Legal issues 

Electronic signature: studying the application procedure. What is an electronic signature, why is it needed and what advantages does it give to a business? Technological electronic signature

An electronic signature is a mathematical scheme designed to display the authenticity of electronic messages or documents. A valid digital signature provides every reason for the recipient to believe that the message was created by a known sender, that it was actually sent (authentication and non-repudiation), and that the message was not altered in transit (integrity).

Answering the question: “EDS - what is it?” - it is worth noting that they are a standard element of most cryptographic protocol sets and are usually used for software distribution, financial transactions, and also in many other cases where it is important for detecting forgery or falsification.

Digital signatures are often used to implement electronic signatures. This is a broader term that refers to any electronic type data. However, not every electronic signature is digital.

Digital signatures use asymmetric cryptography. In many cases, they provide a certain level of verification and security for messages that were sent over an insecure channel. When properly implemented, a digital signature allows one to believe that a message was sent by the intended sender. Digital seals and signatures are equivalent to handwritten signatures and real seals.

EDS - what is it?

Digital signatures are similar to traditional handwritten signatures in many ways and are more difficult to forge than handwritten signatures. Digital signature schemes have cryptographic underpinnings and must be implemented properly to remain effective. How to sign a digital signature document? You need to use 2 paired crypto keys.

Digital signatures can also implement the principle of non-failure operation. This means that a subscriber cannot successfully claim that it did not sign the message. Additionally, some schemes offer a timestamp for the digital signature and even if the private key is compromised, the signature remains valid. Digital signatures can be represented as a bit string and can be used in email, contracts, or a message sent using some kind of cryptographic protocol.

Public key cryptography or digital signature structure

What it is? The digital signature scheme includes three algorithms simultaneously.

A key generation algorithm that selects a secret key uniformly and randomly from a set of possible private keys. It issues a secret key and a public key that goes with it.

A signature algorithm that, given a message and a private key, actually produces the signature.

A signature verification algorithm that takes into account the message, public key and signature and accepts or rejects the sending of the letter, determining the authenticity.

How to install digital signature?

In order to use a digital signature, it is necessary to provide it with two main properties. What should you consider before signing a digital signature document?

First, the authenticity of the signature generated from the fixed message and the private key can be verified using the corresponding public information.

Second, it must be computationally infeasible to guess the correct signature without knowing the secret key. A digital signature is an authentication mechanism that allows the originator of a message to attach a code that acts as a signature.

Using Digital Signatures

As modern organizations move away from paper documents with ink signatures, digital signatures can provide additional authentication and proof of document authorship, identity and status. In addition, a digital signature can be a means of demonstrating the informed consent and approval of the signatory. Thus, digital signature for individuals is a reality.

Authentication

Although letters may include detailed information, it is not always possible to reliably identify the sender. Digital signatures can be used to authenticate the origin of messages. When the EDS secret key is linked to a specific user, this confirms that the message was sent by them. The importance of trusting that the sender is genuine is especially evident in financial sectors.

Integrity

In many scenarios, the sender and recipient of an email need to be sure that it has not been altered in transit. Although encryption hides the contents of the sent object, it is only possible to change the encrypted message without understanding its meaning. Some can prevent this, but not in all cases. In any case, checking the digital signature during decryption will reveal a violation of the integrity of the letter.

However, if the message is digitally signed, any change to it after signing will disavow the signature. Additionally, there is no efficient method to modify a message and produce a new one with a valid signature because it is considered computationally impossible.

Non-repudiation

Non-repudiation or the impossibility of denying the origin of a letter is an important aspect in the development of digital signature. What it is? This means that the entity that submitted some information cannot subsequently deny that it signed it. Likewise, access to the public key prevents attackers from forging a valid signature. The use of digital signature for individuals has the same consequences.

At the same time, attention should be paid to the fact that all the properties of authenticity, reliability, etc. depend on a private key, which must not be revoked before it is used. Public keys must also be revoked when paired with private keys after use. Checking the digital signature for “revocation” occurs upon a specific request.

