Digital Signature
A digital signature is used to sign electronic documents with legal validity. It is required by law in order to have business relationships with Public Administration bodies and the Chambers of Commerce. Generally, a certificate for a Digital Signature differs from that for an electronic signature not in its content, but rather in the basic system infrastructure of the Certification Authority that issued it, the method used to identify the owner (visual recognition), the device used to make the signature, and so on.
To be recognized as such, a digital signature is subject to certain constraints:
- The digital signature must refer unambiguously to a single subject and to the document or set of documents to which it is affixed or with which it is associated.
- The affixing of the digital signature incorporates and replaces the affixing of seals, punches, stamps, marks and trademarks of any kind for all purposes provided for under applicable legislation.
- For the generation of digital signatures, a qualified certificate is required that, at the time of signing, has not expired and has not been revoked or suspended.
- The qualified certificate must, according to the technical rules established under Article 71, demonstrate the validity of the certificate, the particulars of the owner and certifier, and any usage limits.
The electronic or simple signature is constituted by a set of data in electronic form. These data are attached to, or connected by logical association with, other electronic data and are used as a method of computer identification.
The electronic signature does not, in its implementation, provide mechanisms to authenticate the signatory or to protect the integrity of the signed data and, for this reason, is considered the weakest of signatures.
Technically, a certificate for an electronic signature does not differ from that for a Digital Signature in content, but primarily in that the certificate is saved to the secure signature device upon which the key pair is generated.
The secure devices adopted by CedacriCert include USB tokens and HSMs (Hardware Security Modules), i.e. physical devices that contain objects (private and public keys, digital certificates) through which cryptographic operations are performed. The private key cannot be extracted from these devices.
The Digital Signature profiles made available to the CedacriCert Public Key Infrastructure (PKI) are:
- PKCS7
- XML
The processes provided for Signature are:
- Simple signature
- Multiple Signature: Parallel Signature, Countersignature
In order to complete its range of services Cedacri also offers biometric signature services: a solution that enables the collection of biometric signature data via a pad or tablet, capable of recording not only the shapes of the pen strokes made by the client but also their pressure, speed, rhythm, acceleration and aerial movements.
This solution may be used to attach biometric data of the user's signature to the electronic format (pdf) of a document (e.g. a notice of payment) and seal it with the electronic signature of an official (e.g. at a bank).
Application of a biometric signature at a bank counter
The Cedacri solution consists of biometric devices, a software architecture for signature capture and verification that operates both client-side and server-side, and is completed via integration with the applications of the bank.
- The operator initiates the process via the New Branch client. This action generates a call to the application server through the Enterprise Signature Bus, which issues a session token and retrieves the document from the print repository, obtaining its hash (also called the "fingerprint" of the document). The token is used throughout the process to ensure "trust" between client and server;
- It is possible to choose devices that encrypt biometric data directly on the tablet. By sending the hash of the document to be signed, the tablet permits the association of the biometric data with the document itself, ensuring that they cannot be fraudulently associated with a document other than the one for which the signature shown on the tablet was collected;
- The biometric signature data (the pressure and speed of the pen recorded during the act of signing) are inserted in encrypted form within the structure of the document without making them visible;
- The document at this point is digitally signed. Its integrity can be verified at all times, confirming the validity of the digital signature;
- The biometric data have been inserted within the document and permanently linked to it by means of the digital signature.
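The binding of biometric data to the document hash described in the steps above can be illustrated with the following added example, which is not Cedacri's code. The record layout, the function names, the demo key and the use of an HMAC as the binding are assumptions made for illustration; the final certificate-based digital signature over the document is not reproduced here.

```python
import hashlib
import hmac

# Constructed sample data (not from any real system).
DEVICE_KEY = b"constructed-demo-device-key"       # assumption: secret held by the tablet
SAMPLE_PDF = b"%PDF-1.4 constructed payment notice #1"
OTHER_PDF = b"%PDF-1.4 constructed payment notice #2"
SAMPLE_BIOMETRICS = bytes.fromhex("a1b2c3d4e5f6")  # stands for the encrypted pen data


def document_hash(pdf_bytes: bytes) -> str:
    """SHA-256 'fingerprint' of the document being signed."""
    return hashlib.sha256(pdf_bytes).hexdigest()


def _tag(doc_hash: str, blob_hex: str, key: bytes) -> str:
    # A genuine doc_hash is fixed-length hex, so the '|' split is unambiguous.
    return hmac.new(key, f"{doc_hash}|{blob_hex}".encode(), hashlib.sha256).hexdigest()


def bind_biometrics(doc_hash: str, encrypted_biometrics: bytes,
                    key: bytes = DEVICE_KEY) -> dict:
    """Capture side: tie the encrypted biometric blob to exactly one document hash."""
    blob_hex = encrypted_biometrics.hex()
    return {"doc_hash": doc_hash, "biometrics": blob_hex,
            "tag": _tag(doc_hash, blob_hex, key)}


def verify_binding(pdf_bytes: bytes, record: dict, key: bytes = DEVICE_KEY) -> str:
    """Verifier side: return 'ok' or the reason the record is rejected."""
    try:
        doc_hash, blob_hex, tag = (str(record[k]) for k in ("doc_hash", "biometrics", "tag"))
    except (KeyError, TypeError):
        return "malformed-record"
    # 1. The record itself must be unmodified (hash and blob still belong together).
    if not hmac.compare_digest(_tag(doc_hash, blob_hex, key).encode(), tag.encode()):
        return "record-tampered"
    # 2. The hash inside the record must be the hash of the document presented.
    if not hmac.compare_digest(document_hash(pdf_bytes).encode(), doc_hash.encode()):
        return "wrong-document"
    return "ok"


if __name__ == "__main__":
    rec = bind_biometrics(document_hash(SAMPLE_PDF), SAMPLE_BIOMETRICS)
    print(verify_binding(SAMPLE_PDF, rec))   # genuine pairing
    print(verify_binding(OTHER_PDF, rec))    # record moved to another document
```

In a deployment such as the one described, the final digital signature over the whole document is what makes this binding permanent and verifiable by third parties.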