A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).
Digital signatures are a standard element of most cryptographic protocol suites, and are commonly used for software distribution, financial transactions, contract management software, and in other cases where it is important to detect forgery or tampering.
Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. In some countries, including the United States, Algeria, Turkey, India,Brazil, Indonesia, Mexico, Saudi Arabia, Uruguay, Switzerland and the countries of the European Union, electronic signatures have legal significance.
Digital signatures employ asymmetric cryptography. In many instances they provide a layer of validation and security to messages sent through a non-secure channel: Properly implemented, a digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital seals and signatures are equivalent to handwritten signatures and stamped seals. Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes, in the sense used here, are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private keyremains secret. Further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid. Digitally signed messages may be anything representable as a bitstring: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol.
Digital Signature Is The First Step To Paperless Office
Nowadays the speed of business connections is increasing rapidly. In order to be in the frontline of the world competition, companies are adopting new technologies such as web conferences, distant work places, internet banking, & usage of electronic documents. Electronic documents are efficient in commercial, cost and environment perspectives. Electronic signature concept is growing in its popularity, the new wave of electronic office concept will flow over the business world very soon. There are strong drives to replace paper-based document circulation with electronic one, replace handwritten signature with electronic one. However, doing business via internet or signing e-documents require more security, trust, traceability and accountability. The new technology of advanced digital signature has created a base for a secured paperless office. Enforceability of electronic documents & digital signatures allows easily exchange legal electronic documents, reduce the process costs & time connecting with mail and printing. Digital signature provides more authenticity in comparison to handwritten signature.
History Of Electronic Signatures
The first idea of using electronic signature backs to 1861 when Morse code was used to send signed agreements by telegraphy. Such agreements were confirmed as enforceable by the New Hampshire Court in 1869.[Howley vs.Whipple 48 N.H.487] :”It makes no difference whether [the telegraph] operator writes the offer or the acceptance in the presence of his principal and by his express direction, with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. In either case the thought is communicated to the paper by the use of the finger resting upon the pen; nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office.”
In 1980s many companies start using fax machines for signing time-sensitive agreements. (http://www.isaacbowman.com/the-history-of-electronic-signature-laws) Almost all commercial contracts between distant parties included articles permitted signing documents by fax (and then sending originals by post). But due to technology development and widespread of PC users in 1999-2001 the new era started and many countries enacted several legal acts regarding electronic signatures and documents to provide proper legal framework. In 1999 the European Union adopted EU Directive on Electronic Signatures, in 2000 Bill Clinton signed US ESIGN act, in 2001 Vladimir Putin signed Federal Law “About electronic digital signature” and many other countries has adopted legal acts in this sphere in order to define the liability & validity of electronic signatures and enforce this practice in business world.
Technology Of Digital Signature
What is an electronic signature? First of all, it is a method of electronic document authentication. Electronic signatures have a variety of forms: e.g. a PIN number, ‘I accept’ button used when buying something on-line, signature by digital pen pad device, digital signature, etc. The higher value transactions needs better security and most people who are using electronic signature are confronted with two issues: (1) security (2) admissibility by law. The answer for these two questions is advanced electronic digital signature. It very crucial to distinguish between digital signature & electronic signature. Digital signature is a type of electronic signature which is created with asymmetric codes (also known as asymmetric cryptography or public key system). The digital signature makes a recipient of document to believe that the message was created by a signatory & was not altered in transit. The authenticity is secured by public & private keys. The private key, which is known only to the signatory, and is used to create the digital signature and change the message into encrypted form. The public key is used by a receiving party to verify the digital signature and decrypt the message. To simplify, let’s imagine that there is a window with two locks. One key (public key) allows you to open a window shutter & see what is inside of the house; the other key (private key) allows opening a window and putting anything inside the house.
Digital signature is considered the most secured at the moment, but it can’t guarantee 100% security. The international standard on information security management is ISO/IEC 27001 (http://www.berr.gov.uk/files/file49952.pdf). On one hand digital signature is more secure then handwritten signature, on other hand due to technology progress soon digital signature could become vulnerable to forgery.
