
Digital Signature

The digital signature, based on asymmetric key cryptography (a public key and a private key), is widely acknowledged as the best qualified instrument, at the current state of technology, to guarantee the integrity and the origin of electronic documents, and thus to perform the function that the handwritten signature fulfils in traditional paper documents.

The digital signature is regulated by Italian law and in particular by Presidential Decree no. 445 of 28/12/2000 (Consolidation Act on administrative documentation) – Official Gazette no. 42 of 20/02/2001 and by Prime Ministerial Decree 13/01/2004 (Technical Regulations for the formation, transmission, conservation, duplication, reproduction and validation, even temporal, of electronic documents) – Official Gazette no. 98 of 27/04/2004.

General regulations concerning electronic signatures have recently been integrated by Law Decree no. 10 of 23/01/2002 (Implementation of the Directive 1999/93/EC relating to EC framework for electronic signatures) – Official Gazette no. 39 of 15 February 2002 and by Presidential Decree no. 137 of 7/4/2003 (Regulations containing coordinating provisions on the subject of electronic signatures pursuant to Article 13 of Legislative Decree no. 10 of 23 January 2002) – Official Gazette no. 138 of 17/06/2003.

In the case of handwritten signatures, it is the graphic symbol, and therefore the handwriting, recognized as a unique trait of the individual, that constitutes the element by which the signatory’s identity can be established.

As the digital signature cannot reproduce this particularity, a third party, established and acknowledged for the purpose, is called into play: the Certification Authority (CA). The role of the Certification Authority, as provided for by law, is to guarantee and make public the association between each party entitled to append a digital signature and the corresponding public key certificate, by which the identity of the signing party can be recognized and validated.

UniCredit has chosen Actalis S.p.A., a reputable certifier adhering to regulations in force, as Certification Authority.

The Signature Process

Preliminary Steps

The digital signature process requires the user to complete a series of steps in order to prepare the keys to be used in the cryptographic system on which the signature mechanism is based, and in particular it is necessary to:

  • register the user with a certification authority (CA)
  • create a pair of keys SK (Private key) and PK (Public Key)
  • certify the public key and have it published in the official register.
  1. Registering the User

    Registering the user with the Bank (which performs the role of Registration Authority) fulfils the twofold purpose of allowing the CA to be certain of his identity and of establishing a safe channel of communication with the user, through which the public keys for which certification is requested can be exchanged.

    Registration occurs by way of the following procedure:

    • the user applies to the Bank for registration, supplying the documentation necessary to ascertain his identity;
    • once the validity of the request has been verified, the Bank provides the user with an identification code which it guarantees to be unique;
    • the Bank, using a safe channel, supplies the code which the user must use to request certification of the keys.

    Once registration is complete the user shall receive a kit containing:

    • a Token for digital signature to be connected to the computer
    • an envelope containing the smart card PIN (Personal Identification Number) and PUK (Personal Unblocking Key) codes
    • a CD Rom with the software required for digital signature use
    • a software licence
    • instructions for installation
  2. Creating the Pair of Keys

    The users (signatories), using the programme supplied with the kit, create a pair of keys. One of these, the one to be used for cryptographic operations and hence to create the signature, shall be kept secret, shall perform the function of private key and shall be stored on a Token, access to which shall be protected by a password chosen by the holder.

    The other, intended to be used for verification, shall be made publicly available through certification and shall therefore act as public key.

  3. Certifying and Registering the Public Key

    The purpose behind certification of the public key is to reassure any person receiving a correctly signed document as to the identity of the person appending the signature, namely the holder of the certificate.

    The operation involves three stages:

    • The user forwards an application for certification of the public key created in the previous phase to the CA.
    • The CA produces the certificate and signs it digitally in order to guarantee its origin, which may be ascertained by anyone.
    • The certificate is registered and forwarded to the applicant, who then becomes its full holder.

    Once the certificate has been issued, it shall be made publicly available in one or more catalogues, to which access may be gained by anyone having cause to ascertain the validity of a digital signature.

Signing of Documents

Once these operations have been completed the user shall be able to “digitally” sign an unlimited number of documents by using his private key for the full duration of the public key certification validity period (2 years).

As the expiry date approaches it shall obviously be possible to apply for renewal of the certificate. The certificate’s validity period may be suspended before its natural termination by the cancellation of the certificate itself, which may be effected upon the holder’s request (when, for example, he believes the secrecy of his private key to have been compromised) or on the CA’s own initiative.

The signature process involves a sequence of three operations:

  • creating the message digest of the document to be signed,
  • creating the signature through encryption of the message digest,
  • appending the signature to the document.
  1. Creating the Message Digest

    A hash function which produces a fixed-length bit string shall be applied to the text to be signed. The hash function is chosen so that the string identifies the text: two different texts cannot, in practice, produce the same message digest.

    The advantage of using the message digest is twofold: firstly it means that in order to create the signature it is not necessary to apply the cryptographic algorithm to the entire text, which could prove extremely time-consuming. Secondly this mechanism allows a reliable third party to authenticate the signed document, without acquiring knowledge of its contents.

  2. Creating the Signature

    Creating the signature simply consists of encrypting the message digest created beforehand with the private key. In this way the signature proves to be linked on one hand to the signing party, through the private key used to create it, and on the other hand to the signed text, through the message digest.

  3. Appending the Signature

    The digital signature created in the previous step shall be added to the document in a pre-defined position; the value of the message digest and the reference to the certificate, from which the value of the signatory’s public key can be retrieved, shall also be attached.

Signature Verification

Verification begins by checking the validity of the certificate relating to the signatory’s (or signatories’) public key, obtained from the public register administered by the Certification Authority.

This is followed by verification of the digital signature itself, which is effected by recalculating the value of the message digest, using the same hash function used in the signing stage, and checking that the value obtained matches the one received with the document and the one recovered by decrypting the digital signature with the signatory’s public key.
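The certification, signing and verification stages described above, worked through end to end as an added example. This is not code from the original page and not software of UniCredit or Actalis; it uses only the Go standard library and assumes SHA-256 as the hash function, RSA-PSS as the signature scheme and X.509 as the certificate format (the page does not name any of these). The CA, the subject name and the private keys are constructed in memory for the demonstration, whereas in the scheme described on the page the private key stays on the user's token; the certificate check covers the chain to the trusted CA and the two-year validity dates but not cancellation (revocation), which a production verifier would also consult.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument holds what the page says is attached to a signed document: the
// signature, the digest and the signer's certificate (DER, standing in for the
// "reference to the certificate"). SHA-256 and RSA-PSS are assumptions.
type SignedDocument struct {
	Content, Digest, Signature, CertDER []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert has the CA sign a certificate binding a subject name to a public key;
// with parent == nil the template signs itself, which yields the CA root.
func issueCert(parent *x509.Certificate, signer *rsa.PrivateKey, subject string,
	pub *rsa.PublicKey, serial int64, isCA bool) []byte {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(2, 0, 0), // the page's two-year validity
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
}

// setupPKI is the constructed fixture: a CA root, the user's key pair (kept in
// memory here, on the token in the real scheme) and the certificate the CA issued.
func setupPKI() (roots *x509.CertPool, userKey *rsa.PrivateKey, userCert []byte) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := must(x509.ParseCertificate(issueCert(nil, caKey, "Example CA (constructed)", &caKey.PublicKey, 1, true)))
	userKey = must(rsa.GenerateKey(rand.Reader, 2048))
	userCert = issueCert(caCert, caKey, "Mario Rossi (constructed)", &userKey.PublicKey, 2, false)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, userKey, userCert
}

// signDocument performs the page's three signing operations: hash the document,
// sign the digest with the private key, attach signature, digest and certificate.
func signDocument(content []byte, sk *rsa.PrivateKey, certDER []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(content)
	sig, err := rsa.SignPSS(rand.Reader, sk, crypto.SHA256, digest[:], nil)
	return &SignedDocument{Content: content, Digest: digest[:], Signature: sig, CertDER: certDER}, err
}

// verifyDocument follows the page's order: certificate first (chain to a trusted CA,
// validity at time now), then the recomputed digest, then the signature with the public key.
func verifyDocument(doc *SignedDocument, roots *x509.CertPool, now time.Time) error {
	cert, err := x509.ParseCertificate(doc.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not valid: %w", err)
	}
	pk, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an RSA public key")
	}
	recomputed := sha256.Sum256(doc.Content)
	if !bytes.Equal(recomputed[:], doc.Digest) {
		return fmt.Errorf("digest mismatch: the document content was altered")
	}
	if err := rsa.VerifyPSS(pk, crypto.SHA256, recomputed[:], doc.Signature, nil); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

func main() {
	roots, key, cert := setupPKI()
	doc := must(signDocument([]byte("Constructed sample document"), key, cert))
	fmt.Println("genuine:", verifyDocument(doc, roots, time.Now()), "| after expiry:", verifyDocument(doc, roots, time.Now().AddDate(3, 0, 0)))
}
```

The verifier deliberately fails closed at each stage: an expired or untrusted certificate is rejected before any cryptography is done, an altered document is caught by the digest comparison, and an attacker who also recomputes the digest is still caught by the signature check, since producing a valid signature over the new digest requires the private key bound to the certificate.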
