How secure are electronic signatures?
The most secure form of electronic signature, in terms of both handling and encryption, is the qualified electronic signature (QES). Several safeguards work together to guarantee this security. Learn more in this article.
How qualified electronic signatures are protected
The security and trustworthiness of an electronic signature depends on more than just the encryption technology used. The signature provider and the identity verification process also matter.
Only official trust service providers such as SwissSign are permitted to offer qualified electronic signatures and to carry out the required identity checks. Providers must meet the strict requirements of the Federal Act on Electronic Signatures (ESigA) and demonstrate their conformity in regular audits.
The purpose of identity verification is to make sure that a person is actually who they claim to be. Anyone who wants to sign with a qualified electronic signature must first have their identity verified. This way, the signature can be definitively attributed to a specific person with a verified identity.
Two-factor authentication (2FA)
When a document is signed with a qualified electronic signature, the signature must be confirmed by a second factor. For example, in the signing room of SwissID Sign, the signatory may be asked to approve their signature through the SwissID App by providing biometric data in the form of a fingerprint or facial recognition.
One common misunderstanding about the encryption of electronic signatures first needs to be cleared up. Encryption comes up in the context of "digital signatures", which is not a synonym for electronic signatures. Rather, it is a technical term for the underlying cryptographic process. Electronic signatures are protected using asymmetric cryptography, which guarantees their authenticity and integrity:
- Authenticity: the signature was created by a recognised sender and is valid.
- Integrity: the signed document has not been changed subsequently.
A brief explanation of encryption
When something is encrypted using asymmetric cryptography, the sender creates a unique private key, which only they hold, and a matching public key, which is given to the recipient. This key pair is what enables encryption and decryption. In the case of the electronic signature, what is known as the hash value – a cryptographically generated fingerprint of the document – is stored in encrypted form. The private key is applied not to the document itself, but to its hash value. Because any change to the document produces a different hash value, this makes it possible to prove without any doubt when a document has been manipulated, i.e. changed after the fact.
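To make the hash-then-sign step concrete, here is an added Go example (not code from the article or from SwissSign): it hashes a constructed sample document with SHA-256, applies an ECDSA P-256 private key to that hash, and then validates the result with the public key, showing that a document altered after signing and a signature checked against another person's key both fail. The signatory names and document text are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one signatory. The private key never leaves the signer; validators only
// receive the public key (in practice carried in the signatory's certificate).
type Signer struct{ priv *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Sign computes the SHA-256 hash value of the document and applies the private key
// to that hash, not to the document itself.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Verify is the validator's side: recompute the hash of the document as received and
// check the signature against the public key. Any change after signing alters the hash.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := NewSigner()
	doc := []byte("Lease agreement: monthly rent CHF 1500") // constructed sample document
	sig, _ := alice.Sign(doc)
	tampered := []byte("Lease agreement: monthly rent CHF 1000") // altered after signing
	mallory, _ := NewSigner()                                   // a different signatory
	fmt.Println("unaltered, signatory's key:", Verify(alice.Public(), doc, sig))     // true
	fmt.Println("altered after signing:    ", Verify(alice.Public(), tampered, sig)) // false
	fmt.Println("other person's key:       ", Verify(mallory.Public(), doc, sig))    // false
}
```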
Unlike handwritten signatures, qualified electronic signatures are not verified by the appearance of the writing, but by a mathematical procedure. Every qualified electronic signature is furnished with a digital certificate assigned to a specific person. Validation checks whether the signatory holds the appropriate digital certificate and whether the certificate was issued by an accredited certification authority.
How to tell if an electronic signature is valid
Option 1: Adobe Acrobat Reader
If a PDF contains electronic signatures from a member of the Adobe Approved Trust List, Adobe Acrobat Reader automatically checks whether the signatures are valid when it opens the document. You will see one of the following two messages:
- "Signed and all signatures are valid."
- "There is a problem with at least one signature."
You can also display the signature properties. These contain at least the following information:
- Name of signatory
- Time of signature
- Whether the document has been retroactively changed
- Details about the certificates of the issuer and signatory
- Whether the issuer is a member of the Adobe Approved Trust List (green check mark)
Option 2: Swiss Federal Government’s Validator service
As an alternative to Adobe Acrobat Reader, you can also use the Validator service of the Swiss Federal Government. It checks documents with respect to two points:
- Authenticity: Is the electronic signature valid according to ESigA?
- Integrity: Is the signed file unaltered?
To use it, simply upload the document to be verified to the tool. You will be shown a summary of the document review:
- Has the document been altered since the time of the last signature?
- Are the signatures valid according to ESigA?
- Are the certificates valid and have they not been revoked?
- Are the timestamps valid according to ESigA?
Can an electronic signature not just be inserted as a screenshot?
Of course, it is possible to take a screenshot of an electronic signature and insert it into a document. At first glance, it may look as if the document has been properly electronically signed. But a closer look quickly shows that the signature is not (legally) valid. Neither Adobe Acrobat Reader nor the Validator will recognise the signature, since it consists only of the visual element and is not a "genuine" electronic signature. It therefore cannot be validated.
As the points above illustrate, a qualified electronic signature is highly secure. It is difficult to falsify and its validity can easily be checked in a few steps. However, it is important for the documents to be digitally filed and stored. They can only be validated in digital form.