Blog - Cryptomathic

Major standards and compliance of digital signatures - a world-wide consideration

Written by Dawn M. Turner (guest) | 07. January 2016

This article introduces the most relevant digital signature standards for global players, governments and banks.
The purpose of digital signatures is to enable seamless transactions between individuals, businesses and governments throughout the world. 

 

The push to develop standards to enhance trust when conducting both national and cross-border transactions prompted concerns for enhanced security methods that would to ensure that digital signatures are both authentic and easy to use. Because of these concerns, countries and groups such as the United States, Switzerland and the European Union implemented strict standards and requirements for compliance regarding the use of digital signatures.

Digital signatures following these standards have the same legal implication as traditional hand-written signatures. Given the strict compliance and security requirements (described below) by the standarizing bodies, digital signatures provide a higher level of security and protection against malicious attacks and fraud than simple generic electronic signatures. 

Digital Signature Standard

The Digital Signature Standard (DSS) was developed by the United States National Security Agency (NSA) and put into use by the National Institute of Standards and Technology (NIST) in 1994. Since July 2013 when DSS was announced under Federal Information Processing Standard (FIPS) 186, all departments and agencies of the United States government have been required to use this standard to protect sensitive unclassified information. DSS makes use of the digital signature algorithm (DSA) to generate digital signatures that are assigned both private and public keys. Only the message sender has knowledge of their private key, while the message recipient can use the public key to verify the integrity of the sender’s digital signature.

eIDAS Regulation

Regulation (EU) No. 910/2014, referred to as the eIDAS Regulation was enacted by the European Parliament in July 2014 and fully adopted by the European Commission by September 8, 2015 as an expansion of Directive 1999/93/EC. The intent of this regulation was to enable seamless and secure electronic interactions between citizens, businesses and governments to promote trust that would help build economic and social development through Digital Single Market. This standard provided a foundation to enable users the ability to safely access services and conduct both online and cross-border transactions with “one click.”

Included in eIDAS is the:

  • Use of national electronic identification schemes (eIDs) that allows citizens and businesses alike access to services, such as health services within other EU member countries that use eIDs.
  • Creation of electronic trust services (eTS) for the European internal market, including:
    • Electronic signatures
    • Time stamp
    • Electronic seals
    • Website authentication
    • Electronic delivery service

These services were assured to work cross borders and be legally considered the same as paper documentation. Armed with these assurances, eIDAS promoted the use of digital interactions for citizens and businesses. 

Maintaining compliance of eIDAS

Under the EU’s Commission Implementing Decision 2015/296, members of the EU are required to cooperate to achieve interoperability and the necessary security for electronic identification schemes. The Cooperation Network was created to assist in this endeavor.

Member States are required to rate their eID systems against the benchmark set by the Commission Implementing Regulation. This rating signifies that level of compatibility and interoperability for each individual member in regards to cross-border interaction.

The Commission Implementing Decision (EU) 2015/1506 provides specifications for using advanced electronic signatures and seals in the government sector. The purpose of this is to facilitate transactions across borders. Read more on eIDAS.

Federal Act on Electronic Signatures, Electronic Signatures Act

Enacted by the Federal Assembly of the Swiss Confederation in December 2003, the Federal Act on Electronic Signatures (ZertES) addresses the requirements for the authenticity of electronic signatures. These requirements state that an electronic signature must:

  • Be uniquely linked to its owner
  • Enable the owner’s identification
  • Be created in a way that gives the owner complete control
  • Detect tampering and alert the owner and recipient if the message has been tampered in any way
  • Be created on a secure device through the use of private cryptographic keys
  • Provide verification through the use of a public cryptographic key
Read more on ZertES

The international perspective

The NIST and eIDAS standards cover the world's biggest domestic markets. The Swiss Federal Act adds an important region with respect to banking and finance.

The Middle East and the Gulf Countries adopt the eIDAS regulation. Also, many South East Asian countries apply eIDAS to formalize their electronic signatures.

Read more on digital signatures...

 

References and further reading

 Image: Nguyen Hung Vu, Flickr