The Difference between Electronic Signature and Digital Signature Posted on January 8, 2023 - 2:27 pm by John Webster In today’s digital age, the way we sign documents has evolved significantly. Traditional wet ink signatures have been replaced with electronic and digital signatures, offering convenience and efficiency for both individuals and businesses. In this blog, we’ll explore the key differences between electronic signatures and digital signatures, shedding light on their advantages and use cases. We will also highlight the importance of security and authenticity, emphasizing why Secured Signing’s digital platform, utilizing digital signatures and Remote Online Notarization (RON), stands out as a top security provider. What is an Electronic Signature? An electronic signature, also known as an e-signature, is a digital representation of a person’s signature, used to sign electronic documents and legally binding in most countries. These signatures can take various forms, including scanned images of handwritten signatures or typed names. Electronic signatures are created using various methods, such as typing a name, drawing a signature on a touchscreen, or using a digital signature pad. If you’re in a highly regulated industry dealing with personal or confidential information, such as finance, accounting, HR, legal, or healthcare, you might need to consider a more secure option. Advantages of Electronic Signatures Convenience: Electronic signatures can be created and signed from anywhere, at any time, if there is an internet connection. Time-saving: Electronic signatures eliminate the need for printing, signing, and scanning documents, saving time and resources. Cost-effective: With electronic signatures, there is no need for paper, ink, or postage, making it a cost-effective option for businesses. Legally binding: In most countries, electronic signatures are legally binding and hold the same weight as a handwritten signature. What is a Digital Signature? A digital signature, a specialized type of electronic signature, employs the robust encryption method known as Public Key Infrastructure (PKI). Digital signatures are generated through a digital certificate, provided by a Certificate Authority (CA). They offer the compelling advantage of demonstrating that the original document remains unaltered and free from forgery. Essentially, a digital signature acts as a unique fingerprint exclusive to a specific document, making it impossible for any other document to possess the same digital signature, ensuring the document’s integrity and authenticity. Advantages of Digital Signatures High level of security: Digital signatures use a two-key system, making them more secure than electronic signatures. Non-repudiation: Digital signatures provide non-repudiation, meaning that the signer cannot deny having signed the document. Tamper-proof: Digital signatures are difficult to forge or tamper with, providing an extra layer of security for important documents. Compliance: Digital signatures are compliant with various regulations and standards. Signer’s Identify is part of the signature. Signature’s Intent, the reason for signing Differences between Electronic Signatures and Digital Signatures Electronic and digital signatures serve the same purpose of signing electronic documents but diverge significantly in their technology, security, compliance, and importance in document security. Technology: – Electronic signatures employ diverse methods like typing or drawing a signature. – Digital signatures use PKI (Public Key Infrastructure) encryption and include signature’s graphical image. Security: – Digital signatures are more secure, offering non-repudiation and resistance to forgery or tampering due to PKI. Compliance: – Digital signatures comply with regulations like the eIDAS Regulation (EU), FDA (Food and Drug Administration) CFR 21 Part 11, ESIGN, UETA, and more.– Electronic signatures may not meet certain regulations and can vary in legal weight. Document Security: – Digital signatures provide even higher security through the robust two-key PKI system, guaranteeing authenticity and integrity. – Detect any changes that might be made to the content of the document after it is first signed – If the document is modified, signatures will immediately become invalid – Independent signatures verification. Electronic signatures and digital signatures are two distinct methods for signing electronic documents. While electronic signatures are basic solutions, digital signatures offer a higher level of security and assurance that the signature is genuine and unaltered. Understanding the differences between these two methods is crucial for businesses and individuals seeking secure and legally enforceable electronic signatures. At Secured Signing, we take your security and authenticity seriously. Our digital platform, incorporating digital signatures and Remote Online Notarization (RON), ensures your documents are protected, legally recognized, and tamper-proof. So, when it comes to securing your electronic signatures, choose the best—choose Secured Signing as your number one security provider.
