An electronic signature always refers to exactly one file. It can be contained in the file itself or it can be created as a separate file. An electronic signature for files is comparable to a seal that guarantees the integrity and intactness of things or containers. The following types of electronic signatures are distinguished, of which only the last is comparable to your legally binding, personal, handwritten signature.
· Simple electronic signature (for example your handwritten signature, scanned and inserted as a picture file)
· Advanced electronic signature (for example created with a software certificate)
· Qualified electronic signature (created with a signature card)
Please also read: the SOG-IS web page on recommended crypto algorithms and algorithm catalogues.
Authenticity and integrity
The task of the electronic signature is to guarantee the authenticity and integrity of files. After you have electronically signed a file, it is possible to determine whether this file was really signed by you (authenticity) and whether the content of the file was manipulated after signing (integrity).
How is an electronic signature created?
An electronic signature is created in three steps. In the first step a hash value is computed for the file, in the second step the hash value is encrypted, and in the third step the certificate is added.
1. Computing the hash value
A function is applied to the file that computes a unique value for it. This function is called a hash function and the value is called a hash value. A hash value requires much less disk space than the file for which it is created. Example of a hash value:
0D9C3ECDFBE036E1750DE82A7863F1E6B6AC336B
A hash value is unique for every file. If the same hash function is applied to the same file, then the resulting hash value is always the same. If the file is changed, a different hash value results from the computation. Hence, a hash value is unique for a file and determines the integrity of a file. As long as the hash function always yields the same hash value, the file has not been manipulated.
2. Encrypting the hash value
To encrypt the hash value, a so-called asymmetric key pair is used (for encryption see chapter 9.6). It consists of a private (secret) key and a public key. The private key is stored only on the signature card and cannot be removed from it. The public key can be accessed by everyone. The private key is used to encrypt the hash value. To do so, a program like Governikus DATA Boreum computes the hash value and passes it to the signature card. The hash value is encrypted within the signature card, and the encrypted hash value is then passed back to the program. To prevent misuse of the signature card, the personal identification number (PIN) is requested prior to encryption. Encryption starts only after the correct PIN has been entered.
3. Adding the certificate
After the encrypted hash value has been passed back to the program, the certificate is copied from the signature card and added to the encrypted hash value. It contains the signature card owner's name, the public key, and the certificate authority (CA, see chapter 9.2) that issued the signature card. Furthermore, the time at which the encryption was executed is added.
Signed file
The parts explained above (encrypted hash value, time of encryption, and certificate with public key) constitute the electronic signature. The electronic signature can be contained in the signed file itself, as is done in PDF files. Alternatively, the signature can contain the signed file. This signature is then called enveloped. If the signature is stored in a separate file, it is called detached. The certificate can be traced to the certificate authority. On request, the certificate authority confirms the signature card owner's identity, which also proves the authenticity.
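The three steps above, carried through for a detached signature and followed by the check a recipient performs, as an added example that is not part of Governikus DATA Boreum or of the original page. Assumptions: SHA-256 as the hash function, textbook RSA with a constructed toy key, and the hypothetical names SignatureCard, sign_detached and verify_detached.

```python
import hashlib
from datetime import datetime, timezone

# Constructed toy key from two publicly known Mersenne primes. Illustration
# only: a real card holds a randomly generated key and pads the hash.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

class SignatureCard:
    """Hypothetical stand-in for the card: the private key never leaves it."""
    def __init__(self, owner, issuer, pin):
        self._d, self._pin = D, pin
        self.certificate = {"owner": owner, "issuer": issuer, "public_key": (N, E)}

    def encrypt_hash(self, digest, pin):
        if pin != self._pin:  # the PIN is checked before any encryption
            raise PermissionError("wrong PIN")
        return pow(int.from_bytes(digest, "big"), self._d, N)

def sign_detached(data, card, pin):
    digest = hashlib.sha256(data).digest()      # step 1: compute the hash value
    encrypted = card.encrypt_hash(digest, pin)  # step 2: encrypt it on the card
    return {                                    # step 3: add time and certificate
        "encrypted_hash": encrypted,
        "signing_time": datetime.now(timezone.utc).isoformat(),
        "certificate": card.certificate,
    }

def verify_detached(data, signature):
    n, e = signature["certificate"]["public_key"]
    recovered = pow(signature["encrypted_hash"], e, n)  # decrypt with public key
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return recovered == expected  # True only if the file is unchanged

if __name__ == "__main__":
    card = SignatureCard("Erika Mustermann", "Example CA", pin="123456")  # constructed
    doc = b"Contract text, version 1"
    sig = sign_detached(doc, card, "123456")
    print("unchanged file:", verify_detached(doc, sig))
    print("modified file: ", verify_detached(doc + b"!", sig))
```

The comparison only establishes integrity against the public key in the attached certificate; authenticity additionally requires tracing that certificate to the issuing certificate authority, which this sketch does not do.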
Attention: The content of a file that was "only" electronically signed and is not encrypted can be viewed by a third party. The electronic signature proves authenticity and integrity but without encryption the content is not secret.