Digital Signatures: Today's Challenge
The concept of a signature has been with us for centuries as a means to establish the authenticity of documents. But as paper documents are steadily replaced by electronic documents and as other digital assets such as messages, transactions, digital content, and software proliferate across every type of organization, new types of controls are needed. Electronic versions of traditional signatures and watermarks provide some benefits but lack the security properties to play a role in compliance reporting and support legal challenges. As organizations adopt a more service oriented approach to business processes and integrate with cloud-based resources, they need provably reliable ways to validate the authenticity and integrity of these electronic items; more specifically, they need to attest that these items have not been changed maliciously since they were created. Furthermore, when it comes to digital transactions, organizations need to establish a means of non-repudiation—the ability to hold parties accountable for the transactions they execute. In the end, a legal contract executed online, for example, should be as ironclad as one executed in person before witnesses. To meet these goals, organizations use digital signatures.
Digital signatures go beyond electronic versions of traditional signatures by invoking cryptographic techniques to dramatically increase security and transparency, both of which are critical in establishing trust and legal validity. As an application of public key cryptography, digital signatures can be applied in many different settings, from a citizen filing an online tax return, to a procurement officer executing a contract with a vendor, to an electronic invoice, to a compliance officer signing an audit log or a software developer publishing updated code.
Multiple technologies are available for creating and verifying digital signatures. While organizations can choose the specific approaches that meet their needs, they will confront a set of common challenges:
- Without effective digital signing solutions, organizations may not be able to take full advantage of efficiencies and cost reductions to be gained by automation of formerly manual processes, causing them to lose competitive advantage.
- Legally accepted standards for digital signatures are constantly evolving, and can vary from region to region and for different applications, so organizations should become familiar with the specific digital signing laws that apply to their processes.
- Signatures often need to be validated by parties other than the one that originally signed the item, so they must convey trust across multiple domains, which involves the use of trusted third parties.
- Many digital signing processes incorporate a timestamp, making the availability of trusted time an important ancillary requirement.
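The integrity, authenticity and timestamp properties described above (public key signing in the second paragraph, trusted time in the last list item) can be seen in a small worked example. The following Go program is an added illustration and is not code from Thales or from any product on this page: it uses the Ed25519 scheme from Go's standard library, binds a caller-supplied signing time into the signed input (a stand-in for the trusted time source the text refers to), and shows that verification fails when the document, the timestamp or the verifying key is changed. The `SignedItem` structure and the invoice text are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// SignedItem bundles a document with the time it was signed and the
// signature over both. Hypothetical structure for this example only.
type SignedItem struct {
	Document  []byte
	SignedAt  int64 // Unix seconds; in practice taken from a trusted time source
	Signature []byte
}

// signingInput binds the timestamp to the document so that neither can be
// altered independently without invalidating the signature.
func signingInput(doc []byte, signedAt int64) []byte {
	buf := make([]byte, 8, 8+len(doc))
	binary.BigEndian.PutUint64(buf, uint64(signedAt))
	return append(buf, doc...)
}

// SignDocument produces a SignedItem using the signer's private key.
func SignDocument(priv ed25519.PrivateKey, doc []byte, signedAt int64) SignedItem {
	sig := ed25519.Sign(priv, signingInput(doc, signedAt))
	return SignedItem{Document: append([]byte(nil), doc...), SignedAt: signedAt, Signature: sig}
}

// VerifyItem checks the signature against the signer's public key. It returns
// false if the document, the timestamp or the signature has been changed.
func VerifyItem(pub ed25519.PublicKey, item SignedItem) bool {
	if len(pub) != ed25519.PublicKeySize || len(item.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, signingInput(item.Document, item.SignedAt), item.Signature)
}

// Demo signs a constructed invoice and reports whether verification succeeds
// on the original, on a tampered copy, and against an unrelated public key.
func Demo() (origOK, tamperedOK, wrongKeyOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	invoice := []byte("INVOICE-0001: pay 1000.00 EUR to ACME") // constructed sample document
	item := SignDocument(priv, invoice, 1700000000)             // constructed signing time
	origOK = VerifyItem(pub, item)

	// Tampering with the document content after signing must be detected.
	tampered := item
	tampered.Document = []byte("INVOICE-0001: pay 9000.00 EUR to ACME")
	tamperedOK = VerifyItem(pub, tampered)

	// A signature is only meaningful relative to the signer's own public key.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	wrongKeyOK = VerifyItem(otherPub, item)
	return origOK, tamperedOK, wrongKeyOK
}

func main() {
	a, b, c := Demo()
	fmt.Printf("original verifies: %v, tampered verifies: %v, wrong key verifies: %v\n", a, b, c)
}
```

Because the timestamp is part of the signed input, a verifier can also reject an item whose claimed signing time has been edited; a production deployment would obtain that time from a trusted timestamping service rather than from the signer, and would keep the private key in an HSM as the page's later sections discuss.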
Risks Associated with Digital Signatures
- If the digital signing process is not secure, attackers can create fake signatures or misuse authentic signatures, bringing the system—and potentially the organization—into disrepute.
- Failure to maintain adequate documentation and certification for policies and practices associated with digital signing and key management could result in signatures failing to be accepted in any given jurisdiction, thereby negating their value to the organization.
- Some digital signing processes can be computationally intensive, slowing down business processes and limiting their ability to scale.
Digital Signatures: Thales e-Security Solutions
Products and services from Thales e-Security can help you create high-assurance digital signing processes that give your organization valuable flexibility in automating, integrating, and hosting critical business processes. By adopting industry best practices and proven technology you can be confident in your ability to stay ahead of the security curve and in your ability to comply with evolving legal standards and regulatory requirements.
Some jurisdictions now require the use of hardware security modules (HSMs) to safeguard digital signing processes. Thales offers proven, independently certified HSMs that meet the highest security standards, provide the capacity and performance you need, and are straightforward to deploy and manage. In addition, our time stamping products provide organizations with a source of trusted time for digital signing applications in which time is an important factor. Finally, Thales also offers a turnkey solution for organizations requiring secure code signing.
- Implement secure digital signing with high-availability solutions appropriate for your most critical processes
- Take advantage of high performance capabilities that can support the most demanding online applications and transaction volumes
- Employ fine grained security controls to enforce policies requiring separation of duties, strong authentication for administrators, and quorum authorized signing operations
- Accelerate deployments—Thales products integrate out of the box with commercial solutions from leading vendors that employ digital signing capabilities
- Utilize globally respected product level security certifications such as FIPS 140-2 to streamline auditing and compliance reporting