Introduction to Digital Signatures Posted on October 28, 2022 - 3:28 pm by John Webster The Process & Validity behind Digital Signature Technology. Public Key Infrastructure – PKI A cryptographic system that uses two keys, a public key known to everyone and a private key, the private key has full control to the key owner, and has to keep in secured environment. A unique element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key. When David wants to send a secure message to Donna, he uses Donna’s public key to encrypt the message. Donna then uses her private key to decrypt it. Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman. It is also called asymmetric encryption because it uses two keys instead of one key (symmetric encryption). Digital Signatures Process Using David and Donna, we can demonstrate how digital signatures are work. From David’s point of view, the signing process operation is simple. But few steps are happening while signing process is started. : Generating a Private and Public Key For digitally sign documents, David needs to obtain a Private and Public Key – a one-time process , it’s done by Secured Signing Service while user registered. The Private Key isn’t shared and is used only by David sign documents. The Public Key is available for all, used for validate the signatory’s digital signature. Digitally Signing Document Create a Digital Signature A unique document’s hash that represent the document is created using a math scheme (like as SHA-1). Added the Signature to the Document The hash result and the user’s digital certificate that includes user’s Public Key are mixed into a digital signature; it’s done by using the user’s Private Key to encrypt the document hash. The resulting signature is unique to both the document and the user. Finally, the digital signature is embedded to the document. David sends the signed document to Donna. Donna uses David’s public key (which is included in the signature within the Digital Certificate) to authenticate David’s signature and to ensure the document didn’t alter after it was signed. Donna: Document validation process starts Decrypts David’s digital signature with his Public Key and gets sent document Compares David’s document hash with Donna calculated Has –Donna calculates the document hash of the received document and compares it with the hash document in the digital signature. If both hashes are same, the signed document has not been altered. Certificate Authority (CA) CA issued certificates to ensure the authenticity of the signatories. Certificates are similar to ID Document. When you want to identify a user in the system you check his certificate. This certificate issued in registration process once all require information filled in. In PKI world the CA uses the CA’s certificate for authenticating user’s identity.
Digital Signatures & Secured Signing Security Posted on October 27, 2021 - 7:58 am by John Webster Secure trusted service with PKI Technology Secured Signing web service uses Digital Signatures PKI technology for digitally signing documents. Public Key Infrastructure (PKI) technology has been proven to be the ONLY technology available today that ensures non-forgeable signatures. In a PKI system, you will get as a user, two keys: a public key and a private key. These keys are used for encrypting and decrypting information, digitally signing electronic information and verifying the authenticity of their owner. While the public key is distributed widely, the corresponding private key is held and encrypted in Secured Signing hardware (HSM) device and only the private key’s owner able to access and use it. The EU Directive 1999/93/EC for Digital Signatures recognised and defined a stronger type of electronic signature, the Advanced Electronic Signature. Only Public Key Infrastructure (PKI) digital signatures meet the requirements for such signatures. Communication All communications with Secured signing are encrypted with SSL technology. Users authenticate with encrypted login and password. Data Center Located in one of the most peaceful places on the planet (New Zealand) with: 3 high-speed, high-capacity internet feeds Power protection 2MVA mains supply Dual AC mains power supply system serviced by two independent suppliers Binary Uninteruptable Power Supplies with redundant re-routing (500kVA) One of the most advanced and reliable IDC power systems available Diesel generators Humidity controlled Heat Ventilation and Air Conditioning (HVAC) cooling units High Availability – 99.99% uptime SLA 24/7 armguard on-site security Biometric access control Security Cameras Payment gateway The Payment Gateway we are using is fully certified as Visa AIS and MasterCard SDP (PCI-DSS) compliant at processor level; using an approved QSA for quarterly scans on systems and full on-site audits, annually. All sensitive information is encrypted with the 3DES protocol, with Hardware Security Module as Network Security Processors. Compliance Certifications and Regulations The privacy and protection of your data is something we take very seriously – which is why our security and privacy program is based on and aligned with industry-standard frameworks, and we maintain a comprehensive suite of certifications and attestations to further demonstrate our commitment to security and privacy. ISO 27001 Certification IS 747283 Secured Signing is ISO/IEC 27001 certified and manages information security within a framework based on related standards such as ISO/IEC 27017 (Code of Practice for Information Security Controls Based on ISO/IEC 27001 for Cloud Services) and ISO/IEC 27018 (Protection of Personally Identifiable Information). “Internationally recognized ISO/IEC 27001 is