Digital signatures in the blockchain — an introduction

16.5.2018 / Falk Borgmann, Strategy Consultant, Deepshore GmbH

About signatures, encryption, and PKI

Digital signatures and other security measures continue to gain in relevance — both within the enterprise and for consumer applications. For a complete evaluation from the decision-maker’s perspective, it is important to understand the fundamentals, and most of all the difference between what are at first glance very similar-sounding procedures. That’s what we’ll cover in this first post on the topic.

Digital signatures ensure that, when sending a digital information such as an email electronically from point A to point B, the information that is received is truly identical to the information that was sent. The current state of the art usually involves an asynchronous (two-stage) procedure using a private key to sign the message and a public key for verification. With signatures, however, the content of the message is not protected against snooping by unauthorized third parties. Conventional digital signatures therefore only help ensure the authenticity of the content and identify the sender. But signatures alone cannot protect the content from illicit access.

That’s where encryption comes in. Encryption makes the content of a message impossible to read by unauthorized third parties. In practice, both procedures are frequently used in tandem. People often refer to this combination of technologies as an electronic signature. In Germany, this is a legal term that can be broken down into three groups.

1. General electronic signatures
2. Advanced electronic signatures
3. Qualified electronic signatures

The differences between these three levels lie in their suitability as legal evidence, with the qualified electronic signature representing the highest level from a legal perspective. In this context, what is known as a PKI (public key infrastructure) is often used. A major component of a PKI is the certificate authority (CA). A CA issues certificates as a neutral party to certify the public key a sender uses in a PKI. If you want to send data in this manner, the sender must apply for a public key certificate from a CA. This process involves the CA checking the identity of the applicant.

A public key and the accompanying certificate is only provided once this verification takes place. Potential data recipients use this key to validate messages via the CA. This way, they are able to determine whether the public key of the sender is truly valid. This allows the recipient to verify the authenticity of the message that has been signed using the sender’s private key. The CA operates as a neutral third party in this procedure.

The two major weaknesses with a signature/encryption procedure using a PKI are attacks on the private key or the CA itself. If the private key is stolen, a thief can theoretically decrypt all the victim’s messages and also sign their own messages with the stolen key. If the CA itself is attacked, the implications are far more serious. In 2011, an attacker for instance was able to hack a CA and issue new certificates for domains such as mail.google.com and login.yahoo.com.

From our series
»Blockchain — compliance in the business cloud«
Entry 5/7