Digital signature: how it works and how to get it

The digital signature is the tool to sign digital documents of various kinds, from electronic invoices to company financial statements.

In this article we explore the subject in more depth, covering what the digital signature is for, how and where to request it, and when its use is mandatory.

What is the digital signature and what is it for

Let's start our guide by specifying that the digital signature is not a simple electronic signature, but a computer-based procedure built on cryptographic keys, which gives legal value to electronic documents and is defined as a qualified electronic signature. According to the law, an IT document is "the computer representation of legally relevant deeds, facts and data". The digital signature guarantees the identity of the person who signs and the integrity of the document, which, once signed, cannot be modified or repudiated.

As stated in the Digital Administration Code, "the affixing of a digital signature integrates and replaces the affixing of seals, punches, stamps, marks and trademarks". In other words, it satisfies all the requirements of the written signature.

Specifically, we can distinguish between electronic signature, advanced electronic signature, qualified electronic signature and digital signature. The "simple" electronic signature has no legal value, while the qualified electronic signature certifies the integrity of the document. The qualified signature, on the other hand, certifies both the originality and the integrity of the documents, but it is the digital signature that has full legal value.

Therefore, it has the same value as the handwritten signature. It is used to sign and validate contracts, administrative documents, company financial statements, declarations, self-certifications, surveys.

It allows you to save time and reduce waste, reducing the cost of keeping the document; the dematerialization of documents, in fact, helps to streamline the practices of Public Administrations and companies.

The digital signature must have three precise requirements:

Authenticity: in addition to verifying the identity of the person who has signed, it certifies that the document is original and that whoever signed it is aware of its content

Integrity: the document, from the moment it was signed, has not undergone any modification

Non-repudiation: whoever signed the document cannot deny it (can only

The signature can be affixed to documents of various formats, including .rtf, .jpg, .txt, standard ASCII, .xml.

Digital signature: how it works

As mentioned, the digital signature works through a mechanism of cryptographic keys. At the time of purchase, the holder obtains two cryptographic keys: one public and one private.

The certifier, i.e. whoever grants this type of signature, assigns a public key, a binary number of 2048 bits, to the applicant. The public key is known to everyone, while the private key is for the exclusive use of the holder.

What the holder encrypts with the private key can be decrypted with the public key.

Let's go into more detail and see how the digital signature works.

The procedure for affixing the signature begins with the calculation of the document's digital fingerprint, obtained by applying a hash function to the document. The fingerprint is a string of letters and digits, 64 characters long, and is in practice unique for each document: finding two different files with the same fingerprint is computationally infeasible. In fact, modifying a single bit of the document is enough to generate a different fingerprint.

Once the document hash has been obtained, we can proceed with the encryption and generation of the signature using our private key. The software sends the document to the environment where the private key is stored, which is activated by a PIN code assigned to the holder; in the case of remote signature, in addition to the user name and password, the OTP code must be generated with the appropriate device. The encrypted fingerprint, that is, the encrypted output of the hash function, becomes the electronic signature of the document. The recipient of the document can decrypt it using the public key.

The recipient of the document, using specific software, verifies the digital signature and acquires the holder's public key, with which he decrypts the signature string, thus obtaining the fingerprint of the document. The recipient then applies the hash function to the document and recalculates the fingerprint, which must coincide with the original fingerprint: in this case, there is proof that the document is valid and intact.
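The hash, sign and verify steps described above, as an added example (not code from the original article or from any signature product). It assumes SHA-256 as the hash function, which matches the 64-character fingerprint, and RSA with PKCS#1 v1.5 padding; the demo key and the sample document are constructed.

```python
import hashlib

# Constructed demo key: both primes are publicly known Mersenne primes, so this
# key offers no security. A real key (2048 bits on this page) is built from
# random primes, and its private half never leaves the smart card or token.
P, Q, E = 2**1279 - 1, 2**607 - 1, 65537
PUBLIC_KEY = (P * Q, E)
PRIVATE_KEY = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))

# ASN.1 DigestInfo header that labels the digest as SHA-256 (RFC 8017, 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def fingerprint(document: bytes) -> str:
    """Digital fingerprint: SHA-256 digest as 64 hexadecimal characters."""
    return hashlib.sha256(document).hexdigest()


def encode(document: bytes, n: int) -> int:
    """Pad the fingerprint to the key length (EMSA-PKCS1-v1_5 encoding)."""
    t = SHA256_PREFIX + bytes.fromhex(fingerprint(document))
    key_len = (n.bit_length() + 7) // 8
    if key_len < len(t) + 11:
        raise ValueError("key too short for a SHA-256 signature")
    padding = b"\xff" * (key_len - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + t, "big")


def sign(document: bytes, private_key) -> int:
    """Signer: apply the private exponent to the padded fingerprint."""
    n, d = private_key
    return pow(encode(document, n), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Recipient: undo the signature with the public key, recompute the
    fingerprint from the received document, and require an exact match."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == encode(document, n)


if __name__ == "__main__":
    doc = b"Invoice 2020/17 - total due: 1,250.00 EUR"  # constructed sample
    sig = sign(doc, PRIVATE_KEY)
    print(fingerprint(doc))
    print(verify(doc, sig, PUBLIC_KEY))                              # True
    print(verify(doc.replace(b"1,250", b"9,250"), sig, PUBLIC_KEY))  # False
```

The verifier rebuilds the padded fingerprint and compares it whole instead of parsing the decrypted value, which avoids the lenient-parsing mistakes that have led to forged PKCS#1 v1.5 signatures in the past.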

How digital signature is used

We have seen how the digital signature affixing procedure works from an IT point of view. Now let's see how to apply the process in practice.

First of all, anyone who wants to have a digital signature must purchase a special kit from one of the certifying bodies (the list can be found on the Agenzia delle Entrate website) or request it from the nearest Chamber of Commerce.

The kit is usually a USB token complete with software; most certifiers also offer the possibility of purchasing a smart card with a special reader. The digital signature can also be affixed through functions such as the generation of OTP codes (One Time Password). Among the kits available we also find the USB OTP, consisting of a USB device and a SIM. Each provider proposes its own kit and its activation procedure.

Once purchased, the kit must be activated, following the procedure indicated by the provider. If necessary, software and drivers must be updated. By starting the program, you can select the file to be digitally signed, choosing the format you want: P7M, which contains both the original file and the electronic signature file; PDF, which bears the signature on the document; or XML. PDF is the recommended format.

It should be remembered that, when purchasing the digital signature, personal identification is required, which can be done by a public official in the Municipality, in a post office or at home, even via webcam. Several documents can be used: in addition to the identity card and the driving license, the electronic identity card, the pension booklet, the passport and other documents are valid.

Software for verifying electronic signatures ensures that the document has not undergone changes, that the certificate is guaranteed by a certification authority included in the public list, and that it has not expired or been suspended. During the signing phase, you will be asked for the smart card PIN (while the recipient will not need it).

By applying a time stamp, we associate a certain date and time with the document, ensuring its validity over time. The time stamp, therefore, allows you to certify the exact date on which the signature was applied.

Having said that, let's see how one of the most popular signature programs, DIKE, is used. After checking that the smart card is properly inserted in the reader, click on "Signature". Once the file to be signed has been selected, the p7m CAdES signature must be selected from the drop-down menu. Now it's time to enter the smart card PIN and click Sign. At this point the software generates a file with the .p7m extension in the folder that contains the original file. To be sure of the signature, it is necessary to wait for the message "Document signed".




Where is the digital signature used

The digital signature is used to sign electronic documents and give them legal value: compared to the traditional signature, it gives more guarantees of security and authenticity. It can be used in all documents that record an expression of will or the fulfilment of an obligation: changes of residence, requests for contributions, exemptions from payments, signing of contracts and minutes, responses to calls for tenders and all cases where it can replace the traditional handwritten signature.

There are also cases in which the digital electronic signature is mandatory: we cover this topic in a dedicated section below.

How and where to request a digital signature

To have a digital signature, you must contact a recognized certification body: you can find the list on the Revenue Agency website; alternatively, you can inquire at the nearest office of the Chamber of Commerce. Providers offer various solutions: kits, smart cards plus reader and software, or devices that take advantage of the OTP. Both the kit and the smart card contain a renewable digital signature certificate. The remote digital signature uses the One Time Password system.

The difference between the kits with USB token and reader with smart card and the remote digital signature with OTP is that the USB key can also support the Certificate of Carta Nazionale dei Servizi, does not need a connection to the web and, in the case of an automatic token, does not even require software. The smart card with CNS allows you to access the online services of the Revenue Agency.

As mentioned, when purchasing the digital signature, you must be identified, even through video; in addition, you must have a valid identity document with you. If you belong to a professional order or hold a role in a public body, you will be asked for additional documentation.

Qualified providers: the costs of obtaining the digital signature

So let's see some of the leading qualified and certified providers offering their own digital signature kits and services.

Actalis

Actalis is part of the Aruba group, one of the largest in the sector, and can boast eIDAS and ISO certifications. Actalis offers digital, qualified, remote (i.e. using OTP devices) and graphometric signature services, with different types of kits available to the customer (complete kits, smart card + reader, OTP), with prices ranging from 25 to 60 euros.

Aruba Pec

Aruba's certified e-mail and digital signature service includes kits and OTP devices starting from around 36 euros plus VAT. The available kits consist of a reader and smart card, Aruba Key or the USB token. Aruba also offers the possibility to purchase only the smart card. Among the services, we find digital signature, graphometric signature, bulk automatic signature and remote signature.

Aruba is one of the best known companies for IT services, the first in Italy, and can boast over 5 million customers.

Cedacri

Cedacri specializes in the financial, banking and insurance sector: it can boast various ISO certifications and over 200 customers. Cedacri has been part of the Public List of AgID (Agency for Digital Italy) since 2001 as a Certification Authority. Services include digital signature, remote signature and even biometric signature. To find out about the prices, please contact the company.

In.Te.Sa.

Part of the IBM group, In.Te.Sa offers simple and advanced electronic digital signature services, remote signature and graphometric signature, focusing above all on business customers. The company has been an AgID Accredited Certifier since 2001 and a Qualified Trust Service Provider under the eIDAS Regulation.

Infocert

Infocert is a brand of the Tinexta Group specialized in dematerialization services, including digital form. Among the digital signature kits, we find the wireless Key and the Business Key. It is also possible to choose remote signature or purchase of the smart card. The identification of the applicant's identity is also available via video. Prices start at 29 euros + VAT.

Poste Italiane

The Poste Italiane group is also part of the accredited certification bodies and offers kits for individuals and businesses, intended for public administrations and businesses.

The costs for the digital signature range from about 25 to 60 euros, excluding VAT.

Zucchetti

The well-known Italian software house Zucchetti offers digital signature and remote signature services for individuals and companies. The costs for the remote signature are around 45 euros plus VAT, while the Business Key costs 60 euros plus VAT. Among the services, we also find time stamps and PEC.



For whom and when the digital signature is mandatory

Not all VAT number holders are required to have it. However, there are situations in which professionals and businesses must use it by law.

Electronic invoicing to the Public Administration (PA), first of all, involves the use of certified signature and PEC: in the case of collaborations with municipalities, regions, schools and public hospitals, businesses and professionals must have a digital signature.

It is also mandatory to participate in competitions and public tenders.

Financial statements, deeds and official documents of companies and associations must be digitally signed. Registration in the registers of Auditors also requires its use. Furthermore, from March 2, 2020, the obligation to digitally sign has applied to filings submitted to the Register of Companies.

In reality, as already mentioned, not only can this type of signature replace the handwritten signature in all cases, but the tendency to dematerialize and save paper will lead everyone to adopt this tool. So, especially if you are a self-employed professional with a VAT number, having an accredited digital signature is a wise choice, especially for the future.


