What are the requirements for a secure digital signature?
Since the global health crisis caused by Covid-19, the digital signing of documents has become more important, because conducting our arrangements through electronic media has also become essential.
Adopting cybersecurity measures and policies that let us do our remote work in a reliable way is mandatory at the moment. This is why we need to be aware of which digital signature solutions are truly reliable, and which of them are actually valid in legal terms.
A secure digital signature must strongly bind the identity of the signer to the signed document. At the same time, the issuer of the signature is identified and validated, and the signed content is protected by integrity: any alteration made after signing, whether by a cybercriminal or by anyone else, is detected when the signature is verified.
The result is non-repudiation (the signer cannot later deny having signed) and authenticity for both the signer and the signed document.
The only way to meet these requirements is to base our signature on the cryptographic keys of digital certificates, with the private keys generated, stored and custodied in an HSM (hardware security module), so that they never leave the device in the clear. Such hardware is more trustworthy when it is internationally certified, as is the case with FIPS 140 and/or Common Criteria.
But are all the options called digital signature secure?
Absolutely not. As I mentioned in previous blog posts, we should not confuse the secure digital signature, whose keys cannot be compromised because they are protected in an HSM, with weaker alternatives. It is still common to find organizations that practise this process badly: they use software-based e-signatures, whose private keys sit on a disk or a USB drive and can be copied without the owner noticing, and so they are more exposed to attacks by cybercriminals.
The great difference between the robust digital signature (so called because of its cryptographic technology) and the electronic and digitized signatures is that misappropriation of the digital signature can be said to be practically non-existent, whereas in the case of electronic and digitized signatures usurpation and impersonation are easier for experienced attackers (for example by imitating a scanned handwritten signature, or through the loss or theft of a USB drive holding signature software and keys). In short, it is the difference between compromising security and trust and preserving them.
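As an added illustration, not code from the original post or from any product it describes, the following Go program shows the three properties listed in the requirements above (binding of signer to document, integrity, authenticity) and why the impersonation discussed in the previous paragraph fails against a cryptographic signature. It uses Ed25519 from the Go standard library; the sample contract text, the key pairs, and the helper names (signDocument, verifyDocument, demo) are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Outcome collects the three verification results the post's argument rests on.
type Outcome struct {
	Genuine  bool // original document, signature by the real signer
	Tampered bool // document altered after signing, original signature
	Forged   bool // original document, signature produced with someone else's key
}

// signDocument signs the document bytes with the signer's private key.
// In a deployment that follows the post's advice the private key would live
// inside an HSM and this call would be delegated to it (for example over
// PKCS#11); the key is held in memory here only so the example runs offline.
// A key held in memory or on disk like this is exactly the "software-based"
// key the post warns about: it can be copied without the owner noticing.
func signDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// verifyDocument checks the signature against the signer's public key, which
// in practice is distributed inside the signer's digital certificate.
// Verification fails if either the document or the key differs from what was
// used at signing time, which is how integrity and authenticity are obtained.
func verifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// demo runs the three cases and returns the results so they can be checked.
func demo() (Outcome, error) {
	// The signer's key pair (hypothetical; in production generated inside the HSM).
	signerPub, signerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// An attacker's key pair: someone trying to impersonate the signer.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// Constructed sample document; any bytes (a PDF, an XML invoice) would do.
	doc := []byte("Contract 2020-07: ACME S.A. agrees to pay 10,000 EUR by 2020-08-01.")
	sig := signDocument(signerPriv, doc)

	// Case 2: one digit changed after signing.
	tampered := []byte("Contract 2020-07: ACME S.A. agrees to pay 90,000 EUR by 2020-08-01.")

	// Case 3: the attacker signs the original document with their own key and
	// presents it as the signer's.
	forgedSig := signDocument(attackerPriv, doc)

	return Outcome{
		Genuine:  verifyDocument(signerPub, doc, sig),
		Tampered: verifyDocument(signerPub, tampered, sig),
		Forged:   verifyDocument(signerPub, doc, forgedSig),
	}, nil
}

func main() {
	out, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine document, genuine signer: %v\n", out.Genuine)      // true
	fmt.Printf("altered document, genuine signature: %v\n", out.Tampered)  // false
	fmt.Printf("genuine document, attacker's key: %v\n", out.Forged)       // false
}
```

What the program demonstrates is the cryptographic primitive only. For the signature to carry the legal and identity guarantees the post talks about, the public key used in verifyDocument must additionally be bound to a verified identity by a digital certificate from a trusted issuer, and signerPriv must be kept where it cannot be copied, which is the role of the HSM. A scanned image of a handwritten signature offers none of these checks: copying it produces a "signature" that is indistinguishable from the original, which is exactly the impersonation risk described above.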
To go deeper into this topic, I share the blog posts Electronic signature and digital signature: synonyms or different concepts? and Why do we call the digital signature electronic?
Only the cryptographic digital signature provides robustness in both legal and technical terms, protecting the digital identity of the signer and the veracity of the signed document.
In conclusion, if we want reliability, which is directly tied to authenticity and integrity, we must bet on implementing and using a digital signature model whose value is the same as if we had stamped our own handwritten signature.
Above all, do not think of the digital signature as something transitional due to the current situation; instead, be aware of the cost savings, effectiveness and speed that the digital signature brings to our corporate management, whether administrative, commercial or of any other kind.