
What is the electronic signature?

Basic concepts

Introduction

Security is one of the key concepts to which the Administration must pay close attention when moving into the world of Information and Communication Technologies (ICTs). The Administration must extend the legal guarantees it offers to citizens and companies to the operations carried out electronically.

Electronically-generated documents bear three concepts which must be safeguarded: confidentiality, integrity and authenticity.

  • Confidentiality refers to the capacity of keeping an electronic document inaccessible to others, except for a particular list of people.
  • Integrity guarantees that the received document coincides with the issued document without any possibility of change.
  • Authenticity refers to the capacity of determining whether a particular list of people has established its recognition and/or commitment on the content of the electronic document. The problem of authenticity in a traditional document is solved with an autographic signature. With their autographic signature, an individual or several individuals state their will to recognise the contents of a document and, if applicable, to conform to the commitments set in the document for that individual.

These problems of confidentiality, integrity and authenticity (that is, the signature and encryption processes) are solved with the technology known as cryptography. Cryptography is a branch of mathematics which, when applied to digital messages, provides the ideal tools to solve the previously mentioned problems. The confidentiality problem is commonly associated with encryption techniques, and the integrity and authenticity problems with digital signatures, although both actually come down to cryptographic encryption and decryption processes.

What is public-key cryptography?

Public-key cryptography is the cryptographic method which involves the use of a mathematically related key pair: a secret private key and a published public key, to encrypt documents or messages. Whatever is encrypted using a private key needs its corresponding public key to be decrypted. And vice versa, whatever is encrypted using a public key can only be decrypted with its private key. The private key can only be known by its owner, whereas the corresponding public key can be made known openly.

The fact that the private key is only known by its owner enables us to achieve two important things:

  • Any document generated with this key can only have been generated by the owner of the key (electronic signature).
  • A document to which the public key applies can only be opened by the owner of the corresponding private key (electronic encryption).

What is an electronic certificate?

An electronic certificate is a document issued and signed by a certification authority that identifies a person (individual or legal entity) with a pair of keys. A certificate contains the following information:

  • Identification of the owner of the certificate (Owner’s name, NIF, email,...).
  • Certificate’s distinctive features: serial number, entity that issued it, date of issue, certificate’s period of validity, etc.
  • A pair of keys: public and private.
  • The certificate’s electronic signature with the key of the certification authority (CA) that issued it.

All of this information can be divided into two parts:

  • Private part of the certificate: private key.
  • Public part of the certificate: rest of the certificate’s data, including the electronic signature of the certification authority that issued it.

The private part is never handed over by its owner. That is the basis of its security. With the pair of keys we can execute encryption operations with the peculiarity that whatever is encrypted with the private key can only be verified with the public key and vice versa.

What is an electronic signature?

An electronic signature is a digital fingerprint of a document encrypted with a key. The digital fingerprint is obtained by applying an algorithm to a message. This algorithm has two fundamental characteristics:

  • The message cannot be recovered from the generated digital fingerprint.
  • If the message is modified, the obtained digital fingerprint is different.

These two characteristics guarantee the message’s integrity. If the content of the message is changed, whoever verifies the signature will know.

The digital fingerprint is encrypted with the private key of the certificate of the person who signs. By applying the verification mechanisms, the receiver will know who signed and that person cannot deny authorship of that message.

How is an electronic signature generated?

1. A digital fingerprint of the digital document you want to sign is obtained. This digital fingerprint guarantees that two different documents generate different digital fingerprints, and two identical documents always generate the same digital fingerprint.

2. The digital fingerprint is encrypted (by means of mathematical algorithms) with the private key of the certificate. This way authenticity is guaranteed, since the owner of the certificate is the only person who could have encrypted it.

3. All the documentation is inserted in a signed document which includes:

  • Original document (optional).
  • Digital fingerprint encrypted with the private key.
  • Public part of the certificate.

Verification of an electronic signature

1. The digital fingerprint that was encrypted with the private key is decrypted by means of the certificate’s public key.

2. The digital fingerprint of the original digital document is obtained.

3. The digital fingerprints are compared. If they match, the signature is correct (there is integrity, the document has not been modified).

4. The issuing certification authority is consulted about the validity of the certificate, and if it is valid, the signature will be considered as correct and valid (the source of the signature is guaranteed as authentic).
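
The generation and verification steps above, as an added example that is not part of the original page. It assumes SHA-256 as the fingerprint algorithm and textbook RSA without padding on a constructed demonstration key; the function names and the package layout are hypothetical, and step 4 (asking the certification authority about the certificate) is not covered.

```python
import hashlib
from typing import Optional

# Constructed toy key pair (assumption): two Mersenne primes give a short,
# reproducible demo key. Real keys use random secret primes and a padding scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known only to the signer


def fingerprint(document: bytes) -> int:
    """Generation step 1: digital fingerprint (SHA-256 digest) as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, include_original: bool = True) -> dict:
    """Generation steps 2-3: encrypt the fingerprint with the private key, then package."""
    return {
        "document": document if include_original else None,   # original is optional
        "encrypted_fingerprint": pow(fingerprint(document), D, N),
        "public_key": (N, E),          # stands in for the public part of the certificate
    }


def verify(signed: dict, document: Optional[bytes] = None) -> bool:
    """Verification steps 1-3: decrypt with the public key, recompute, compare."""
    doc = signed["document"] if document is None else document
    if doc is None:
        raise ValueError("package has no original document; supply it separately")
    n, e = signed["public_key"]
    recovered = pow(signed["encrypted_fingerprint"], e, n)      # step 1
    return recovered == fingerprint(doc)                        # steps 2 and 3


if __name__ == "__main__":
    package = sign(b"constructed sample contract, v1")
    print("untouched:", verify(package))
    package["document"] = b"constructed sample contract, v2"    # content changed
    print("modified: ", verify(package))
```

`verify()` trusts whichever public key travels in the package, so a match here only shows integrity; it is step 4, the check with the certification authority, that ties the key to a person.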