What is the Difference Between an eSignature and a Digital Signature?

While the terms “digital signature” and “electronic signature” are often used interchangeably, there are in fact differences. Electronic signatures, or eSignatures, are the electronic equivalent of a handwritten signature. Digital signatures are as well, but with added authentication layers that ensure the highest levels of security and legality. In this article, we will explore the definitions of each, and explain what characterizes eSignatures and digital signatures.

What is an example of an electronic signature?

Simply put, an electronic signature shows the signer’s agreement with the contents of a document, form, or request. Some examples include a name typed at the end of an email or document, a picture of a wet signature sent via tax, a signature made by finger swipe on an internet-connected device (e.g., smartphone, tablet, a PIN entered into a bank’s ATM, and ticking the “agree” or “disagree” box in an electronic terms & conditions form.

What is a digital signature and how does it work?

A digital signature is a mathematical way of verifying the authenticity of digital documents to prevent forgery and tampering during the sending and receiving process. Here are the three main purposes of a digital signature:

1. Authentication: A digital signature proves to the recipient that the document was in fact signed by the person who claimed to sign it.
2. Nonrepudiation: A digital signature ensures the sender cannot deny having sent the message at some future time.
3. Integrity: A digital signature guarantees that the document or signature was not modified in transit.

Digital signatures are frequently used between businesses, between businesses and their customers, or between two individuals. They are popular across a wide number of industries due to their legal status and ability to prevent tampering and forgery. Underlying the seemingly simple interface of a digital signature is the complex technology that goes into creating asymmetric cryptography. It protects sensitive information with two mathematically linked keys: a private key, which is only known to the person it belongs to, and a public key, which is shared with anyone who needs to access the digital document. When the recipient gets the document, first they will decrypt the digital signature using the signer’s public key. If the recipient is unable to decrypt the digital signature, it’s a sign that it did not actually come from the intended signer. That’s because only the intended signer’s key is able to decrypt the digest. The second thing the recipient of the document will do is check the document’s integrity. They will hash the document with the same hash formula the sender used. If they are the same, the receiver can be assured that the document has not been tampered with since the sender signed it. If the digest is not equal, the receiver is clued in that it was altered in transit. It’s important to note that simply using digital signatures does not encrypt the document itself. It isn’t enough to just use a plain text document. To encrypt the document, it’s necessary for the sender to use the receiver’s public key.

The key to this equation: Certification Authorities (CAs)

Of course, anyone else could have been pretending to have been the intended signer from the start. A criminal could create a fake document, hash it with the correct hash, and generate an asymmetric pair of keys using their computer. So how can the recipient be sure that they’re communicating with the intended signer? That’s where digital certificates come in. For a fee, the signer can apply for a digital certificate to a well-known, trusted organization called a Certification Authority. CAs include companies like Verisign, GlobalSign, and Symantec, though there are many others. The public key that’s generated is sent to the CA, along with various details about himself. The CA carefully checks that the signer is who he claims he is. Then, the CA sends the signer a special type of file called a digital certificate. This contains details about the signer, along with information about the CA and an expiry date. Bound to this digital certificate is the signer’s public key. The signer still has the corresponding private key, which never left his computer. Now when the signer sends a signed document to the recipient, he can also send a copy of the full certificate. This means that when the receiver wants to decrypt something, she can inspect this certificate first. If she trusts it, she can use the public key that is being guaranteed by the CA to belong to the signer. Essentially, the CA vouches for the signer.

Are all digital signatures the same?

Just as digital signatures are distinguished from electronic signatures in terms of compliance and legal strength, there is also variation within the category of digital signatures, each of which provides a different degree of legality. Class 1 signatures: Provide basic security for low-risk environments; not legally binding for business documents. Class 2 signatures: Authenticate a signer's identity against a pre-verified database. Used in moderate-risk environments, such as e-filing text documents. Class 3 signatures: Require a person to present in front of a certifying authority to prove identity before signing. This is reserved for e-ticketing, e-tendering, and court filings where a breach results in major consequences.

The bottom line

When selecting an eSignature solution, it’s important to understand whether a simple electronic signature is sufficient, or if a more secure digital signature is required. If it’s the latter, be sure to look into the robustness of its authentication mechanism if the utmost in legality and compliance is desired.