We value your privacy

We use cookies to enhance your browsing experience and analyze traffic anonymously for internal statistical purposes. By clicking “Accept all,” you consent to the use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Cookie
    cookieyes-consent
  • Duration
    1 year
  • Description

    CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about site visitors.

  • Cookie
    _GRECAPTCHA
  • Duration
    180 days
  • Description
    This cookie is used by the Google reCAPTCHA service to protect the site from spam and abuse, distinguishing between real users and bots. It performs a risk analysis by collecting information on browsing behavior and device details, such as mouse movements, keystrokes, and technical data.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

  • Cookie
    language
  • Duration
    1 anno
  • Description

    This cookie is used to store the user's language preference.

  • Cookie
    post_viewed_
  • Duration
    1 ora
  • Description

    This cookie prevents a single visit to an article from being counted multiple times when the page is refreshed.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

  • Cookie
    _ga_*
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to count visitors to the page

  • Cookie
    _ga
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to calculate visitor, session, and campaign data and track site usage for site analytic reporting. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Guides

Digital signature security risks

What is a digital signature and how to protect it? Discover risks, security measures, and how digital signatures work to ensure document integrity.

Digital signature security risks

26 May 2025

Table of contents

  • What is a digital signature
  • Why digital signatures are used
  • Active security of the digital signature
  • Passive security of the digital signature
  • Risks related to digital signatures
  • How to protect your digital signature

The digital signature is an essential tool to ensure the authenticity and legal validity of digital documents. In this article, we will explain what it is, why it is used, and we will explore the key aspects of digital signature security, both from an active and passive perspective, analyzing risks, protections, and best practices.

What is a digital signature

A digital signature is a cryptographic mechanism that allows you to uniquely associate a digital document with a signer.

Unlike a scanned signature or a simple electronic signature, the digital signature has full legal value and ensures authenticity, integrity, and non-repudiation of the document.

The use of the digital signature is based on a system of cryptographic keys: a private key, securely stored by the signer and used to sign, and a public key, available to anyone who wants to verify the signature’s validity. This system makes it possible to confirm that the document has not been altered and that the signature truly belongs to the owner of the private key.

Why digital signatures are used

The use of digital signatures has progressively expanded worldwide, revolutionizing the way companies, public authorities, and private individuals manage official documents.

This tool addresses the growing need to digitalize administrative and bureaucratic processes, providing a secure and legally recognized alternative to traditional handwritten signatures on paper.

One of the main reasons why the digital signature has become essential is its ability to sign contracts and official documents without the need for physical presence.

In an increasingly digital and remote-working world, the possibility to sign a contract, declaration, or legal document remotely is a major advantage.

This benefit became even more evident during the pandemic, when digital processes enabled many activities to continue without interruption.

Another key factor is the significant reduction of costs and processing times. Eliminating the need for paper and physical handling of documents leads to considerable savings in shipping, archiving, and disposal.

Additionally, the digital signature allows companies and institutions to automate workflows that previously required printing, scanning, and manually sending signed documents — saving time, money, and resources.

Equally important is the role of the digital signature in enhancing cyber security. Unlike a simple scanned signature or an unqualified electronic signature, the digital signature ensures the authenticity of the signer and the integrity of the document.

Once applied, the digital signature makes it impossible to modify the content without invalidating the signature itself, thus drastically reducing the risk of forgery, tampering, or fraudulent use.

The adoption of the digital signature is particularly crucial in legal, fiscal, and administrative contexts, where the certainty of the signer’s identity and the legal validity of the documents are essential requirements.

Legal professionals, public administrations, and businesses use it daily to sign contracts, tax returns, official communications, financial statements, and many other documents.

In the private sector, the digital signature is also becoming increasingly common. Companies use it to simplify and speed up commercial transactions, formalize agreements with partners and suppliers, sign orders and quotes, and efficiently manage internal processes, such as employee onboarding or contractual relationships with clients and collaborators.

Finally, the growing focus on environmental sustainability provides an additional incentive to adopt digital signatures. By eliminating the use of paper and reducing the need for physical travel to sign documents, digital signatures contribute to lowering the environmental impact of bureaucratic and administrative processes.