In order to increase security digital signature keys are created by Certified Service Providers (CSPs). CSPs issue special certificates to electronic signatures which certifies the admissibility & reliability of the signature. Usually the CPS are fully controlled by the law. A digital signature which is based on a qualified certificate has strong jurisdiction value. (www.securityfocus.com/infocus/1756)
It is affordable for ordinary people with any PC skills to use digital signatures. The client (the owner of the signature) gets the key store device (e.g. flash memory, touch memory, smart card, etc). In order to sign the prepared electronic document, the owner of the signature inserts key store device into computer, clicks a mouse and the preinstalled digital signature program puts signature into document automatically. What is done by the other user, who verifies signature?. The other user’s program decrypts the message & if the program detects that the message signed is the message which was created when the signature was decrypted, the other user with public key will know that the signed data has not been changed.
Many laws were adopted all over the world to facilitate e-commerce, e-government services & use of electronic records and signatures. In many countries electronic signatures are legally binding, but laws concerning electronic signatures are not precise enough leaving space for confusion & misunderstanding. If we take for comparison three legal acts of US, EU and Russia, we will find that the legal acts are different in scale & content.
Despite the fact that many US states has already created their own local laws regarding electronic commerce & signatures or signed UETA (Uniform Electronic Transactions Act) , on June 30, 2000, US Congress enacted the Electronic Signatures in Global and National Commerce Act (“ESIGN”) in order to facilitate the use of electronic records and signatures in national and foreign commerce by ensuring the validity and legal effect of electronic contracts and to develop a nationwide standard while preserving the ability of states to “modify, limit or supersede” ESign through adoption of UETA
The main provision of ESIGN is to ensure that electronic records, signatures, contracts are not denied legally just because they are in electronic format. http://www.pillsburylaw.com/siteFiles/Publications/DFB1675089CB2C799F50BB06E795BCAB.pdf
ESIGN defines electronic signature as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
In 1999 the European Union issued EU Directive on Electronic Signatures which gives guidelines and creates framework for member states to achieve certain results in electronic signature sphere.
EU Directive on Electronic Signatures describes three types of electronic signatures: weak electronic signature, advanced electronic signature and advanced electronic signature based on qualified certificate (or strong digital signature). A digital signature which is based on a qualified certificate has the strongest jurisdiction value in comparison to weak electronic signature & simple advanced electronic signature.
RF Federal E-Law
The basic legal act on digital signature in Russia is Federal Law “About electronic digital signature” which was embodied on January, 10 2002. The main purpose of creation of this document is to provide basis when the digital electronic signature is considered equal to handwritten signature. The law covers main areas of creation & usage of digital electronic signatures and functioning of certification service providers.
The main legislative acts on digital signature are Federal Law “About electronic digital signature”, Federal law “About information, informatization, and information security”, Federal Law “About personal information” and Civil Code of Russian Federation.
Federal Law “About electronic digital signature” defines electronic digital signature is a requisite of electronic document, which is designed to protect the electronic document from forgery, and created using cryptographic coding of information with private key, which ensures identification of the owner of certified key and makes sure that the information in electronic document was not altered. This law also states that an electronic digital signature (based on asymmetric cryptographic algorithms) in an electronic document has the same effect as an autograph signature on a hard-copy document if the following conditions are met:
- Key certificate, which is related to electronic digital signature, is valid at the moment of checking or at the moment of e-document signing, if the date of signing could be proved.
- the authenticity of the signature is proved
- The electronic digital signature is used according to information included in the certificate of signature key. ( Chapter 2, article 4, clause 1 )
Chapter 3 regulates the activity of Certifying centers, which issue certificates for digital signatures, and relationships between certified center, owner of the digital signature and the government.
There are two main conditions in this law: both private and public keys should be issued by a certified service provider and the owner of the signature is only a natural person. The law provides clear conditions of digital signature usage
The Part One, article 160 of Civil Code of Russian Federation also permits usage of digital signature: “The use of a facsimile copy of a signature by means of mechanical or diverse copying, an electronic digital signature or diverse analog manual signatures, is permitted in cases and in the manner prescribed by law and diverse legal codes in undertaking contracts or agreements among parties.” Federal law “About information, informatization, and information security” confirms that the digital signature is enforceable “The legal force of a document that is stored, processed and transmitted with the help of automated information and telecommunication systems can be confirmed by an electronic digital signature. The legal force of an electronic digital signature is recognized by the presence in an automated intelligent system of a programmed means of identifying a signature and observing predicted characteristics in its use” (article 5)
The most interesting issue is that both ESIGN and EU Directive are technology neutral, living space for misunderstanding & adequate freedom.
