In today’s evolving world, going paperless with digital signatures is the way forward. What’s more, they are more secure than ever. Here’s everything you need to know about digital signatures and how they relate to electronic signatures.
# 1. So, what is a digital signature?
A digital signature is a specific technical implementation of an electronic signature (eSignature). Instead of using pen and paper, a digital signature uses mathematical algorithms and encryption techniques to sign and validate the authenticity of a document, file or software. It is an innovative and secure solution to ensure that the identity of the signer and the contents of a document are valid.
A digital signature contains information about who signed a document and what the document looked like when they signed it. As a result, the digital signature ensures:
- Origin: Who added the signature
- Time: The time the document was signed
- Integrity: That the document has not been changed. This also includes the origin and time.
- Non-repudiation: All the above means that the sender cannot deny having signed it.
In a way, a digital signature works exactly as an envelope seal does, but better. Imagine you want to send a document that was signed physically, from one country to another. You would need to post the document or send via courier, which naturally can be time consuming and involve a lot of paperwork. With a digital signature, the document can be sent electronically in an instant, saving time and money.
# 2. Why use a digital signature?
There are a variety of reasons to use a digital signature. For starters, a digital signature has the benefit of being less time-consuming, as it can speed up the signing process and avoid disrupting the signing flow, thereby increasing conversion rates. It is easier for the signer to sign – it's even possible to digitally sign PDF documents – and can additionally save financially in terms of both paper and management costs.
The benefits to business also include broader geographic reach in attaining customers, plus it is secure. In a day and age when incidents of data tampering and forgery are growing increasingly widespread, it is essential to protect any data sent online. A digital signature has the ability to validate the authenticity of an electronic document, file or message in digital communication.
Digital signatures can be used in any situation in which you want assurance about the identity of a signer and the integrity of a document. Many industries also use digital signature technology to streamline processes. Digital signatures are used, for example, in healthcare to improve the efficiency of treatment and administrative processes. They are used by governments worldwide for many uses including processing tax returns, managing contracts for security personnel, and other documents between government agencies and the public. In the financial sector, banks use digital signatures for contracts, paperless banking, mortgages, loan processing, and more. Digital signatures are also commonly used in e-commerce, software distribution, in fields such as manufacturing, and many other situations that rely on forgery or tampering detection techniques.
# 3. Are a digital signature and an electronic signature the same thing?
Digital signatures and electronic signatures are terms that can often be used interchangeably, and there is a lot of confusion around this. However, there is a difference between the two.
A digital signature is a specific technical implementation of an electronic signature (eSignature) or an electronic seal (eSeal). An electronic signature is comparable to a handwritten signature, and like its paper equivalent, is a legal concept and is signed by a human being. An eSeal, on the other hand, is signed by a legal organisation, for example a university sending out diplomas. Both prove origin, integrity, time, and non-repudiation. They allow legal entities to protect authenticity of electronic documents and data. Both are incorporated into eIDAS (Electronic Identification, Authentication and Trust Services), the EU regulation (910/2014) on electronic identification and trust services for electronic transactions in the European Single Market. It captures a person’s intent to sign a document.
A digital signature, on the other hand, is more than a scribble on a screen. It is a practical implementation and refers to the encryption/decryption technology on which an electronic solution is built. The digital signature encryption ensures that the data which is associated with the signed document is secure and is used to verify the identity of the originator and the integrity of the document.
Electronic signatures contain little or no evidence of the signer’s identity. So, when looking for a signature solution, it is important to ensure that this is based on digital signatures, and also that the identity of the signer can be verified.
With most signatures, the identity of the signer is important. Signicat Sign has unique and secure features, and can use different methods for identifying the signer, such as electronic identity (eID) and digital verification of paper ID, along with other technologies including facial recognition. eID has the power to be a more convenient and secure form of identification when compared to traditional ID alternatives, such as proof of address documentation. In countries where eIDs, (e.g. BankID, NemID, iDIN) are widespread, this can be used and makes it a very simple process for the user, as they will be reusing something they are familiar with. If no eID is available, the user will have to verify their identity by other means, such as uploading an ID paper. Signing opens a whole new ocean of opportunities, when you can electronically sign documents that previously required that you meet face-to-face and show your passport or other form of ID.
