Signature Verification
Mass Verification of Electronic Signatures
AutoVerifier.
A digital signature can be used to achieve integrity (unaltered state) and authenticity (binding association of the message with a person). This is why the verification of a digital signature is critical. It must assure the recipient of the integrity and authenticity of the sender, and it must record this in a verifiable manner. This is especially important for long-term archiving.
What information does a signature contain?
The signature contains information about the signatory, the time of the signature, and other cryptographic data (including the hash value) that ensures that neither the source document nor the signature has been modified without being detected. The signature also contains additional certificates that are required for verification.
What is a certificate?
A certificate is an electronic document used to link a person to the cryptographic information they created. The signatory’s certificate is required to verify the qualified electronic signature. A higher authority, a certification service provider (trust center), has previously verified the identity of this signatory and proved it by digitally signing the certificate. The provider’s certificate required for this was in turn signed in advance by the Bundesnetzagentur (German Federal Network Agency and formerly the German Regulatory Authority for Telecommunications and Post), which holds the so-called “root certificate” as the origin of this certification chain.
What happens when verifying qualified electronic signatures?
The verification software carries out several checks. First, the original hash value is checked for changes to ensure that the signed data has not been altered. The time of signature creation is also checked for plausibility. A signature in the future is therefore not possible. The certification chain is also verified, i.e., the correct connection between the signatory’s certificate and the root certificate of the trust center. If this chain is broken or cannot be traced back to the root certificate, an error message is displayed.
How are qualified electronic certificates verified?
To verify a signatory’s certificate, all certificates including the root certificate are required. The purpose of certificate validation is to prove that the certificate itself, and in particular the identity of the signatory, has not been altered. This way, you know who sent you a document with a qualified electronic signature.
Why is the validity of the certificate checked?
Theoretically, it is possible for the private key used for encryption to become compromised. This could be done by hackers, for example, or if the smart cards used are stolen. This would allow unauthorized people to sign documents in someone else’s name. To provide protection, a revocation service (CLR/OSCP) has been set up for certificates that are no longer secure. These blacklists are checked against the established online connection. Verification is not successful if:
- The document has been altered. Any changes to the document, such as removing spaces or invisible characters, will result in an invalid signature.
- The signature file was damaged during transmission, for example, in the case of an external signature file.
- The certificate used is from an unknown certification service provider.
- All root certificates and intermediate certificates from German and international trust centers must be available for successful verification.
- The certificate has been revoked by the appropriate trust center, the algorithm used has been determined to not be secure, or the Internet connection has been interrupted.
Electronic Signature checked during Verification:
Is the file signed?
Was the signature certificate valid at the time it was signed?
Has the document been altered since being signed?
Is the certificate chain valid?
Is the hash algorithm still secure?
Comprehensive, Server-based Evaluation of Signature Information in Electronic Documents
Our AutoVerifier solution automatically verifies all signed files and generates a verification log in accordance with eIDAS, TR-ESOR, and electronic legal transaction (ERV) laws, and enables comprehensive, server-based evaluation of signature information in PDF documents and other document types of any format, including XML and PKCS#7 or S/MIME.
AutoVerifier achieves a throughput of more than 1000 verifications per hour and meets all requirements of German and European signature laws.
The received signature information can be processed directly in workflow or DMS systems to inform third parties about the document status.
When verifying signatures, certificates and certificate revocation lists (CRLs) can be checked against accredited trust centers or internal PKIs.
With AutoVerifier, you can automatically verify PDF and other documents “on the fly” or in batch mode. AutoVerifier is installed on a central server, providing a centralized location for verifying signatures. It is available as a service in the data center and can be controlled from the LAN via the management console and configured via the web interface:
Built-in web interface for configuration via web browser
Advanced options for creating verification logs, e.g., in PDF containers
Key AutoVerifier Features?
Evidence in court through verification logs
Verification of multiple signatures in PDF documents
Integration of verification results into scan metadata according to TR-RESISCAN
Verification of the validity of qualified and advanced signatures
Verification of electronic seal signatures
Incoming archive verification according to TR-ESOR
The SMTP add-on can also be used to connect to an existing SMTP delivery process. This is a transparent email proxy that receives emails, verifies any attachments to those emails, and then forwards them to the intended recipient. The verification logs are also stored in a directory for internal use.
The verification server can also be accessed through a web service. An asynchronous and a synchronous SOAP interface are provided. The verification server receives the signed files via SOAP call, verifies them, and returns the verification protocol under the same name.
The IsSigned tool can be used as an option. It sorts incoming emails on Linux according to signed and unsigned attachments.
"We discussed the FP concept with the Federal Insurance Office and asked if it was OK. When working in such a sensitive field, you don’t want to make mistakes, because they can be expensive."
Markus Haas, Deputy Head of DSiE Bavaria