According to Erkki Liikanen, member of the European commission, responsible for enterprise and the information society, EU and Russian laws are very compatible, but there are two main differences:
“-Both the EU and UNCITRAL have adopted a technologically neutral approach to authentication based on electronic signature rather than the digital signature approach currently adopted by Russia. Although Russia’s choice may be founded on security considerations, we would recommend that further consideration be given to the electronic signature approach which has a wider applicability and potentially a longer validity because of its technological neutrality,
– The EU Directive on electronic commerce covers all information society services whereas the draft Russian law is limited to the conclusion of contracts…”
In may 2007 Russia has signed UN convention on the Use of Electronic Communications in International Contracting. The convention came into force in December 2007 & Russia became the tenth country, which allows the international contracts negotiated electronically are valid and enforceable as contracts in hard-copies. The convention is applicable only for international agreements excluding “contracts for personal, family or household purposes” and other particular cases covered in article 2 of the Convention.
There are two ways for parties to exclude usage of the convention: (1) include clause into the agreement, which excludes the application of the convention (2) avoid exchange of information via electronic means.
The convention describes in details how to determine the location of the parties. The main provisions are : (1) the party has the right to determine its location in the contracts, (2) if the location is not stated by the agreement, and party has varies locations, then the place business will be chosen “the closest relationship to the relevant contract”. (www.uncitral.org/pdf/english/text/electcom/ch_X_18.pdf)
There is a high contradiction between local Russian law and UN convention on the Use of Electronic Communications in International Contracting. As the international law supersedes the local laws, but some agreements according to Russian law should be done in hard-copy and should be archived for a long time. The best solution for such situation ( for high value contracts) is usage of electronic digital signatures which are already enforceable in Russia by the Federal Law “ About electronic digital signatures”. If this case the two conditions are in force: (1) there is a prove that documents are authentic (2) the documents could be presented at any time.
Why We Are Afraid To Sign E-Agreements?
Russian society traditionally & historically is very bureaucratic & tends to be suspicious to documents. Despite that the federal law on digital signature was adopted in 2001, we are very far from usage of this system. As far as government & state authorities will not start using electronic digital signatures, the Russian world of business commerce will not use it at full force.
E-documents could tremendously simplify my professional life, but nowadays signing electronic agreement seem to me almost impossible due to the following reasons:
- Legal acts are far from ideal, there is room for Some laws are incompatible with other laws. For example, there is no clear indication about e-document and digital signature in Russian Tax code and many our partners in regions even don’t want to hear about electronic agreements.
- People are very resistant to new technologies, especially people working in state companies….
The way I work with our partners, which are located very far, we first sign documents by fax, then we send via post the hard-copy of documents.
But there are very positive trend in electronic documentary area. First of all, Russia has developed a system of electronic governance. This year the e-government will start working at a full force. Secondly, our country has its own cryptographic standards, Russia have own algorithms for creating and verifying digital signatures. Step by step, people will start using electronic documents and I believe in the nearest future
The new double key encryption system, which is used in electronic digital signature, will bring, for sure, new opportunities not only to business but to all spheres of virtual world & e-government services. This system helps to avoid forgeries, speeds up document circulation, saves time and environment, eliminates corruption. Digital signatures could be used everywhere including intra-corporate electronic document circulation, communication with state authorities, in tax reports and internet bank payment system, municipal order bids, etc
However, time doesn’t stand on the same place, the new types of signatures will come up soon. The nearest inventions are digitally encrypted signature (or dynamic signature), which is based on the handwritten signature but digitalized via writing process taking into account dynamic signals (pressure & speed), and biometric signature capturing, the process which attaches to the e-document some biological data of the signatory. So, the main question is e-legislation will be as fast as signature technology?
- http://www.berr.gov.uk/files/file49952.pdf”e-commerce in russia” speech by erkki liikanen, member of the european commission, responsible for enterprise and the information society http://www.delrus.ec.europa.eu/ru/news_301.htm
- http://www.digitalsign.ru/?sec=2 ( in russian)
- https://www.tractis.com/contracts/490915454#tc174 – list of legal acts of different countries
- http://medialaw.ru/e_pages/laws/project/d2-3.htm Federal law in English
- http://www.epam.ru/index.php?id=22&id2=415&l=eng –