your own fake DigiDoc where signatures are shown as valid?

In principle you could build software similar to the DigiDoc, that won’t actually check anything and just show on the screen that the fake signature is valid. You can be 100 % sure of the digital signature if you’ve downloaded the official DigiDoc software to your computer and used it to validate the signature yourself.

How long is a digital signature valid?

I’m not entirely sure of the legalities, but from my understanding it should be valid unlimited time. Of course, there is always a theoretical possibility that at some point a new way to fake the signature and its timestamp are discovered. This would render all old digital signatures unreliable and they would need to be re-signed with the new future system to show that the signatures were given before the falsification became possible.

If a document is signed digitally, is it automatically modified to show that it is signed and the date?

No, the digital signature won’t change the content of the actual original document in any way. The only confirmation of the signature is the signature file itself, that is created by the software.

Can you trust digital signature?

What is required to verify a valid digital signature?