How do I know that an electronic signature is secure?

It is completely nonsensical to create a document using office software on a computer, print it out, sign it, fold it into an envelope, and send it or even personally deliver it to the recipient for their signature. And when we receive the signed document back, it also makes no sense to scan it again, save the scan in an electronic repository, and store the original where we usually store documentation. 

The electronic signature - the term "digital signature" is also commonly used - saves us several steps in the logistics described above, as well as time to actually conclude the deal with the client. Of course, in doing so, we often ask ourselves:

Is an electronic signature secure?

First of all, let's explain the concepts of an electronic and a digital signature. To call it an electronic signature, it is sufficient to use any arbitrary electronic (signing) tool and sign it, or for example, sign on regular paper, capture (scan) the signature, and use it for signing documents by pasting it onto the document in an office program. This method is electronic, but it is certainly not secure.

A digital signature represents a form of electronic signature that is based on a complex structure of public keys (Public Key Infrastructure or PKI for short). PKI creates a private and public (cryptographic) key for secure signature management. The private key is a secret data that is known only to the signer, while the public key is accessible to everyone who verifies the e-signature or its authenticity.

When a signer electronically signs a document, they leave behind a unique "fingerprint," a cryptographic hash value. This value is encrypted by a special cryptographic algorithm using the sender's private key, added to the document, and sent to the recipient (possibly together with the sender's public key). The recipient then uses the sender's public key (which is publicly available as part of the sender's digital certificate) to first decrypt the received hash value in the document and simultaneously generate a value directly from the received document (using the same cryptographic algorithm that the sender used to create the fingerprint). Both values (the one obtained by decryption and the one obtained directly from the document) are compared, and if they match, the authenticity of the signature and the absence of any tampering with the document are confirmed.

The Public Key Infrastructure represents a slightly more complex structure as it ensures that the public keys of signers are part of digital certificates and that signers or holders of digital certificates are appropriately (personally) verified. Only in this way can we trust that a public key (and its private pair) belongs to a specific individual. Such a certificate is issued by a certification authority that guarantees, through its signature, that everything is in order and that the key pair holder is identified.

What does a legislation say about e-signatures?

Both domestic and international legislation address the security aspects of electronic (digital) signatures. At the international level, the Regulation eIDAS (electronic IDentification, Authentication, and trust Services) primarily ensures the legal compliance and consequently the security of electronic signatures within the European Union. This regulation defines an electronic signature as a set of data in electronic form that is attached to or logically associated with other electronic data and used by the signatory for signing.

The eIDAS Regulation distinguishes three types of electronic signatures:

• Electronic signature (ES) represents the most common type of electronic signature because it is the easiest to use and does not require any identity verification (such as typing your name at the end of an email) and uses basic e-signing tools.
• Advanced electronic signature (AES) is created based on data for generating an electronic signature, which the signer can use under their exclusive control with a high level of trust. Any subsequent changes to the data are noticeable.
• Qualified electronic signature (QES) is based on a combination of a qualified digital certificate from a qualified trust service provider (certification authority) and a dedicated electronic device or purpose-built signature solution, such as a smart card, SIM card, USB key, or remote signature solution. 

You can electronically sign various types of documents, such as contracts, board documents, insurance policies, bank loan agreements, logistics documentation, medical records, lease agreements, HR documentation, purchase orders, delivery notes, project reports, technical documentation, non-disclosure agreements, handover reports, and more.

However, the choice of which electronic signature to use depends on the type of documentation and the business risk associated with it. For certain documents, legislation mandates the use of a qualified electronic signature, while in cases where you regularly collaborate with someone or have authenticated them in the past, the highest level of reliability may not be necessary.

The higher the required reliability, the more cumbersome the use. In certain environments, it can even be impractical (using dedicated devices), so various derivatives are available that are at least as secure but more user-friendly (remote signature, handwritten electronic signature).

Trust services, including providers of qualified electronic signature certificates compliant with the eIDAS Regulation, are included in a trusted list of qualified trust service providers in the EU.

In Slovenia, parallel legislation to European law exists, which regulates the secure electronic storage of documentary material (Law on the Protection of Documentary and Archival Material and Archives, ZVDAGA). This part of the legal framework provides a basis for converting paper material into electronic format, and if the conversion is trustworthy, the original is discarded, leaving only the electronically created version. In the same way, handwritten signatures can be progressively converted into electronic ones using dedicated signature tablets. If such a signature capture is conducted in a secure environment in accordance with the organizational measures recognized by ZVDAGA (and subordinate regulations) and is securely incorporated into an (electronic) document, it is considered fully equivalent to manually signing a paper document (which is then converted - though the conversion of the entire document is no longer necessary).

Can anyone forge my digital signature? 

As previously mentioned, a secure audit trail is stored behind every digital signature, which includes the entire signing process history and the connection between the person and the e-signature. Certain forms of signature, such as digital signatures, utilize cryptographic algorithms that reliably encrypt signature elements, making it practically impossible to decipher or break the encrypted record. This level of protection is employed by advanced electronic signatures, qualified signatures, and even handwritten electronic signatures created with a signature tablet (and with the help of a qualified signature or seal).

Therefore, the answer is no. Unlike a traditional handwritten signature with ink, which can be imitated by anyone with a bit of skill, no one can forge your electronic signature due to carefully integrated levels of security, authentication, and advanced cryptography. Furthermore, no one can modify a single character of the document without immediate detection.

Of course, the signer must take appropriate measures to ensure the security of electronic means for e-signing. The private key used for (qualified) signing must be securely stored on a dedicated device (and the device itself must be securely stored). When using remote signing or cloud-based signing, the signer must diligently safeguard their access credentials. Typically, the signer receives an email addressed to them with a link to the document. To access the secure vault where the document is located and sign it in a secure environment, the signer must also verify their identity. Various options serve this purpose, depending on the type of signature, the device used for signing (computer, tablet, phone), the required security level (low, medium, high), and other factors. The aim is always to ensure a secure method so that no one else can access and sign the document in place of the signer or on their behalf.

And how does an electronic signature fare in court?

According to European legislation, virtually any verbal, written, and electronic bilateral agreement is binding, and a handwritten signature is not the sole requirement for confirming the validity of an agreement. In the European Union, an electronic signature is legally binding and, if compliant with the eIDAS Regulation, can be used as evidence in European courts.

Therefore, if you have electronically signed a contract with a business partner who fails to uphold the agreement, the law is on your side. As mentioned, a qualified electronic signature has the same legal validity as a handwritten one by default, allowing you to enforce your rights under the contract in court without difficulties. Moreover, the authenticity of the signature can be easily verified due to the audit trail.

Another aspect of the security of electronic signing is the safety of your health. You have probably found yourself in a situation where you had to sign a stack of papers all at once. Electronic signing is also friendly to your wrist.

BetrSign® is a simple and user-friendly e-signing service developed by the Slovenian company SETCCE . It provides you with the option of remote signing with various levels of security, in-person electronic signing at point-of-sale using signature tablets and screens, or cloud-based qualified signing using secure devices and electronic identity cards.

Try it for FREE and experience the security and legal compliance of remote electronic signing today.