In summary, the digital signature is a tool that responds to the modern digital society’s needs for efficiency, security, legality, and sustainability.

Active security of the digital signature

When we talk about active security in relation to the digital signature, we are referring to all the technical and organizational measures implemented to prevent the signature from being misused, forged, or compromised by unauthorized individuals. In other words, active security concerns everything related to protecting the private key and the devices used to apply the signature, making sure that no one can access them without permission.

A fundamental element of active security is the safe storage of the private key. The private key is the most sensitive part of the digital signature system because it is what actually enables a person to sign documents. To prevent it from being stolen or duplicated, the key is usually stored on physical devices such as a smart card or a USB token, both protected by a personal PIN code.

Example
A lawyer or an accountant who uses a digital signature daily will typically keep their smart card in a secure reader connected to their computer and will never share the PIN with anyone.

Another key security layer is the implementation of multi-factor authentication (MFA). In addition to possessing the physical device and knowing the PIN, access to the digital signature may require an additional temporary code sent via SMS or generated by an authentication app.

This means that even if an attacker obtains the device and the PIN, they would still not be able to use the signature without the second authentication factor.

Active security also relies heavily on the use of strong encryption algorithms that are regularly updated to meet evolving security standards. The most widely used algorithms for digital signatures, such as RSA or ECDSA, ensure that each signature is mathematically unique and cannot be forged without the private key.

However, it is crucial that these algorithms are not outdated and that the key length is adequate.

Example
Certification authorities commonly recommend RSA keys of at least 2048 bits to ensure robust protection.

Another critical aspect of active security is the ability to revoke a digital certificate in the event of suspected compromise.

Example
An employee loses their USB token or believes that someone has gained access to their private key, it is necessary to immediately request the revocation of the certificate through the certifying authority. This action invalidates the associated digital signature, preventing any further unauthorized use.

Importantly, active security is not just about technology. It also depends on the awareness of the user. Even the most secure devices become vulnerable if handled carelessly.

For this reason, it is essential that users receive proper training and are educated on best security practices, such as not leaving their USB token unattended, not sharing their PIN, avoiding the use of digital signatures on unprotected or public computers, and being alert to phishing attempts.

Practical example
Can be seen in companies that provide their managers with digital signature devices to sign business contracts. In addition to providing the technical equipment, the company organizes training sessions to explain the risks associated with misuse of the signature and the procedures to follow in case of suspected compromise. This integrated approach—combining technology and user awareness—is what makes active security truly effective.

Passive security of the digital signature

The concept of passive security in the context of digital signatures refers to all the verification and control activities that can be carried out after a signature has been applied to a document. The goal is to ensure that the signature is valid, authentic, and that the document has not been altered in any way.

While active security focuses on preventing unauthorized access and improper use before the signature is applied, passive security is what allows the recipient of the signed document to confirm its validity and authenticity.

One of the key elements of passive security is the verification of the document’s integrity. When a digital signature is applied, the content of the document is “sealed” through a mathematical process. Any attempt to modify the content after the signature—whether it’s a change to a single letter, number, or punctuation mark—will render the signature invalid.

Example
If a digitally signed contract is opened and someone tries to alter a figure or a clause, any verification tool will immediately flag the signature as invalid, protecting both parties from fraud or manipulation.

Another crucial aspect of passive security is checking the Certificate Revocation Lists (CRL). Every digital certificate has a validity period and may be revoked at any time in case of theft, loss, compromise, or termination of the relationship with the certifying authority.

Therefore, before accepting a digital signature as valid, it is essential to verify that the certificate has not been revoked. This can be done through official online portals or specific software designed for digital signature verification.

A further layer of passive security is provided by the timestamping service. This service associates a legally valid date and time to the signed document, issued by a trusted third party.

This process ensures that the signature was applied at a specific point in time, independently of the date settings on the signer’s device.

Example
In the banking or notarial sectors, timestamping is often required to guarantee the temporal validity of signed documents, especially when they are subject to legal deadlines.

Another critical verification step is the analysis of the digital certificate attached to the signature. This certificate contains essential information such as the name of the holder, the certifying authority that issued it, the date of issuance and expiration, and its validity status. By checking this information, the recipient can confirm that the signature was truly applied by the declared signer and that the certificate was still valid at the time of verification.

