A secure esigning solution leverages both e-signature and digital signature technology
Electronic signature and digital signature technology are not one in the same, but rather work hand-in-hand.
Westlake Village, CA (PRWEB) April 02, 2014
SOFTPRO published today an explanation of the terms, "electronic signatures" and "digital signatures", thereby alleviating the misunderstanding that they are synonymous. The company's Chief Technology Office (CTO) offers a clear explanation to differentiate these two terms that are often used incorrectly.
"Electronic signature and digital signature technology are not one in the same, but rather work hand-in-hand," explains Alain Sarraf, SOFTPRO's CTO.
An electronic signature is the electronic representation of the signer's intent to sign. A digital signature, on the other hand, is a mechanism to secure electronic data. A good electronic signature is thus secured and therefore made trustworthy using a digital signature.
A ‘digital signature’ is the result of a purely cryptographic process that is intended to help the receiver, of any digital entity, identify whether or not it has been tampered with. In other words, a ‘digital signature’ is used to secure anything digital such as a document, or a piece of software, and provides the means for establishing whether or not the originator is who they say they are.
A digital signature can answer the question: “Is this really the version of the document you sent me?”. An ‘electronic signature’, on the other hand, is a digital representation of a person’s intent to authorize a transaction and is ideally embedded in a document and secured by a ‘digital signature’ as defined above. It can be used to answer the question: “Did you really want to go through with this contract?”.
The signer's intent to authorize a transaction with an electronic signature (i.e. the data representing the signer's authorization) can take many forms such as a handwritten, biometric signature captured on a mobile device, clicking “I Agree”, or even a recording of the signer saying ‘yes’ during a recorded transaction.
The two technologies, present in an electronic signature, work together, and in fact combining them can provide a powerful method for proving intent in a contractual process. Using both enables to prove, with a very high degree of certainty, that the person’s signature was really placed in a document by them. This concept is often referred to as non-repudiation because it is very difficult for a signer to refute the fact that it is their signature in the document, and very easy to prove that the document is original and unmodified.
So far so good? Let’s look at a typical electronic signing process and identify what technology comes into play.
Step 1) Electronically Signing a Document: The user electronically signs a document (e.g. PDF) using a handwritten signature, captured on a signature pad, tablet or smartphone, or by clicking an “I Agree” button. In the case of a handwritten signature, the esigning software captures the signature graphics (what the signature looks like), as well as the signer’s biometric information i.e. data related to how the person signs.
Any additional information that could be used to identify the signer can also be incorporated as part of the electronic signature data. This could be any digital information specific to the signer (or the signing process) such as the IP address of the computer, the date and time stamp when they signed, or any other user registration information such as a user name.
To complete the process, an integrity hash ” (a long string of data) is calculated over the document using standard hashing algorithms. What this means is that a bit string is calculated using the contents of the document as an input. This is useful because the algorithm will always generate the same hash when given the same input. So, if a document is changed, the new version of the document will generate a different bit string and therefore indicate that the document has been tampered with. We’ll see in Step 3 below why this is important.
Step 2) Digitally Signing a Document:
Now that we’ve captured the data for the electronic signature, it’s time to do the following: place the electronic signature in the document, make sure that no one can tamper with it, and also make sure that anyone who receives it knows that it really originated from whom they think it did. We can do this using a digital signature. Digital signatures use private and public key pairs (PKI) to encrypt and decrypt the electronic signature data respectively. The private key is secret and is used where the digital “signing” and encryption of the hash actually takes place, while the public key travels with the document to help a receiver decrypt it. So when receiving such a document, how can an individual be sure that the public key hasn’t been tampered with and that it really came from the claimed sender?
The public key will be bound to the document within a so-called digital certificate that essentially contains information in addition to the public key such as who the sender is, how long the certificate is valid for, a serial number and much more information describing the owner of the certificate. This information can be used to query a third party certificate authority to identify whether or not the public key came from the person it claims to have came from. So now we know that the public key must be valid and the organization can use this key to ascertain whether or not the document received has been tampered with or not.
Step 3) Validating the Signature
When a document is digitally signed, the private key is used to encrypt the document hash discussed above. The encrypted hash, and the digital certificate, which contains the required public key to decrypt the hash, becomes part of the document essentially enabling the document's integrity to be validated at any time.
The simplest way to validate a document’s integrity using the digital signature is to load it into any PDF Reader that supports digital signatures! The PDF Reader will calculate the hash value of the document and compare it to the original one we calculated in Step 1, and further secured in Step 2.
If the hash matches the original one, the document must be the untampered original since the hashing algorithm will always calculate the same hash given a specific input document. In the end, this indicates that the electronic signature (the digital data representing the signer's intent) is valid. If not, the digital signature will be marked as invalid.
In conclusion, the concepts of digital signatures and a person’s intent to sign in the form of an electronic signature, are synergistic. Used together, they provide a powerful means of both establishing intent and securing the integrity of a transaction. As a side note, it is possible to sign a document electronically without securing it using digital signatures. This is most easily done by simply placing the electronic signature data in the document e.g. by pasting an image of a signature. However, by doing so, the signed documents will not be tamper-proof and can easily be refuted by the signer. This type of “electronic signing” should not be confused with the electronic signature as described above because of the absence of a digital signature to secure the process.
This all sounds very complicated, but it is actually quite simple in day to day practice. ESignature software, such as SOFTPRO’s SignDoc, provides the ability to securely esign in any environment and on any device, without necessarily understanding what’s happening under the hood, and at the same time ensuring the integrity of your documents.