Digital signature overview

A digital signature is an electronic, encrypted stamp of authentication on digital information such as messages. The digital signature confirms the integrity of the message.

This signature ensures that the information originated from the signer and was not altered, which proves the identity of the organization that created the digital signature. Any change made to the signed data invalidates the whole signature.

The use of digital signatures is important because they can ensure end-to-end message integrity, and can also provide authentication information about the originator of a message. To be the most effective, the digital signature must be part of the application data so that it is generated at the time the message is created. Then, the signature is verified at the time the message is received and processed. You can choose to sign the entire message, or sign parts of the message (even overlapping parts of a message can be signed). You can choose to sign only parts of a message if a part of the message must be modified before it reaches the consumer. In this scenario, if the entire message was signed, the whole signature is invalidated if even one part of the message is modified. You can specify partial signatures for a message by specifying an ID attribute for every element that you want to sign and adding a reference.

Important: To ensure message integrity, use XML digital signatures with your private key. This signature can be validated by the recipient with the sender’s digital certificate (public key). When you create a signature with an X.509 certificate token, ensure that it uniquely and irrefutably specifies the certificate under which the signature was created.

A digital signature for an electronic message is created by using a form of cryptography and is equivalent to a personal signature on a written document. The digital signature on a message provides a unique electronic binding of the identity of the signer to the origin of the message. A digital signature provides proof of the message origin and a method to verify the integrity of the message. A digital certificate owner combines the data to be signed with their private key, and then transforms the data with an algorithm. The recipient of the message uses the corresponding certificate public key to decrypt the signature. The public key decryption also verifies the integrity of the signed message and verifies the sender as the source. Only the organization with the private key can create the digital signature. However, anyone that has access to the corresponding public key can verify the digital signature.

The digital signature is based on the XML-signature syntax and processing specification that is defined for WS-Security. This specification defines an XML syntax for digital signatures (the processing rules for creating and verifying XML signatures). The SignedInfo element describes the signed content of the message. It also includes the syntax for representing the resulting signature information. The signature algorithm for signing the message is specified in the SignatureMethod element. The DigestMethod element specifies the digest algorithm that is applied to the signed message. The resulting digital signature value and digest value are encoded with base64 and are specified in the SignatureValue element and the DigestValue element.

A digest is a fixed length, short message whose digital signature can be quickly generated and verified. Using a digest facilitates faster processing and is important for performance reasons. The payload of a message can be large, and the process of applying a public key algorithm to the entire message can significantly impact system performance. When the message is received and a digest is used, B2B Advanced Communications computes the digest. Additionally, it verifies that the newly computed digest matches the digest that was sent.

In B2B Advanced Communications only inbound document exchange is supported with digital signatures for an anonymous partner.

Important: If you are using digital signatures, define the content types that must be excluded from canonicalization to B2B Advanced Communications through the Systems Management > System Settings interface. Using digital signatures and canonicalization can adversely affect system performance, because computing and verifying XML signatures is very resource-intensive.

The steps of the digital signature process are as follows:

  1. The sender computes a message digest (with an algorithm such as RSA or SHA1) and then encrypts the digest with their private key, which forms the digital signature. Multiple signatures and signature formats can be attached to a message, each referencing different (or even overlapping) parts of the message.
  2. The sender transmits the digital signature with the message.
  3. The receiver decrypts the digital signature with the public key of the sender, thus regenerating the message digest.
  4. The receiver computes a message digest from the message data that was received, and verifies that the two digests are the same. If these digests match, the message is both intact and authentic.

When a content creator digitally signs a message, the signature must meet the following criteria to be valid:

  • The certificate that is associated with the digital signature is current (not expired).
  • The certificate that is associated with the digital signature is issued to the signing publisher by a reputable certificate authority (CA). The CA signs certificates that it issues. The signature consists of a data string that is encrypted with the private key of the CA. Any user can then verify the signature on the certificate by using the CA public key to decrypt the signature.
  • The publisher (the signing organization), is trusted.
    Important: Signed messages with a valid time stamp are considered to have valid signatures, regardless of the age or revocation status of the signing certificate.
A digital signature is used to assure:
The identity of the organization that sent the message (the message signer) is confirmed.
The message content was not changed or tampered with since it was digitally signed.
Tip: You can also encrypt the message, which protects the confidentiality of the information in the message.
The origin of the signed content is verified to all parties so the message signer cannot deny association with the signed content.