While the end user can identify themselves by uploading an ID paper, a digital signature is authorised by a trusted third-party and regulated by a Certification Authority (CA) that is responsible for providing certificate-based digital IDs that can be compared to trustworthy authentication documents such as passports or licenses. A trusted party is needed to ensure that the processing will be compliant with regulations. It is important to ensure that your electronic signatures are provided by a trust service provider, to ensure that they are legally binding, and to avoid putting you and your organisation at risk in the event of a compliance or legal case.
Signicat has been granted the status of a Qualified Trust Service Provider (QTSP).
# 4. Is an electronic signature legally binding?
A digital signature is legally binding, but this may depend on the jurisdiction. As long as certain requirements on the type of signature (for example, some regulations may require that the signature is a Qualified Electronic signature, which offers the highest level of security/trust/assurance for electronic signatures) and Government legislation are met, digital signatures have the same legal effect and weight as their written equivalents with ink and paper. Most countries have adopted legislation modelled after the United States, and European countries follow the eIDAS regulation. Many companies have also complied to digital signature technology regulations established by their specific industry, for example, Life Sciences and the finance sector.
# 5. How exactly does the digital signature process work?
Digital signatures use mathematical algorithms to sign and validate the authenticity of documents. To get a little more technical, digital signature providers are based on PKI (Public Key Infrastructure). PKI is the framework of encryption and cybersecurity that protects communications between the server (your website) and your client.
Typically, the PKI provides users with two keys, public and private. When an individual digitally signs a document, the signature is created using the signer’s private key, to encrypt signature-related data. The only way to decrypt this data is with the signer’s public key, and this is how digital signatures are authenticated.
However, people forget and lose things – including passwords – and there is always a need for a recovery mechanism. This is why eIDs are so unique; there is no need for users to remember keypairs. Signicat is using authenticated signatures, where the user can authenticate by any means. Signicat then adds a seal, using the Signicat private key.
The eIDs in the Nordics (BankdID, for example) uses keypairs, but this is not visible to the user. And the user can always get back to the issuer, in case of a forgotten password and a lost device. And any means of identifying who you are can be used for signing. For example, doing a BankID authentication, uploading an ID paper, or even providing a one-time code provided by SMS (as proof of access to your phone, in a low-risk scenario).
To create a digital signature, signing software creates a one-way hash of the electronic data to be signed. A one-way hash function transforms input messages of various length into a usually shorter fixed-length value. The private key is then used to encrypt the hash. The encrypted hash is the digital signature.
The value of a hash is unique to the hashed data. If any part of the hashed data is changed, even a single character, this will result in a different value. This attribute enables others to validate the integrity of the data by using the signer’s public key to decrypt the hash.
If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed. If the two hashes don’t match, the data has either been tampered with in some way, or the signature was created with a private key that doesn’t correspond to the public key presented by the signer. If the document changes after signing, the digital signature is invalidated.
To share an example of the above explanation, let’s say that Kevin signs a financial contract using his private key and the bank receives the document. The bank receiving the document also receives a copy of Kevin’s public key. If the public key cannot decrypt Kevin’s signature (via the cipher from which the keys were created), it means the signature isn’t actually Kevin’s, or the signature has been changed since it was signed. The signature is then considered invalid.
Digital signature solution providers like Signicat Sign meet PKI requirements for secure digital signing. These requirements are that keys should be created, conducted, and saved in a secure manner, and appoints the services of a reliable Certificate Authority (CA).