Entering a secret key on a smart card

All public/private key cryptosystems rely entirely on keeping the data secret. The EDS secret key can be stored on the user's computer and be protected by a local password. However, this method has two disadvantages:

  • the user can sign documents exclusively on this specific computer;
  • The security of the private key depends entirely on the security of the computer.

A more secure alternative for storing the private key is a smart card. Many smart cards are tamper-resistant.

Typically, the user must activate their smart card by entering a personal identification number or PIN (thus ensuring that it can be arranged so that the private key never leaves the smart card, although this is not always implemented in crypto digital signatures.

If the smart card is stolen, the attacker will still need the PIN to create a digital signature. This somewhat reduces the security of this scheme. A mitigating factor is that the generated keys, if stored on smart cards, are generally difficult to copy and are assumed to exist in only one copy. Thus, when the loss of a smart card is detected by the owner, the corresponding certificate can be immediately revoked. Private keys protected only by software are easier to copy and such leaks are much more difficult to detect. Therefore, using digital signature without additional protection is unsafe.

Procedure for generating a digital signature

At the preparatory stage of this procedure, the subscriber A− message sender − generates a key pair: secret key k A and public key K A. Public key K A calculated from the secret key paired with it k A. Public key K A sent to other network subscribers (or made available, for example, on a shared resource) for use in signature verification.

To generate a digital signature, the sender A first of all calculates the hash value h(M) signed text M(Fig. 1). The hash function is used to compress the original signed text M to the digest m− a relatively short number consisting of a fixed small number of bits and characterizing the entire text M generally. Next is the sender A encrypts the digest m with your private key k A. The resulting pair of numbers represents a digital signature for the given text M. Message M together with the digital signature is sent to the recipient.

Fig.1. Scheme for generating an electronic digital signature

Network subscribers can check the digital signature of a received message M using the sender's public key K A this message (Fig. 2).

When checking the digital signature, the subscriber IN− message recipient M− decrypts the received digest m public key K A sender A. In addition, the recipient himself calculates using the hash function h(M) digest m' received message M and compares it with the decrypted one. If these two digests − m And m'− match, then the digital signature is genuine. Otherwise, either the signature is forged or the content of the message has been changed.

Fig.2. Electronic digital signature verification scheme

The fundamental point in the digital signature system is the impossibility of forging a user’s digital signature without knowing his secret signing key. Therefore, it is necessary to protect the private signing key from unauthorized access. The EDS secret key, similar to the symmetric encryption key, is recommended to be stored on a personal key carrier in a protected form.

An electronic digital signature is a unique number that depends on the document being signed and the subscriber’s secret key. Any file can be used as a signed document. A signed file is created from an unsigned file by adding one or more electronic signatures to it.

The digital signature structure placed in the file being signed (or in a separate electronic signature file) usually contains additional information that uniquely identifies the author of the signed document. This information is added to the document before the digital signature is calculated, which ensures its integrity. Each signature contains the following information:



date of signature;

· expiration date of the signature key;

· information about the person who signed the file (full name, position, short name of the company);

· signer identifier (public key name);

· the actual digital signature.

It is important to note that, from the end user's point of view, the process of generating and verifying a digital signature differs from the process of cryptographic closure of transmitted data in the following ways.

When generating a digital signature, the sender's private key is used, while encryption uses the recipient's public key. When verifying a digital signature, the sender's public key is used, and when decrypting, the recipient's private key is used.

Any person can verify the generated signature, since the signature verification key is public. If the signature verification result is positive, a conclusion is made about the authenticity and integrity of the received message, that is, that this message was actually sent by one or another sender and was not modified during transmission over the network. However, if the user is interested in whether the received message is a repetition of a previously sent one or whether it was delayed along the route, then he must check the date and time of its sending, and, if available, the sequence number.

Today there are a large number of digital signature algorithms.

Currently, electronic digital signatures are widely used and used both in the internal document flow of companies and when transferring documents to government agencies, for example, the tax office. In addition, electronic digital signatures are actively used in government procurement by both customers and suppliers. In the article let's get acquainted with the history to the emergence of an electronic signature,Let's look at what an electronic signature looks like, its application and practice of use.

