Recommendations for Providing Digital Signature Services

With the ever-growing number of electronic transactions and documents, the use of digital signatures make it possible to trust and act upon these transactions as if they were printed on paper and signed by a trusted source. Digital signatures are used as a proof of authenticity, data integrity and non-repudiation of communications conducted over the internet. 

This article describes 7 drivers for successful digital signature services.

Digital signing should offer end-to-end privacy with the signing process being user-friendly and secure. Digital signatures are generated and verified through a Digital Signature Algorithm (DSA). A DSA allows an entity to authenticate the integrity of signed data and the identity of the signatory. Because a digital signature can only be generated by an authorized person using their private key, the corresponding public key can be used by anyone to verify the signature. Each signatory has their own paired public (known to the general public) and private (known only to the user) keys.

User Experience

Digital signature services must provide an improved user experience that offers simplicity and the ability to sign legally binding electronic transactions securely.

• Customizable Design - A signature service should have the flexibility to integrate with any application either on the web or a local workstation PC. It should easily integrate the signing process into the business workflow. 
  
  
• Usability - Signature services should be made available for multiple devices and scenarios. It should work on the principle of ‘Anytime, Anywhere, Any device’ access. The signature capability alone is pointless if it is not integrated with client applications to allow for documents, emails, data, etc., to be easily signed by their intended signatories. 
  
  
• Zero Footprint - It should offer a zero footprint solution which does not need middleware or additional client applications on the customer side. 

Security

A prerequisite for the signature to be of value is that the private key used for signing is properly protected and controlled by its owner.

• Local Secure Signature Creation Devices 
  In some Public Key Infrastructure (PKI) implementations, the user has to carry their private key around with them on a smart/chip card or store it on their computer. The physical security and responsibility of the key lies with the individual user, as it is stored on a system or a hardware token, e.g. a smart card. When the smart card is connected to the device, malware or Trojans can take control of the smart card and sign data without the user´s consent and leaving virtually no trace to be used in case of disputes. 
  
  
• Central Server Signing
  In central signing solutions, the user’s private key is stored centrally, the user has to authenticate themselves to the service and sign the relevant electronic document within the server itself. The strength of authentication mechanisms can be easily enhanced depending on requirements. The signature generation process will create a system trace or log on the server. This gives a considerable security advantage to central server signing as centralized trustworthy logging will, by design, never be available to local SSCDs. 
  
  
• Non-Repudiation
  While both handwritten signatures and digital signatures can be legally binding, digital signatures can also ensure the non-repudiation of documents. Non-repudiation is an essential property of secure online communication and digital signatures. It provides proof of data integrity. The recipient of a signed message can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory, who has signed some information cannot at a later time deny having signed it.
  
  When a hash of a document or data is encrypted with the public key, only the corresponding private key can decrypt it. On the other hand, when a private key is used to encrypt the hash of the document. Anyone can verify the authenticity of the data with the corresponding public key. In terms of central signing solutions, secure, tamper-evident usage logs also provide further evidence to the support non-repudiation.
  
  
• WYSIWYS Functionality
  What You See Is What You Sign (WYSIWYS) is another property of some digital signature solutions, which establishes trust and confidence. It ensures that the semantic content of a signed message cannot be changed, either by accident or by intent. It also ensures that a message cannot contain any hidden information that the signer is unaware of. 
  
  The signatory will be able to visually inspect exactly what is being signed and all parties can be confident that no unauthorized changes can be made to the signed data.

Simple, Flexible and Cost-efficient

Any central signing solution should be an enabler for offering convenient services while reducing overheads. Digital signature services should provide a simple and fast service for end-users, and offer service providers low per-unit cost and allow them to leverage existing technology. The total cost per user should remain way below compared to legacy SSCD devices.

Make PKI transparent for the end user

To give the best usability, a digital signature service should abstract the complexity of PKI. It should manage the key generation and certificate management process without showing the end user the policies or life cycle management processes. Users should only experience and see the signature concept. Full mobility should be offered to the end-user who need not care about technical issues such as key storage, lifecycle management or middleware installation.

Leverage existing 2 Factor Authentication deployment or tokens

With some central signing services, the user will retain full control over their private signing key from anywhere in the world using strong authentication. Using one common platform that shares the security infrastructure can eliminate the need for users to carry several authentication mechanisms in order to securely authenticate themselves on different websites or applications. 

References and further reading

• Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Asim Mehmood, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
• Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more

• Digital Signature Standard (DSS) definition (2007) by Techtarget  
• Product White Paper: Cryptomathic Signer (2014) by Cryptomathic
• White Paper: Cryptomathic’s Response to Eurosmart Paper on Server Signing (2014) by Cryptomathic