
An electronic signature is a proven, reliable and, importantly, legally recognized way of confirming the authorship and integrity of a document. Unfortunately, it is not always convenient for users to work with keys and certificates. Try inserting a smart card into your iPad or smartphone. Of course, manufacturers come up with all sorts of tricks, such as smart cards in a microSD form factor or Bluetooth tokens, but these do not always meet users' expectations.
I would like to talk about a more convenient way of producing an electronic signature.
What can be done
Of course, an electronic signature is impossible without a certificate. But does the user need to hold his own keys in order to use them and, for example, sign documents? Most information security specialists will answer that the user must hold the keys and that this is the only way he can produce a signature. Until recently I would have said so myself, until I came across a class of products that provide a cloud signature. Yes, the word "cloud" has been so worn out by marketers that, for example, I am always very skeptical of any information in which it occurs. However, it is difficult to come up with a better term.
The cloud signature server itself performs all the necessary actions. The user only needs to give it the necessary instructions, and the most important thing the user has to do is authenticate.
The obvious advantage of this approach is that the Secure Element moves from users, who are not very good at properly storing and using all sorts of smart cards, to the server. There the key material can be stored under the protection of an HSM. In itself this is not much different from storing keys on a smart card or token. But, you will agree, it is much harder to teach every user to store key material properly than to ensure an adequate level of security for a signature server. In addition, a modern HSM provides good facilities for proper handling of key material out of the box.
In this case the question of user authentication becomes very acute. Multifactor authentication is indispensable here. Today there is already a wide choice of strong authentication methods, for example one-time passwords or biometrics. With proper configuration, strong authentication provides a level of trust in the user no lower than when the user presents the certificate himself.
In practice
Imagine that a user needs to sign a document with his digital signature. The user authenticates to the signature server by providing his login, password and a one-time code. Then the user simply sends the document he wants to sign, and the remote server does everything itself. The document is signed with this user's certificate (in fact, of course, with the corresponding private key).
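The flow above, as an added example that is not part of the original post: a minimal cloud signature server that keeps the user's private key on the server side and only signs after login, password and a one-time code (RFC 4226 HOTP over a 30-second step) all check out. Names such as signServer, enroll and sign are hypothetical; Ed25519 keys stand in for the user's certificate, and plain SHA-256 stands in for a proper password KDF.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// hotp is the RFC 4226 code; passing time/30 as the counter gives a TOTP code.
func hotp(secret []byte, counter uint64) uint32 {
	mac := hmac.New(sha1.New, secret)
	binary.Write(mac, binary.BigEndian, counter)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// user is the server-side record; priv never leaves the server (an HSM in a real deployment).
type user struct {
	pwHash    [32]byte // plain SHA-256 for brevity; use a slow KDF such as Argon2 in practice
	otpSecret []byte
	priv      ed25519.PrivateKey
}
type signServer struct{ users map[string]*user }

// enroll generates the user's key pair and OTP secret; the public key stands in for the certificate.
func (s *signServer) enroll(login, password string) (ed25519.PublicKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	secret := make([]byte, 20) // constructed at enrollment, handed to the user's authenticator app
	rand.Read(secret)
	s.users[login] = &user{sha256.Sum256([]byte(password)), secret, priv}
	return pub, secret
}

// sign is the only operation the client can request; one generic error avoids user enumeration.
func (s *signServer) sign(login, password string, code uint32, now int64, doc []byte) ([]byte, error) {
	u := s.users[login]
	if u == nil {
		return nil, errors.New("authentication failed")
	}
	h := sha256.Sum256([]byte(password))
	step := uint64(now / 30) // accept the current and the previous step for clock skew
	if subtle.ConstantTimeCompare(h[:], u.pwHash[:]) != 1 ||
		(code != hotp(u.otpSecret, step) && code != hotp(u.otpSecret, step-1)) {
		return nil, errors.New("authentication failed")
	}
	return ed25519.Sign(u.priv, doc), nil
}
```

The client never sees the private key; it only receives the signature, which anyone holding the public key (the certificate) can verify.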
Why is this better?
To dispel doubts, you only need to answer one question: why do we need an electronic signature? It is needed in order to be sure that the signature was applied by its owner and to ensure integrity. The first is successfully achieved by multifactor authentication; a good example of its use is Internet banking. Integrity, of course, is also ensured by the very signature that the server applies.
Users become more mobile and no longer have to deal with all sorts of key generation and certificate renewals. Checking for revoked certificates becomes simpler. No additional time stamping is required. All in all, quite a few advantages.
Something similar already exists
A similar process of moving the Secure Element to the cloud can now be observed in the field of electronic payments. Host Card Emulation technology allows a payment card to be emulated on a smartphone without being tied to a Secure Element, as was previously required. The Secure Element is moved to the cloud of the bank or of the so-called Token Service Provider. This approach greatly simplifies the development of mobile payments and removes the need to build a trust relationship between smartphone makers and banks.