1. History of electronic signature

Thirty years ago in 1976, Whitfried Diffie and his co-author, Stanford professor Martin Hellman, pioneered public key cryptography, which is based on a key exchange algorithm. It arose on the basis of the idea of ​​​​transmitting information from one subject to another subject so that outsiders, having access to it, could not understand it. Until our time, technology has undergone changes, even what an electronic digital signature looks like. But since the publication of their research, the use of an electronic digital signature (EDS) began. Electronic signature as a technology came to Russia in the early 90s and was introduced in 1995. These changes were made to the Civil Code of the Russian Federation. Where Article 160, paragraph 2, provided for the use of an electronic signature when registering transactions, as an analogue of a handwritten signature (HSA).

This protection technology has become of interest to our domestic banks. Among the first was the Central Bank of Russia, in addition to other credit institutions. An electronic digital signature has found application to protect information systems in such organizations, allowing secure data transfer, for example, in bank-client systems. Until 2002, protecting the transmission of information was the main purpose of using an electronic signature.

2. Legal significance of electronic digital signature.

As the problem of protecting the information space and the use of electronic signatures for this significantly expanded, the corresponding law “On Electronic Signatures” No. 63-FZ of 04/06/2011 was developed, which would regulate work with data encryption and expand the scope of application of electronic signatures. This made it possible to create electronic document management.

The use of electronic signatures is regulated by the state at the federal level through two laws, Federal Law No. 1 and Federal Law No. 63, which help resolve disputes in civil law relations.

The bill was adopted because the Civil Code only gave permission to use an electronic signature, as an analogue of a handwritten signature with significant restrictions. This law also regulated the resolution of legal disputes, as previously it was difficult due to the lack of authorities responsible for the authenticity of electronic signatures. Although there were earlier court proceedings in which a computer document appeared as evidence (a 1979 case of computer theft of 78 thousand 584 rubles in Vilnius). Then there was a trial in 1982 in the city of Gorky (a case of grand theft).

The most important shift in the adoption of the EDS law was the legal acceptance of an electronic document as equal to a paper document. In the United States, the law on the use of digital electronic signatures was adopted in 1995 in the state of Utah.

The Federal Law on Electronic Digital Signatures has shortcomings in its wording. They increase the risk of using an electronic signature, so detail and more precisely defined terms of agreements are necessary. An example of this is Article 4 of the EDS Law, which establishes three conditions for the equivalence of a handwritten signature. One of them is very controversial, since it indicates that the certificate is valid at the time of signature or at the time of verification. This ambiguity of interpretation requires further clarification. Although any law is controversial, the digital signature law is no exception. IP organizers today successfully compensate for these shortcomings at the level of agreements between the parties. The main disadvantage of this law is that it is not a direct law.

In Russia, when the law on digital signatures was adopted, developers had certain difficulties. All certified cryptographic information protection tools were incompatible with each other. Moreover, this problem before the emergence of certification centers was not as acute as after their appearance. Often, a certificate issued by one certification authority was not recognized by another certification authority.

This problem was partially solved by signing an agreement, which stated that the format of encrypted messages and the public part of the key would be developed by Crypto-Pro LLC. The agreement was signed directly by Crypto-Pro LLC, FSUE STC Atlas, Factor-TS LLC, Infotex OJSC and MO PNIEI CJSC. So the problem was partially solved, but it did not disappear completely, although most of the developers of the electronic signature in Russia formally or officially joined this agreement.

3. Concept and definition of electronic digital signature. Using an electronic signature

An electronic digital signature (abbreviated as ES) is a special standard of a document attribute that excludes the destruction of data transmitted in an electronic document from the moment the ES is completed and confirms the relationship of the ES to such owner. The attribute content is generated using cryptographic data transformation.

Electronic digital signature certificate is an attribute that proves the relationship of the public key (the key that is being verified) of the electronic signature to the owner of the certificate.

Certificates are issued by certification authorities (CAs) or their authorized representatives.

The owner of an electronic signature certificate is, as a rule, an individual for whom an electronic signature certificate is issued at a certification center, regardless of the legal form of the organization. For such an individual, the certificate on electronic media includes two electronic keys: private and public.

