A secure electronic signature or “digital signature” is a cryptographically based electronic signature Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digital signature complies with advanced electronic signature defined by European law (eIDAS).
An advanced electronic signature shall meet the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
eIDAS says : Legal effects of electronic signatures
1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.
Digital Certificates are the electronic counterparts to identity, passports and membership cards. You can present a Digital Certificate electronically to prove your identity or your right to access information or services online.
Digital Certificates, also known as electronic certificates or digital IDs, bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A Digital Certificate makes it possible to verify someone’s claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users. Used in conjunction with encryption, Digital Certificates provide a more complete security solution, assuring the identity of all parties involved in a transaction.
A Digital Certificate is mainly issued and digitally protected (signed) by a Certification Service Provider (CSP). Technically speaking a user can issue a self-signed certificate with appropriate software. In this case the user identity cannot be proved by a third party.
A Digital Certificate typically contains the:
- Owner’s public key
- Owner’s name
- Expiration date of the public key
- Name of the issuer (the CA that issued the Digital Certificate
- Serial number of the Digital Certificate
- Digital signature of the issuer
- The most widely accepted format for Digital Certificates is defined by the CCITT X.509 international standard; thus certificates can be read or written by any application complying with X.509.
Almetis through its Almetis Essential software, Almetis SignCenter and Almetis Executive, has choosen the digital signature standard PAdES. We aim at facilitating the use of electronic signatures, and so we decided to promote the simplest way to electronically sign documents. This gave birth to the concept of WIPIWYS *.
*What Is Presented Is What You Sign!
The first step of signing is to create a “fingerprint” of the document. At the time of signature, a hash algorithm, MD5 or SHA type, produces a unique “fingerprint” of the document. When something changes in the document (even a pixel or a comma) this algorithm is able to create a new unique fingerprint which differs from the initial one. The comparison of the two fingerprints is used to verify the integrity of the document. In addition and sometimes mandatory, the signature must be used with a time stamp in orderto certify the date and time of the signature by a trusted source other than the local time on your computer . Technically the timestamp, integrated in the document, is a signature created by a time server.
The second step is to bind the fingerprint of the document to the signatory by using the signer’s cryptographic private key generated before or during signature creation. In most cases, the signature software incorporates into the document all the data which is needed for long-term validation of the electronic signature.
The validity of an electronically signed document is checked by a software or by a computer application that supports signature verification following steps:
The first step is to decipher the fingerprint of the document with the signer’s public key. The public key is attached to a digital certificate for the identification of the signatory.
The second step is to calculate the fingerprint of the signed document, and compare it with the fingerprint decrypted in the first step. If the two fingerprints are identical, then the signed document has not been altered, and so its integrity was preserved. If the fingerprints do not match, at least one change was made on the document after its signing.