Practical example
A company receives a digitally signed document from a supplier to formalize a business agreement. Before accepting the document, the company’s legal department conducts a passive verification process, checking the integrity of the file, the validity of the certificate, and consulting the CRL to ensure that the certificate has not been revoked. Only after completing these steps does the company consider the document valid.

Passive security plays a crucial role because it enables the recipient of a digitally signed document to be sure that the content is authentic, that the signature was applied by the rightful signer, and that the certificate has not been compromised.

Neglecting these checks could expose individuals, companies, and public institutions to risks of fraud, tampering, or legal disputes.

Cryptographic keys

Risks related to digital signatures

Although digital signatures provide a high level of security thanks to advanced cryptographic systems and strict authentication protocols, they are not entirely immune to risks.

Cyberattacks, user negligence, and systemic vulnerabilities can compromise the effectiveness and reliability of a digital signature, putting at risk the confidentiality and integrity of digitally signed documents.

One of the most common risks is the theft of the private key, which is the most sensitive component of the entire system.

The private key can be stolen through malware, phishing attacks, or simply by unauthorized physical access to the device that stores it, such as a smart card or USB token.

Example
An employee might receive an email that appears to come from the company’s IT department, asking them to enter their credentials or the PIN of their device. If the employee falls for the trap, the attacker could gain access to the private key and sign documents in their name without authorization.

Another risk scenario involves the improper use of the digital signature by authorized individuals who are not legally entitled to sign certain documents.

For example, an assistant who knows the PIN of a manager’s digital token might use it to sign a contract or official document without formal approval. This type of misuse is difficult to detect immediately and can lead to serious legal consequences.

A broader structural risk is the potential compromise of digital certificates due to cyberattacks on certifying authorities. Certification Authorities (CAs), which issue digital certificates, are high-value targets for hackers. If a successful attack occurs, it could allow attackers to create fraudulent certificates that appear authentic.

Although such incidents are rare and CAs implement very strict security measures, the risk cannot be entirely ruled out.

Example
There have been cases in recent years where databases of certificates were breached and fake certificates were distributed, undermining the trust in the digital signature ecosystem.

Finally, a significant non-technical risk is the lack of user awareness. Too often, individuals who use digital signatures underestimate the importance of protecting their private key and signing device.

Example
Many users leave their USB token plugged into their computer unattended, write down their PIN in an accessible location, or neglect software and security updates. This behavior increases the risk of theft, unauthorized access, and misuse of the signature.

Practical example
Of this negligence can often be found in small businesses or professional offices, where the signing device is left on a desk or in an unlocked drawer and where multiple people know the PIN for the sake of “convenience,” without realizing that such behavior exposes the organization to considerable legal and cyber security risks.

How to protect your digital signature

To protect your digital signature, it is essential to adopt good security practices:

  • Always use secure and updated devices.
  • Never share your private key or PIN with anyone.
  • Regularly change your access credentials.
  • Always verify the identity of the counterpart and the documents you sign.
  • Immediately request certificate revocation in case of suspected theft or compromise.

The security of the digital signature depends both on the technology and on the user’s behavior.

Questions and answers

  1. What is a digital signature?
    It is a cryptographic system that ensures the authenticity, integrity, and legal value of a digital document.
  2. What is the difference between an electronic signature and a digital signature?
    The digital signature has certified legal value and uses cryptographic keys.
  3. Is the digital signature secure?
    Yes, if active and passive security measures are correctly applied.
  4. What happens if I lose my private key?
    You must immediately revoke your certificate and request a new one.
  5. Can I use my digital signature on any document?
    Yes, as long as the document is digital and complies with required standards.
  6. How do I verify if a digital signature is valid?
    By using verification software or platforms that check the certificate and document integrity.
  7. What does active security of a digital signature mean?
    The set of measures to protect access to the private key and signing tools.
  8. What does passive security of a digital signature mean?
    The verification procedures to check the validity and integrity of an already applied signature.
  9. What should I do if my digital signature is compromised?
    Block its use immediately and contact the certifying authority to revoke the certificate.
  10. Can a digital signature be forged?
    It is extremely difficult, but possible if the private key is not adequately protected.
5
To top