The private key of the electronic digital signature (ED key) generates the electronic signature with which the electronic document will be signed.

An electronic digital signature is formed by encrypting the information contained in the document. It represents a unique sequence of characters and is located in the body of the signed file or attached to it.

When purchasing a certificate, an organization or owner must ensure its security and must protect the private key from theft.

The public key of the electronic digital signature (digital signature verification key) and the private key of the digital signature are interconnected. The private key is intended to verify the authenticity of the digital signature.

For this purpose, digital signature media with an encrypted file system were developed. It has a key container that limits the number of attempts to decrypt the file system and the container itself. Smart cards and USB tokens are actively used for this. In order to start using such a device, you need to connect the device to your computer and enter your personal PIN code. Entering such a PIN code has a limited number of entries (usually three), after attempts have been exhausted the device is blocked.

A high level of private key protection is currently provided by Aladdin e-Token and Rutoken. Interaction with the private key occurs on the device's storage chip, i.e. the key never leaves him. This prevents the key from being intercepted from RAM.

4. Qualified and unqualified electronic digital signature and their varieties

Simple electronic digital signature- belongs to an individual to confirm the signing of documents. But there is no way to determine whether the electronic document itself has changed, i.e. its contents. It is intended for electronic document management within the company.

Enhanced electronic digital signature- after the amendments to the law on electronic signatures, such a signature began to have varieties.

Enhanced unqualified electronic digital signature- the function of this enhanced unqualified electronic digital signature is to identify the sender. Such an electronic signature can be obtained even in non-accredited centers. Documents signed using an electronic signature are equivalent to paper documents signed by hand.

Enhanced Qualified Signature- this signature applies the highest degree of protection, as it is formed by cryptographic protection tools that can be used by certification centers with an FSB license or by the FSB itself.

Signature Options

Simple electronic digital signature

Strengthened unqualified signature

Enhanced Qualified Signature

It is formed on the basis of codes, passwords, etc.

Formed on the basis of cryptographic modification of document data using an electronic digital signature key

It is possible to identify the owner of the document

It is possible to establish the fact of changes in electronic documents after they are signed

The maximum degree of protection - the electronic digital signature verification key is in a qualified certificate

5. What does an electronic signature and media for it look like?

The Rutoken electronic identifier is a device aimed at authorizing the owner and protecting electronic correspondence. It looks like an electronic signature on a medium such as a USB keychain (flash drive).

eToken is a secure device that supports operation and integration with all major systems and applications, smart cards or USB keys.

The electronic digital signature itself looks like either an icon or an image of a seal. You can view the certificate and what the electronic signature looks like in your browser properties.

Before signing a WORD document or a letter from a mail server, you must install an electronic digital signature on your computer. After this, you can sign the document.

For example, if there is a need to send a letter using an electronic signature, then after installation you need to go to > file > prepare > add a digital signature or > add a digital signature (CRYPTO-PRO)

When using an electronic signature, you can add an image of a seal or your signature to visualize it.

After signing the document, an icon will appear at the very bottom. This is what an electronic signature will look like in a WORD document.

An electronic signature can be added to email clients and Adobe Acrobat Pro to sign PDF files.

In Microsoft Outlook, signing with an electronic signature will look like this.

To add an electronic signature to applications, you may need to install additional software, for example, CryptoPro Office Signature. This is for WORD versions above 7 and for Adobe Acrobat Pro. Signing a pdf document using an electronic signature looks like this:

And this is what the electronic signature of the Tax Inspectorate looks like. As a rule, you can encounter it when receiving extracts from the Unified State Register of Legal Entities in electronic form. Banks use similar electronic signatures.

6. Where can I apply an electronic signature?

At the moment, there are many options for using an electronic signature.

For example, an electronic signature is used for electronic document management, both internal and external. With internal document flow, documents migrate within the organization. These are, for example, orders and instructions that employees need to familiarize themselves with and endorse their familiarization with.

With external document management, documents migrate between companies. For example, documents are transferred using an electronic signature in B2B or B2C systems.