an excellent framework which helps organizations manage and protect their information assets so that they remain safe and secure. It helps you to continually review and refine the way you do this, not only for today, but also for the future.” – Learn more about ISO 27001 with BSI. Secured Signing – ISO 27001 Control Structure Information security policies: A policy framework is in place to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Organisation of information security: Secured Signing have established a management framework to initiate and control the implementation and operation of information security within the organisation. This framework considers and ensures the security of teleworking and use of mobile devices as per the Mobile Device and Teleworking Policy. The framework will also assess risks to projects and review of the types and confidentiality levels of information the project will utilise and manage. Human Resource Security: Secured Signing have established processes and responsibilities relating to information security during the recruitment process, employment and separation. All employees receive security awareness training upon induction, and at least annually thereafter. Asset Management: Information assets, including hardware, software and data have been identified and classified and an inventory of assets is maintained. Secured Signing classify and handle all information assets in accordance with the Information Classification Policy. Secured Signing and dispose of information in accordance with the Acceptable Use Policy. Access Control: Methods and controls have been implemented to manage logical access to sensitive data to protect the confidentiality of information as well as integrity and availability requirements. Access requirements are assessed against Access Control Policy and Information Classification Policy. Access to Secured Signing information and systems must be: attributable to a uniquely identifiable individual who is responsible for actions performed with their system account based on the requirements of the individual’s role managed by passwords or other accepted authentication mechanisms and formally authorised by asset owners routinely revalidated and removed if no longer required Cryptography: Methods and controls for ensuring data are secured during transmission or storage through appropriate encryption processes. Includes methods and processes for managing keys, software and other artefacts. Physical and environmental security: Appropriate physical controls protect information assets against loss, physical abuse, unauthorised access and environmental hazards. These include perimeter security controls, physical access controls, intruder detection controls, fire, and flood and power protection controls. Operations security: Methods and controls are implemented that balance the need for IT Operations professionals to have privileged access to systems and networks with the requirement to maintain secure access and confidentiality of data. Management and operation of computers and networks shall be, commensurate with the business risk and value of the information assets. Access into networks will be granted on an individual user and application basis using authorised devices and secured pathways. Communications security: Methods and controls are implemented to manage the secure transmission of information to ensure confidentiality of sensitive data and to minimise the risk of data loss or leakage. Systems and networks are segregated according to their respective information security risks and use appropriate control mechanisms such as firewalls/gateways, physical isolation and encryption. System acquisition, development and maintenance: Information security controls for system acquisition, development and maintenance are specified in the Secure Development Policy and included as an integral part of the software development and implementation process. Security requirements are identified prior to the development or procurement of new information systems, documented in business requirements, validated and tested prior to implementation, and regularly throughout the systems lifecycle. Supplier relationships: Secured Signing have implemented security controls and processes to manage supplier access to information assets. Suppliers and vendors are be given access privileges only at the level required to deliver contracted services and contracts must comply with information security policies. Information security incident management: Secured Signing apply a consistent and effective approach to the management of information security incidents. Procedures that define the course of action when a security incident is identified are documented and made available to all employees. Information security aspects of business continuity management: The application of business continuity management minimises disruption to Secured Signing operations, defining the approach to resilience, disaster recovery and general contingency controls. Secured Signing have developed and periodically review and test Business Continuity Plans that support information security continuity. Compliance: Secured Signing ensure compliance with all applicable legal and contractual obligations related to information security including taking reasonable steps are taken to monitor, review and audit information security effectiveness. This includes the assignment of security roles, maintenance of policies and processes and reporting of non-compliance. Secured Signing maintains formal processes in place to manage a data breach and the mandatory notifications that are required under relevant laws and specific customer contracts.
