The digital signature.
eSignature, digital signature, electronic signature: what’s behind it.
The digital signature: concept, function, application
Anyone who signs a document is expressing his or her will. The signature represents the person signing the document. The most important factor here is that the signer must be identifiable and the signature must be unambiguously assigned to him or her. In the case of paper-based signatures, the individual signature, characterized by handwriting, is the essential proof of authenticity. In the case of signatures provided digitally, this proof is provided electronically: Digital signatures allow electronic documents to be signed digitally. Under current law, the digital signature can replace the handwritten signature on an equivalent basis.
Digital signatures and electronic signatures are often used synonymously. Actually, this is not correct. While the electronic signature is a legal term, the digital signature is linked to the process that generates it and should therefore be understood as a technical term. The eIDAS Regulation defines electronic signatures as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign (definition according to Art. 3 Z 10 eIDAS Regulation).”
The digital signature in its present form is made possible by a cryptographic process developed in the mid-1970s by U.S. computer scientists Whitfield Diffie and Martin Hellman at Stanford. They based their work on that of their colleague Ralph Merkle. The result of this work is the DHM protocol, which describes an asymmetric encryption method and guarantees data integrity and authenticity.
The idea of a double cipher key is central to the innovation of cryptographic techniques since the mid-1970s. The clue of the procedure is the exchange of a private and a public key within a standard Public Key Infrastructure (PKI): Here, each user generates his own key pair, namely a secret (private key) and a non-secret (public key).
In this cryptographic scenario, the communicating parties do not need a shared secret key, as is characteristic of symmetric encryption methods. The public key allows anyone to encrypt data for, verify the digital signatures of, or authenticate the owner of the private key. The private key, in turn, allows its owner to decrypt data encrypted with the public key. He can use it to generate digital signatures and authenticate himself.
The advantages of the asymmetric encryption method lie in their relatively high data security. Fewer keys are required than in a symmetric procedure, which means significantly less effort is required to keep the keys secret. The asymmetric encryption method also fulfills the central requirement for digital signatures: Documents can be uniquely assigned to a person and the content of the document cannot be changed without being noticed. Any deviation, any subsequent change, invalidates the applied digital signature and fundamentally devalues the document.
How the digital signature works
A unique, non-manipulable hash value is generated from the message or document to be signed. The sender/signer encrypts this value with his private key and adds his signature to the message. The recipient then decrypts the signature generated in this way using the signer’s public key. It compares the hash value received with the value calculated from the message itself. Only if these match the digital signature is valid. Which means that the authenticity of the sender and the integrity of the message are secured by digital signatures.
A simple practical example illustrates this concept: A company signs a delivery order digitally with its private key. The supplier receives a copy of the public key along with the document. If the supplier is then unable to decrypt the document, this is proof that it is not the customer’s signature and that the document has been altered. The digital signature becomes invalid and the transaction is delayed.
In order to create a digital signature, a certificate is always required, i.e., an electronic credential that links the identity of a specific person with a public key. Certificates are generated by a secure signature creation entity. Certificates differ in terms of different legal requirements, the security level of the issuing process, and the trustworthiness of the issuer, the trust service provider, also known as the certification authority.
The eIDAS Regulation therefore formulates a precise catalog of requirements for Trust Service Providers in Chapter III. They ensure digital identity and are responsible for digital certificates and signatures. Only Trust Service Providers that meet the requirements listed from Article 13 onwards are considered qualified. Qualified, and thus state-recognized Trust Centers are, for example, A-Trust, D-Trust or Swisscom Trust Services.
Different signature types
Digital signatures are differentiated into different security levels by the requirements precisely formulated in the eIDAS Regulation for the respective certificates and the certification authority issuing them.
Standard electronic signature
The simplest form of a digital signature is described by lawmakers as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” In concrete terms, this means that, for example, even a document signed by hand, scanned and thus digitized, has a simple electronic signature. This is because it is the electronic equivalent of a handwritten signature, with which the signatory expresses his or her agreement with the contents of the document in question. This form of electronic signature has a low level of security.
Advanced electronic signature
The requirements for the advanced electronic signature, as described in Article 26 of the eIDAS Regulation, go beyond this. This substantial form of electronic signature is uniquely associated with a signatory, because it ensures that the signatory can be identified. At the same time, it must be ensured that the content of a signed document cannot be subsequently changed without this becoming immediately apparent, which would render the document invalid. In summary, the advanced electronic signature both ensures the integrity of the document and proves the authenticity of the signatory beyond doubt.
Qualified electronic signature
The qualified electronic signature is the highest form of a digital signature. It has the highest legally binding value and is 100 percent equivalent to the handwritten signature in all EU member states. In Article 3, eIDAS defines a qualified electronic signature as “an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.” Specifically required are:
1. the existence of a digital identity, such as can be obtained in various identification procedures by private-sector and government providers.
2. a qualified certificate from a state-approved Trust Service Provider, a so-called Trust Center, gives the signed document its unique legal status.
Use of digital signatures
The range of usage of digital signatures is broad and can be found in practically all fields of society. Companies use digital signatures for internal and external signature processes. These processes are called “without cross-media conversion” since, in contrast to analog signature processes, they do not require paper, scanners or printers. The process can be completely digitized using the digital signature.
A widespread application of the digital signature is simple approvals in business processes. A simple electronic signature is often sufficient for this purpose.On the other hand, employment contracts, orders, and generally everything that has a high legal value in case of doubt is signed digitally with a qualified certificate. Signatures generated in this way stand up to legal scrutiny worldwide, as they are equivalent to handwritten signatures in all respects.
The range of applications for digital signatures also includes private, public and business spaces. These can be divided into private, business and official.
Private and business use of digital signatures
1. business to business (B2B) – legal communication between companies
2. customer to customer (C2C) – legal communication between citizens
3. business to customer (B2C) – legal communication between companies and citizens
Digital signatures in eGovernment
1. administration to business (A2B) – communication between administration and business
2. administration to citizen (A2C) – communication between administration and citizens
3. administration to administration (A2A) – communication between public authorities