About EDS

About electronic digital signature (EDS)

What does a file signed with electronic signature look like? How can you find the signature in the file and verify it? Even those who must use electronic signatures in their work according to the legislation ask questions like these quite frequently.

In fact, this is very simple. If this is the question of transmitting a signed file, the addressee receives two files - the file being transferred and signature file.

The addressee can read the transmitted file in any case but he can verify its integrity and authorship only if he has a mechanism (a device or software) for verifying electronic signatures as well as the sender's public key.

When the addressee receives mail signed by electronic signature (in contrast to an attachment), the mail software will inform him that the mail is signed as well as about the signature verification results.

The very signature verification process is similar to verifying a regular signature on a paper-based document.

It is evident the fact that the message contains a signature does not mean anything. In addition to being signed, the document must be signed by the person authorized to sign it. If you sign an order to be issued by the general director of the company you are employed with, the order is unlikely to take effect if the general director did not sign it. To make sure the document is signed by the person authorized to do so, you need to compare the signature with his or her reference signature (preferably, with the signature from his or her passport). Thus, it is necessary to produce the passport (at least, for the first time).

Electronic signature is a result of cryptographic transformation involving both data from the document being signed and user's data. Therefore, electronic signatures from two different documents will never be the same, and it is no use to compare them with the reference signature. So what shall we do?

This means that to verify an electronic signature, we need to compare something permanent instead of comparing the electronic signatures. It is the user's information that is permanent. However, if you disclose it in full, this would mean you bring to nothing all efforts to ensure safety. That is why a key pair comprising a private and a public key is used as the data for electronic signature. That is, the user's data comprise a private part, which is involved in the signature generation and is not disclosed to anyone, and a public part, which is used to verify the signature.

However, this brings up the question: how can we bring together the public key and the user if there is nothing in the key to define the user? We need a "passport" saying "this public key belongs to this user." Digital certificates act as such passports.

The certificate is installed on the computer only once, and after that all signatures forming a part of mail received from the given user will be verified using the certificate, and the recipient can see whether the signature is valid or invalid.

Certification Authorities (CAs) can act as a third party confirming the relation between the user and his or her public key. SHIPKA PCDST enables you to obtain certificates from certification authorities.

You can use self-signed certificates for private use - to organize secure data interchange by email inside a closed group of people. In general, to rely on the certificate it is enough for the recipient if the sender confirms that it is actually his or her certificate.

To verify the signature of a file but not the email message itself, the sender and recipient must share their public keys in advance. In this case, the recipient will be able to verify the signature using the sender's public key. SHIPKA PCDST features the key export/import option.

Where are the "bottlenecks" in this case? The key pair must be of "high quality" (meaning that no unauthorized persons can read it), the private key must be stored in a safe manner, and the signature generation/verification algorithm must be carried out correctly and under the conditions preventing unauthorized persons from corrupting it.

As it is the case with encryption, SHIPKA provides all this because it is an independent computer designed to encrypt and sign your data.