November 16, 2006
Digital Signature
Fraud and identity theft have corporations and individuals alike concerned with electronic data security and authentication. Although this may appear to be a new trend, information integrity concerns have been around for a very long time.
Texts from the fourth century depict merchants of Old Babylonia displaying commerce trust through a handshake. Later on, socially accepted rituals were replaced with symbols. These symbols can be found as early as 335 B.C. on the Dead Sea Scrolls where, in the book of Isaiah, Rabbis signified readership of the text by marking it with their personal symbol combination. As one can imagine, these symbols were easily imitated, so the practice was augmented with a handwritten signature. At present, many legal and regulatory contracts are still bound with a handwritten signature.
However, more businesses are realizing the efficiencies of a purely electronic workplace where the handwritten signature is not an option. Digital documents or laboratory information that must be signed for compliance purposes must therefore be queried, formatted for A4 or letter paper, printed, and then wet-signed. This perpetuates a business model concerned with filing, archiving and retrieval of paper documentation, which is probably not the preferred mechanism for a company striving to be competitive in the global environment. This is where digital signatures gain importance, and the good news is that the legal and regulatory bodies have issued guidance in this area.
A digital signature is really an advanced electronic signature. Electronic signatures are perhaps best defined by the compliance organizations as any combination of text, audio and other information represented in digital form that is attached to a record with the intent to sign the record. A digital signature adds an extra layer of confidence that the signed record has not been altered and cannot be repudiated by the signer. The European Directive 1999/93/EC as well as the Food and Drug Administration (FDA) under 21 CFR Part 11 state that, in summary, an electronic signature must provide irrefutable authentication of the owner of the signature and detection of any alteration to the content of the document linked to that signature. It should be noted that the FDA is considering a revision to Part 11, which may loosen its stance on electronic signatures, but it should also be duly noted that the German Digital Signature Law (SigG) becomes even more prescriptive by describing the actual methodology that should be adhered to when implementing electronic signatures. The global marketplace poses many interesting topics when compliance is considered.
If you decide that your business should proceed fully into the digital world, then the first step is cryptography. Cryptography, like identity, has long roots. Kryptos, taken from Greek, means ‘hidden’, and cryptography was used in ancient Greece to hide information from unintended recipients. Historians, such as Herodotus, described different techniques for maintaining the confidentiality of classified information. Here, a message would be enciphered using a secret key. The key would be sent to the recipient ahead of time, so that when the message arrived, the recipient could use the key to translate the message back into plain text. The problem with this system is that the secret key has to be communicated over a secure channel and, as the Romans and countless others found out, a secure channel is slow and difficult to maintain, whether it be physical or virtual. Additionally, if the secret key is intercepted by a malicious recipient, then all messages using that key are no longer confidential.
Modern cryptography uses asymmetric systems, which rely on two distinct keys. In 1976, Whitfield Diffie and Martin Hellman illustrated an asymmetric system where the encryption and decryption keys are different, though mathematically dependent on each other, yet it is computationally infeasible to derive the private key from the public key. The two keys are known as the public key (encryption) and the private key (decryption). The researchers Rivest, Shamir and Adleman built upon this illustration and invented an algorithm named RSA to perform asymmetric cryptography. Here, a public key is posted on a server, and anyone who wishes to communicate with the holder of a private key must encrypt the message with the holder’s public key. Therefore, only the holder can decrypt the message, and the information does not need to be sent via a secure channel.
This kind of cryptography is the basis for the modern advanced electronic signature or digital signature (details of digital certificates, CAs and PKI will be discussed in the future). Modern digital signatures operate on a summary of the message to be signed, rather than the whole message, to save on computational costs. Here, the signer of a message uses a cryptographic hash function to produce a summary of the original data and signs that summary using their private key. If another party wishes to verify this signature, they must compute a summary of the received data or message using the same hash function as the signer did. The party then applies the signer’s public key to the signature, which also produces a summary: the one the signer originally signed. If the two summary values match, then the following is true: 1) The message or data was indeed signed by the signer (authenticated). 2) The message or data was not modified between the signing event and verification; otherwise the summary values would not match.
These two points greatly enhance the robustness of the signature event within the modern digital environment and offer a more effective methodology to protect against fraud, meet compliance standards and allow the work environment to move away from paper with confidence.
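The sign-then-verify flow described above, as an added Python example that is not part of the original post. It uses unpadded textbook RSA over a SHA-256 summary with constructed demo keys; the function names, key names and sample record are assumptions for illustration, and production systems use a vetted library with a padding scheme such as RSA-PSS.

```python
import hashlib

# Constructed demo keys built from known Mersenne primes so the example needs
# no key generation. Real keys use random primes from a vetted library.
E = 65537

def make_key(p: int, q: int):
    """Return (public, private) where public=(n, e) and private=(n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def summary(message: bytes) -> int:
    """The 'summary' from the text: a SHA-256 digest, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """Signer: hash the message, then apply the private key to the digest."""
    n, d = private
    return pow(summary(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Verifier: recover the signed digest with the public key and compare
    it to a digest computed independently from the received message."""
    n, e = public
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == summary(message)

ALICE_PUB, ALICE_PRIV = make_key(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_key(2**521 - 1, 2**1279 - 1)

def demo() -> dict:
    msg = b"Batch 42 released: assay 99.1%"  # constructed sample record
    sig = sign(msg, ALICE_PRIV)
    return {
        "unaltered": verify(msg, sig, ALICE_PUB),
        "altered_record": verify(b"Batch 42 released: assay 99.9%", sig, ALICE_PUB),
        "altered_signature": verify(msg, sig + 1, ALICE_PUB),
        "other_signer": verify(msg, sign(msg, BOB_PRIV), ALICE_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

Only the unaltered record checked against the signer’s own public key verifies; a changed record, a changed signature, or a signature made with a different private key is rejected.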
Posted by Mike Weaver at November 16, 2006 12:11 PM
