What is signature verification? How does it work?

When you receive a signed electronic document, the certificate accompanying the signature identifies who signed. But why should anyone trust what the certificate says? Signature verification provides this assurance.

SIGNiX uses a sophisticated digital signature algorithm called DSA, which verifies the signature without allowing decryption of the original hash. DSA signatures don’t reveal the hash of the original document if the new hash doesn’t match. SIGNiX’s signatures can be verified using free PDF viewing software like Adobe Reader.

Successful verification proves that the document has not changed since signing—if the document had changed, the new hash would not match the one in the signature. If the signature itself had been changed, it again would not produce a matching hash. Successful verification also shows that the public key in the certificate is correct, since verification with an incorrect public key would not produce a match either.

To verify that the person identified in the certificate is the owner of the public key, verification software must check the integrity of the signer’s certificate. There are a couple of questions that must be answered to verify a certificate:

  • Has the certificate been unaltered since it was issued?
  • Is the issuer trustworthy?

A certificate is an electronic record with its own digital signature. The Certification Authority (CA) signs each certificate when it issues it. The verifier confirms the validity of the certificate by verifying this signature, using the public key from a certificate belonging to the issuing CA.

The verification process is then repeated on the issuer’s certificate and again on any certificates above it. If this chain eventually leads to a “trusted root” certificate trusted by the verification software, then the verifier considers the signer identification in the original certificate to be valid.

The verifier must also check that the signature was created at a time when all of the certificates in the verification chain were within their valid usage period and none of them had been revoked.

For SIGNiX signatures, the signing time is indicated by a reliable timestamp placed on the signature by a Timestamp Authority immediately after the signature was created.
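The chain walk, the validity-period check at the timestamped signing time, and the revocation check described above, as an added example in Go using the standard crypto/x509 package (this is not SIGNiX’s or Adobe’s code). The three-certificate chain, its names, serials, dates and the revoked-serial set are all constructed for the demonstration, and the serial set stands in for a real CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // abort demo setup on error
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// Constructed demo chain (root CA -> issuing CA -> signer); names, serials and dates are made up.
var t0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
// issue builds a certificate for pub signed with parentKey; parent == nil yields a self-signed root.
func issue(serial int64, cn string, isCA bool, notAfter time.Time, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: t0, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent = tmpl } // self-signed root
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}
var rootKey, issuerKey, signerKey = newKey(), newKey(), newKey()
var root = issue(1, "Demo Root CA", true, t0.AddDate(10, 0, 0), &rootKey.PublicKey, nil, rootKey)
var issuer = issue(2, "Demo Issuing CA", true, t0.AddDate(5, 0, 0), &issuerKey.PublicKey, root, rootKey)
var signer = issue(3, "Jane Signer", false, t0.AddDate(1, 0, 0), &signerKey.PublicKey, issuer, issuerKey)

// VerifyChainAt checks the signatures from leaf up to trustedRoot, that every certificate in the chain
// was within its validity period at signingTime (the timestamp), and that none of them is revoked.
func VerifyChainAt(leaf, intermediate, trustedRoot *x509.Certificate, signingTime time.Time, revoked map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: signingTime, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return err // bad signature, untrusted root, or a certificate outside its validity period
	}
	for _, c := range chains[0] { // revoked-serial set stands in for a CRL or OCSP lookup
		if revoked[c.SerialNumber.String()] {
			return errors.New("revoked certificate in chain: " + c.Subject.CommonName)
		}
	}
	return nil
}
```

Passing the timestamp as `signingTime` rather than the clock time is what lets a signature remain verifiable after the signer’s certificate has since expired.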