# 6. How does my organisation get started with using electronic signatures?
When it comes to digital signatures, there are a variety of options to choose from, depending on what aspects of the digital signature you require. There are basic free apps, subscription services offering premium features, and cloud-based solutions for on-the-go signing. However, most of these solutions (even the highly profiled ones) have poor user authentication,and the confidence in the identity of the signer is in many cases very low.
When you establish a business relationship with a signing provider, you will be issued certificates that prove the identity of your organisation when creating signing requests. In order to create a digital signature on a document, a signature request needs to be created. A signature request is when you prepare a document, send it out for someone to sign, and receive it back. You will receive status updates of the request and receive another update when the signing is complete. You can then download the signed document.
When the end user digitally signs a document, using an eID, the evidence that the end user has authenticated using the given eID is stored within the document. This is then sealed using the Signicat private key and is marked with the time the document was signed (called timestamping – see below). If the document is changed (e.g. as a fraud attempt) after signing, the digital signature is invalidated, and this will be flagged when viewing the document.
# 7. Does a digital signature ensure long-term availability of validation data?
To validate a signed document, you will need information from the certificate authorities (CA) that all certificates used are valid. A CA maintains a revocation list of certificates that for any reason are no longer valid, and this list will be checked (for all involved CAs) when validating a signature.
While this usually suffices for short-term usage, when more time that passes between the time of signing and the time of validation, the harder it will be to gain access to reliable certification data. To address this problem, Signicat Sign collects all the validation data and embeds this into the digital signature.
Another challenge is advances in cryptology and technology, which makes it possible to break algorithms and forge data. Any signed or encrypted data will at some time in the future be broken. Therefore, the signed document should be resealed periodically (typically every two to five years) to ensure longevity of the signature. This is known as preservation, which is also covered by eIDAS. Signicat Sign incorporates the proof of validation into the digital signature, ensuring that no matter how much time elapses between the time of signing and the time of validation, validation data will be available and sufficient, as long as the document is periodically preserved.
# 8. What is a timestamp and why is it needed for a digital signature?
Timestamping is another essential factor for long-term validation. In order to ensure that the digital signature is valid, its certificate must be validated against the time it was created. Although this seems straightforward, it would be possible for attackers to steal a private key, forge a signature, and backdate it to a time before they stole the key, making it look like the signature is legitimate.
Finding the current time is very simple (just ask a time server), but trusting a time of a past event is really hard. Signicat is a QTSA (Quality Time Stamping Authority), issuing timestamps that can be trusted. TSA-produced timestamps combine digital signatures and trusted time sources to create cryptographically strong evidence that a given piece of data existed at a given time.
# 9. How does a user verify their identity when signing?
If the signer has an eID, this will simplify the process a lot. Signicat supports a large number of eIDs, such as BankID, NemID, ItsMe, iDIN, Yes, and many more. With the eID, the user’s identity has already been validated, and the user will only have to provide the eID credentials to sign.
If the signer does NOT have an eID, they may provide identity information by uploading ID documents. This is combined by taking a self portrait (with liveness test) to show that the user is actually present, and not somebody else using the user’s ID document. Even more security can be achieved if reading the NFC chip of the ID document.
If the requirements are low, or you are already known by other means, a simple scribble on the screen and SMS OTP (One Time Password) authentication method can be used, where a number or letter code is sent to a mobile for the user to authorise.
Electronic Signing is unique in that it means you don’t need to meet face-to-face to sign a contract or agreement. This naturally saves a lot of time, both for the user and the service provider. The signer is instantly verified and you know the signature is completely authorised. This means you can be certain about who is signing. Therefore your document is not only more secure, but as there is also less concern over repudiation.
# 10. What should I do once my document is digitally signed?
Once the document is signed, it can be delivered instantly. Digital signature encryption automatically ensures that the data which is associated with the signed document is secure. It ensures origin, integrity, and non-repudiation, which means the signer cannot claim they did not sign the document. They have proven they have signed it, their identity has been verified, and now the document is enforceable by law.When the end user digitally signs a document, using an eID, the evidence that the end user has authenticated using the given eID is stored within the document.