A signature assigns a document to the signatory (signer). Signatures as a sign of confirmation or agreement are daily companions in the business world as well as in private life. They have been an integral part of our lives for hundreds of years. A few years ago, there was still a dispute whether the scan of a manual signature has enough requirements to be valid. Since the eIDAS regulation, this only applies to qualified electronic signatures. But what are qualified electronic signatures?
What are electronic signatures?
The electronic signature is, so to speak, the digital equivalent of the handwritten signature. It is considered a sign of the declaration of intent in digital form. Electronic signature procedures have existed since the early noughties. In the meantime, they have become established in business life. In the vast majority of countries, qualified electronic signatures have the same status as handwritten signatures. In Europe, the eIDAS Regulation the central standard. There are various forms of electronic signature procedures. Only qualified electronic signatures have the same status as manual signatures.
Variants of electronic signatures
According to the eIDAS Regulation an electronic signature is defined as: "data in electronic form which is attached to or logically associated with other electronic data and which is used by the signatory to sign". The eIDAS Regulation further distinguishes between three levels of digital signatures. These become more secure at each level. Only qualified electronic signatures are equivalent to handwritten signatures on paper.
The Simple Electronic Signature (SES)
The simplest form of electronic signature is the Simple Electronic Signature (SES). Although this term is not mentioned in the eIDAS Regulation itself, it has become established in practice. It is basically a collective term that covers all electronic name signatures that do not have an advanced or qualified level. Even the typed name (e.g. in the mail signature) is considered an SES.
The Advanced Electronic Signature (AES)
The requirements for an Advanced Electronic Signature (AES) are much higher. An AES fulfils all of the following requirements:
- It is uniquely assigned to the signatory (private key).
- It enables the signatory to be identified.
- The signature creation data used is under the sole control of the signatory.
- It is linked to the data signed in this way in such a way that any subsequent change to the data can be detected.
From a technical point of view, the electronic signature works with the help of a private and public key. First, a unique hash value is calculated from the document (the "fingerprint" of the document). The hash value is calculated from the entire text. It is usually expressed as a 64-digit hexadecimal number. If the document is subsequently changed, the hash value changes. This makes the signature invalid. The hash value is encrypted with a private key and stored in the metadata of the document. The hash value can be read out of the metadata using the signatory's public key.
The hash value can be calculated again from the received document. A validity of the signatures is only given if the received hash value from the metadata matches the recalculated hash value. In this case, it can be assumed that the identity of the sender and the integrity of the information received are guaranteed. If the hash values do not match, an error is reported. In this case, the security of the process is not given.
The Qualified Electronic Signature (QES)
The Qualified Electronic Signature (QES) is the most secure type of electronic signature. It has all the properties of an AES and works technically in the same way. In addition to the requirements for an AES, it is created by a qualified signature creation device and is based on a qualified certificate for electronic signatures. A qualified certificate may only be issued by qualified trust service providers (QTSP). To become a QTSP, a service provider must meet strict criteria set by the competent authorities.
Conclusion: What are the benefits of a qualified electronic signature?
A QES therefore essentially fulfils two functions. It guarantees that documents are not subsequently changed ("Integrity"). And data is assigned to a specific person ("Authenticity"). Only this person has the private key. The issuing of qualified certificates and the control by authorities also ensures that the signature certificates function reliably.
More on the benefits of digital signatures coming soon in our Blog.