If it is necessary to submit reports to regulatory authorities, or to be able to use the Client-Bank, an electronic signature is also used. To receive a full service on the State Services website, individuals must also purchase an electronic signature.

Digital signature for individualsappeared relatively recently and is not yet as popular as in the business sphere. What is an electronic signature for individuals, what opportunities does it provide, where to go to obtain it - all this will be discussed in this article.

Electronic digital signature - what is it?

The procedure for using digital signatures when signing documents is regulated by the Law “On Electronic Signatures” No. 63-FZ of 04/06/2011. An electronic signature is an analogue of an individual’s signature, which has the following properties:

  • is unique;
  • protected from copying;
  • indicates the person who signed the document.

From a technical point of view, an electronic digital signature is formed by encrypting the information contained in a document and is a unique sequence of characters. It is either located in the body of the signed file or attached to it. That is, the external expression of an electronic signature has nothing in common with a handwritten signature. Despite the fact that the purpose of both types of signatures is the same - to certify the authenticity of the document.

The law names 3 types of electronic signature:

  1. simple - serves to confirm that the document comes from a certain person;
  2. reinforced unqualified - not only indicates the person who put it down, but also confirms that after it was put down, no changes were made to the document;
  3. enhanced qualified - has the characteristics of an unqualified digital signature, but is issued only in specialized centers accredited by the Ministry of Telecom and Mass Communications.

It is a qualified signature, according to the law, that gives the document full legal force (that is, it fully replaces a handwritten signature, as well as the seal of the organization). It is required, for example, when submitting electronic reports to the Federal Tax Service, Pension Fund and other government agencies. Other types of digital signatures can be used in business relations if the agreement between the parties provides for their use.

Why do individuals need an EDS?

Today, electronic digital signatures are increasingly used in the work of legal entities. Its use is especially relevant for organizations that have a large number of divisions or enter into transactions with counterparties located at a considerable distance from them. However, with the transition of many types of activities to the virtual space, citizens often need to obtain an electronic digital signature.

Don't know your rights?

We list the main areas in which digital signatures are useful for individuals:

  1. Receiving government services via the Internet. Possession of an electronic digital signature will allow you to fully use the services of the state portal. services (for example, tracking traffic police sanctions, filling out an application for obtaining a passport, sending a declaration to the Federal Tax Service, etc.).
  2. Submitting an application for admission to a university. Every year, more and more educational institutions introduce the practice of accepting applications from out-of-town applicants certified with an electronic signature.
  3. You can electronically submit an application to the tax authority, as well as documents for opening a legal entity. persons or individual entrepreneurs.
  4. The use of digital signature allows you to formally draw up documents (for example, a work contract) for individuals working from home and receiving orders via the Internet.
  5. When using an electronic signature, it will be possible to participate in electronic auctions (the property of enterprises declared bankrupt is often sold at them).
  6. It is possible to submit an application for a patent for an invention electronically.

How and where to get an electronic digital signature?

In order to obtain an electronic digital signature, you need to contact an institution called a certification center. The list of accredited centers and their addresses can be found on the website of the Ministry of Telecom and Mass Communications. These institutions are located in almost all major cities.

Although, speaking technically correctly, the center issues not the signature itself, but the software for creating it. Using these means, the owner has the opportunity to sign each electronic document with a unique digital signature (See . How to install digital signature on a computer and sign a document (Word, pdf)?).

To use a signature, 2 keys are issued: private (secret) and public. They represent encoded information of a certain volume. The private key is used to sign the document, and the public key is used to verify the signature (the owner provides this key to the recipients of the emails). The rights of the owner of the public key are confirmed by a certificate issued by a certification authority.

When applying for an electronic signature, a citizen will need a package of documents, the specific list of which may vary depending on the certification center. The following documents are most often required:

  • application for issuance of digital signature;
  • certificate of assignment of TIN;
  • passport;
  • pension certificate (SNILS);
  • document confirming payment for the center's services.

In most centers, an application can be submitted via the Internet. As a rule, the process of producing an electronic signature takes no more than a few days.