A Digital or Electronic Signature is a wonderful thing. It enables us to digitally sign a document in an instant, reduces the amount of paper needed and allows us to speed up signing processes significantly. No more printing documents and chasing whoever is responsible in your workplace to get a wet signature on multiple copies of a document, including an initial on every page.
That is all great, yet will that digital signature remain valid forever? Can it be trusted indefinitely, and aren’t hackers able to tamper with digital signatures and create documents with a forged digital signature? These are all very valid and important questions to ask, and a particularly important aspect of this question is the “when?”. Immediately after signing a document digitally with your eID card, for example, you can be sure everything is ok. But what about a document you sign today that still has a legal purpose 5, 10, 20 or even 50 years from now?
Therefore, not only does the actual digital signature need to be secure, but the secure storage of a digital signature is possibly even more important.
In this article we’ll go more in depth on the technical implications and reasons why the preservation of a digital signature is of key importance.
How exactly does a Qualified electronic digital signature work?
We will use the example of signing a document with your eID. Assume you received a contract to be signed from your bank and you’ll sign it using your favorite PDF reader software. When you choose to sign the document:
- The software will calculate the cryptographic hash on the data to be signed.
- Next the software will ask you to provide the eID card to generate a signature
- The software asks the user to enter the PIN code (2-factor authentication)
- The card generates the digital signature on the cryptographic hash of the document
- The application collects the digital signature provided by the eID card
- The application stores the digital signature, for example embedded in the document (pdf)
- The secure hash calculated on the document.
- The asymmetric encryption using PKI technology used by the eID card to generate a signature
- The use of certificates (e.g., X.509v3 qualified certificate) for generating a qualified advanced signature.
QeA: Why does preservation matter?
When receiving a digitally signed document, it is possible to check the validity of the document and digital signature. If the signature validation is successful, then we can assure ourselves that the document hasn’t been changed after the signature and that we can identify who has signed the document. What will we do in 5 years, or 10 or 20 years? We can try to validate the signature again; however, there is a good chance that the certificate used in the signing process has expired. At this point we can no longer do a correct validation of the signature. What if the document was signed with an eID which has been stolen after signing? The certificate will be revoked, and you can no longer validate the signature. What if a cryptographic weakness was found in the cryptography used and it is now possible to create fake signatures? Can you still trust signatures making use of that technology? In this case you should assume that all signatures affected by that weakness are no longer valid. Anyone could generate fake signatures and provide you with so-called signed documents.
Either way, no matter what technology is used, there will be a time when a signature can no longer be validated. This is where the preservation of digital signatures (and documents in general) becomes important. Fortunately, there are solutions to the problem.
Evidence creation
As soon as you validate a digital signature you know you have a document that has been signed and can serve as legal evidence. As discussed, the act of validating the signature in the future will at some point become impossible, either in the long term (certificate expiration) or in an unpredictable timeframe (cryptography algorithm broken or certificate revocation). As such it is important to log the act of validating the signature itself. This means that at the time of validating the signature it is important to log the time of validation and store it with the validated document and signature. Obviously, it is not enough to just write down a note saying the document and signature have been validated, as this could easily be forged or added later. Again, you need to prove that this has been done. Proving that you have actually done the validation can be done using a Qualified Timestamp.
Qualified Timestamp
Timestamping a document is the process where a date and time (timestamp) are bound to that document. The date and time are requested from a qualified timestamp provider. This is a trusted service provider that guarantees an accurate and correct timestamp. Similar to when signing a digital document, the steps are as follows:
- A cryptographic hash of the document is created
- The cryptographic hash of the document is provided to the timestamp authority
- The timestamp authority signs the cryptographic hash including the actual time of signing
- The signed result is provided back to the submitter.
Is a single timestamp enough?
No, it is not. Just like with the digital signature itself, the validity of a timestamp can be questioned over time. Again, it makes use of cryptographic algorithms which may be broken over time. The Qualified Time Stamp Provider is again using certificates to sign the hashes. As we know, certificates expire and can be revoked as well. Therefore it is necessary to repeat this process and timestamp documents on a regular basis as time goes by. If we keep timestamping the documents again, together with the additional information of previous timestamps, we actually create a chain of evidence records that provides undeniable evidence that those documents haven’t changed over time. It is critical to not just timestamp the document itself over and over again, but to always timestamp the previous result. Therefore, we create a hash over all previous information, including it in the evidence chain.
With new timestamps in the future, we can upgrade the cryptographic algorithms and make sure all certificates used by all parties involved have an expiration date sufficiently far in the future. In this way we can protect ourselves against the problems that we already discussed, i.e., the cryptographic algorithms being compromised, or certificates expiring or being revoked. Compiling this kind of evidence chain allows us to prove that, at every point in time, the document hasn’t changed and that we have used cryptographic algorithms that were state of the art at the time of creating the evidence record.
Qualified electronic Archiving
It is clear that carrying out all the steps discussed to correctly preserve a digital signature is not a trivial process. This is where a QeA solution shines. As the receiver of a digitally signed document, it is important to have the document ingested into the archive as quickly as possible. As soon as a digital signature is preserved by the archive, you can rest assured that:
- The document is stored correctly
- The signatures in the document are validated
- All relevant information is timestamped correctly upon ingest
- Timestamps are renewed at regular intervals before problems with encryption or expiring certificates become an issue.
- The digitally signed data
- The digital signature on the data
- A proof of validity of the signature (timestamped signature validation report)
- Timestamp renewals before the validity of earlier timestamps can be questioned.
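The renewal chain described under “Is a single timestamp enough?”, which the archive maintains on your behalf, can be sketched as follows. This is an added example, not code from the article or from any QeA product: the timestamp authority is a constructed stand-in that signs with an HMAC key instead of a certificate, and the names `TSA_KEYS`, `timestamp`, `renew`, `verify` and `check_replaced_first_token` are hypothetical.

```python
import hashlib, hmac, json

# Constructed stand-in keys: a real TSA signs with a certificate-backed private key.
TSA_KEYS = {"tsa-2024": b"constructed-key-1", "tsa-2034": b"constructed-key-2"}

def canonical(obj):
    """Deterministic byte encoding so hashes are reproducible."""
    return json.dumps(obj, sort_keys=True).encode()

def timestamp(tsa_id, algo, data, when):
    """TSA side: hash the data, bind the time to the hash, sign both."""
    token = {"tsa": tsa_id, "algo": algo, "time": when,
             "digest": hashlib.new(algo, data).hexdigest()}
    token["sig"] = hmac.new(TSA_KEYS[tsa_id], canonical(token), "sha256").hexdigest()
    return token

def renew(chain, document, tsa_id, algo, when):
    """Timestamp the document together with every earlier token, not the document alone."""
    return chain + [timestamp(tsa_id, algo, document + canonical(chain), when)]

def verify(chain, document):
    """Return -1 if the whole chain holds, else the index of the first bad token."""
    for i, token in enumerate(chain):
        body = {k: v for k, v in token.items() if k != "sig"}
        sig = hmac.new(TSA_KEYS[token["tsa"]], canonical(body), "sha256").hexdigest()
        digest = hashlib.new(token["algo"], document + canonical(chain[:i])).hexdigest()
        in_order = i == 0 or chain[i - 1]["time"] < token["time"]
        if not (hmac.compare_digest(sig, token["sig"])
                and digest == token["digest"] and in_order):
            return i
    return -1

# Constructed sample: signed document plus its signature validation report.
DOCUMENT = b"contract.pdf bytes | embedded signature | validation report"
CHAIN = renew([], DOCUMENT, "tsa-2024", "sha256", "2024-01-01T00:00:00Z")
# Ten years on: renew with a newer TSA key and a stronger hash algorithm.
CHAIN = renew(CHAIN, DOCUMENT, "tsa-2034", "sha3_512", "2034-01-01T00:00:00Z")

def check_replaced_first_token():
    """Someone holding the old 2024 key re-issues token 0 for altered content;
    the 2034 token still covers the original token 0, so index 1 fails."""
    altered = DOCUMENT + b" | altered clause"
    fake = timestamp("tsa-2024", "sha256", altered + canonical([]), CHAIN[0]["time"])
    return verify([fake, CHAIN[1]], altered)

if __name__ == "__main__":
    print(verify(CHAIN, DOCUMENT), verify(CHAIN, DOCUMENT + b"x"),
          check_replaced_first_token())
```

Because each renewal hashes the document plus all earlier tokens, a later loss of trust in the 2024 key or in SHA-256 does not weaken the record as long as the 2034 token was applied before that happened.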
Legal Framework
A QeA is not only a technological solution but is also backed and defined by a strong legal framework to guarantee the authenticity, integrity, and thus trust for all the preserved records. The need for long-term preservation is acknowledged, amongst others, in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market [i.2], as can be seen in recital (61): “This Regulation should ensure the long-term preservation of information to ensure the legal validity of electronic signatures and electronic seals over extended periods and guarantee that they can be validated irrespective of future technological changes.”
In general, qualified preservation of digital signatures is implemented in EU and worldwide laws, standards, and regulations. The most common and proven standards are the following:
- ETSI TS 119 511: Policy and security requirements for trust service providers providing long-term preservation of digital signatures or general data using digital signature techniques.
- ETSI EN 319 401: Electronic signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers.
- eIDAS Regulation:
  - Article 34: Qualified preservation service for qualified electronic signatures
  - Article 40: Validation and preservation of qualified electronic seals