Digital Signature’s legality – Is a digital signature legally binding? Posted on October 27, 2021 - 7:52 am by John Webster Today, most countries welcome the use of electronic signatures as a way to move beyond a paper-based environment. New Zealand, Australia (all states), the United States, Canada, South Africa, the United Kingdom, the European Union, and many others have established laws regarding the signing of documents in electronic format. While people use various ways to sign electronically, ONLY Digital Signature technology that uses industry-based standards of cryptography can satisfy these laws. The Secured Signing digital signatures online service complies with and exceeds these requirements! We are confident that the systems used by Secured Signing ensure that the electronic signatures produced meet the New Zealand legal requirements for a signature. In fact, the security and logging facility, in our view, provides better authenticity than many of the methods by which documents are now commonly signed and exchanged (e.g. email and facsimile). So, unless there are specific laws dictating that a document can only be signed in a particular way, any form of contract can be signed using the Secured Signing System. Rick Shera, Partner, LOWNDES JORDAN, Barristers & Solicitors, Auckland, New Zealand Law requirements Legal requirement for a signature is met by means of an electronic signature if the signature: Adequately indentifies the signatory; Adequately indicates the signatory’s approval of the information to which the signature relates; and (Intent) Is as reliable as is appropriate given the circumstances. An electronic signature is sufficiently reliable if: the means of creating the signature is linked to the person signing and no-one else, and the means of creating the signature was under the control of the person signing and no-one else, and any changes to the signature are detectable, and any changes to the documents are detectable (data integrity ). Our compliance How Secured Signing’s trusted Digital Signatures Service meets Electronic Signatures Laws Documents that are digitally signed with Secured Signing meet the above law requirements as follows: 1. Identifying the Signatory Only Secured Signing creates a unique digital certificate to a user, an Invitee, and a Witness. When these signatories register, additional information is added to their signature including a unique e-mail address with proof of ownership, full name, company’s legal name, full physical address, password, and more. Some of these details ensure the signatory is identified at the moment the digital signature is created. By digitally signing, users can easily verify the identity of the signatory via the digital certificate incorporated with the digital signature. Signature verification can be done online using Secured Signing’s Free Verification Service and/or on the verifier desktop. 2. Signature is linked to the signatory The Secured Signing digital signature technology ensures that every signature is uniquely linked to the signatory and to the document by using the signatory’s Private Key. The service creates a unique digital certificate for the signatory using a Cryptographic Key that eliminates the possibility to create and/or duplicate the same signature. 3. Creating the signature is under sole control of the signatory Secured Signing sends documents for signing only to the person whose signature is required; no one else will receive them. In order to sign, the signatory has to provide credentials verifying their right to sign: a proof of ownership of a unique e-mail address and a password to login. 4. Detecting Changes to the Document and to the Signatures (Data Integrity) Secured Signing’s trusted digital signature service is based on PKI technology that is considered to be the ONLY technology that ensures non-forgeable signatures. Signed documents are sealed with the signatory’s trusted PKI digital signature key; the system is also able to detect any changes that might be made to the content of the document after it is first signed. If the document is modified, signatures will immediately become invalid. The indication that changes have been made will appear when opening the documents in electronic format; it will also appear at the verifier desktop. Secured Signing solution provides additional unique features to support a valid Digital Signature: Strong SSL encryption for documents sent e-mail validation to prove ownership Signature’s Date and signatory’s local Time Stamp Signature’s purpose (Intent) Secure log-in and activities report Secured access Secured document storage Full signing process audit log Document log Digital signatures that use Personalised X509 PKI Digital Signature technology sustain signer authenticity, accountability, data integrity and non-repudiation of documents and transactions. In 1999, the EU passed the “EU Directive for Electronic Signatures” and on June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act (“ESIGN”), which made signed electronic contracts and documents as legally binding as a paper-based contract. In recent years, most countries worldwide have adopted legislation and regulations that recognise the legality of a digital signature and deem it to be a binding signature. Many of them have an Electronic Transactions Act in place. These legislations create a uniform standard for all electronic transactions and encourage the use of electronic signatures, giving electronic signatures the same legal effect as pen-and-paper signatures. “Signing documents online with Secured Signing is the online equivalent of the signatories being in the same room together” Rick Shera, Partner, LOWNDES JORDAN Barristers & Solicitors Secured signing service complies with ESIGN, UETA, Electronic Transactions Acts and many more. Some Legislation worldwide: Australian Capital Territory -ELECTRONIC TRANSACTIONS ACT 2001 Australia, New SouthWales (NSW) – ELECTRONIC TRANSACTIONS ACT 2000 Australia, Northern Territory (NT) – ELECTRONIC TRANSACTIONS ACT 2000 Australia, QLD – ELECTRONIC TRANSACTIONS (QUEENSLAND) ACT 2001 Australia, VIC – ELECTRONIC TRANSACTIONS (VICTORIA) ACT 2000 Australia, SA – ELECTRONIC TRANSACTIONS ACT 2000 Australia, WA – ELECTRONIC TRANSACTIONS ACT 2003 Australia, Tasmania – ELECTRONIC TRANSACTIONS ACT 2000 Canada – Uniform Electronic Commerce Act (UECA) China – Electronic Signature Law of the People’s Republic of China Europe – eIDAS New Zealand – Contract and Commercial Law Act 2017 South Africa – Electronic Communications and Transactions Act, 2002 UK – Electronic Communications Act 2000 (chapter 7) U.S. – Electronic Signature in Global and National Commerce Act (ESIGN) U.S. – Uniform Electronic Transactions Act (UETA)- adopted by 48 states Nothing on this page constitutes legal advice.