Security

Why SigningHub is the most secure way to sign

Advanced Electronic Signatures

SigningHub uses true “advanced electronic signatures” to deliver the level of trust and security that customers ask for in a signing solution – unlike some other providers, we don’t use this term just as a marketing phrase! The legal definition is that an advanced electronic signature is one which is:

  • uniquely linked to the signatory;
  • capable of identifying the signatory;
  • created using means that the signatory can maintain under their sole control; and
  • linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Signing solutions from the major vendors use one of these approaches:

  • basic e-signatures only;
  • basic e-signatures + a cryptographic digital signature created using the service provider’s signing key;
  • basic e-signatures + cryptographic digital signatures created using unique signing keys for each user, with each key being under the sole control of the owner. A true advanced electronic signature is one which meets this level.

The following diagram illustrates this point, showing a basic e-signature (the blue layer) and a digital signature (the green layer). Most service providers only give you the top blue layer, which offers no security at all; a few vendors add the cryptographic digital signature green layer, but most of these use a single service provider corporate key to create this digital signature. SigningHub is unique in that it delivers maximum security by not only using the user’s e-signature but also adding their own digital signature created using their unique signing key:

[Diagram: sign-verify-final_03]

This table summarises the major differences in the security provided by these different approaches:

Features compared (columns: Basic e-Signatures; e-signature + service provider’s digital signature; The SigningHub Approach, e-signature + user’s unique digital signature):

  • Does the solution prevent copying the signature from one document to another, leading to forged signatures?
  • Does the solution detect any changes to a signed document (e.g. even changing a single character anywhere in the document)?
  • Does the signature by itself give a clear indication of who signed the document (i.e. without having to rely on the service provider to identify the signer)?
  • Is the signature created using a means which is under the sole control of the signatory (this helps to deliver the “non-repudiation” service)?
  • Does the signature contain all the legal evidence to allow independent, offline verification (i.e. no need to ask the service provider to verify etc.)?
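To make the four properties of the legal definition, and the questions in the table, concrete, here is an added example in Go using only the standard library's ECDSA and SHA-256 (example code written for this page, not SigningHub's or Ascertia's own implementation). Each user holds their own key pair, the signature is computed over the digest of the exact document bytes, and the checks the table asks about are run in code: a single changed character, a signature copied onto another document, and a claim that a different user signed. The names alice and bob, the sample contract text and the in-memory key directory are constructed for this example; in a real PKI the signer's public key travels inside their certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one user with their own key pair. In the model the page describes
// the private key stays under the user's sole control (HSM, smartcard or
// token); here it is generated in memory purely for illustration.
type Signer struct {
	Name string
	key  *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair for the named user.
func NewSigner(name string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, key: key}, nil
}

// Public returns the key a verifier uses to identify this signer
// (the part a certificate would carry in a real PKI).
func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign binds the user's private key to the SHA-256 digest of the exact
// document bytes, so the signature is tied to this content and this user.
func (s *Signer) Sign(document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify checks a signature over document against a signer's public key.
// Any change to the document, or a different key, makes this return false.
func Verify(pub *ecdsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// IdentifySigner answers "who signed this?" from the signature and document
// alone, using a directory of known public keys (the job a trusted
// certificate does in practice). No call to the service provider is needed.
func IdentifySigner(directory map[string]*ecdsa.PublicKey, document, sig []byte) (string, bool) {
	for name, pub := range directory {
		if Verify(pub, document, sig) {
			return name, true
		}
	}
	return "", false
}

func main() {
	alice, _ := NewSigner("alice")
	bob, _ := NewSigner("bob")
	contract := []byte("Constructed sample contract: price 100") // constructed sample

	sig, err := alice.Sign(contract)
	if err != nil {
		panic(err)
	}
	directory := map[string]*ecdsa.PublicKey{"alice": alice.Public(), "bob": bob.Public()}

	fmt.Println("original verifies:", Verify(alice.Public(), contract, sig))
	fmt.Println("one character changed:", Verify(alice.Public(), []byte("Constructed sample contract: price 900"), sig))
	fmt.Println("signature copied to another document:", Verify(alice.Public(), []byte("Another document"), sig))
	fmt.Println("attributed to bob's key:", Verify(bob.Public(), contract, sig))
	who, _ := IdentifySigner(directory, contract, sig)
	fmt.Println("signer identified as:", who)
}
```

Run with `go run .`; the only check that prints true is the original document verified against alice's key, and the signer is identified without consulting anyone but the key directory. A service-provider-key design would make every signature verify under the same key, so the last two checks could not distinguish users at all.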

For signed PDF documents you can quickly determine if your solution is using unique digital signature keys by verifying the document in Adobe® Reader as shown below. Simply click on the e-signature appearance to reveal the name of the actual signer, shown highlighted below. Other solutions show the service provider’s name here as the signer rather than the actual user!

[Image: Adobe-signature-verification-new_03]

EU Qualified Signatures

Within the EU the highest signature trust level is called a Qualified Signature. These are the “gold standard” for signatures and as such are automatically recognised as equivalent to hand-written signatures in courts across the EU Member States. Qualified Signatures are similar to advanced electronic signatures; however, they require the user’s signing key to be held on a hardware-based Secure Signature Creation Device (SSCD), usually a smartcard or USB token, which meets EU-accepted security levels to prevent hacking. Furthermore, the user’s digital certificate, which uniquely identifies them, must be issued by a Qualified Certificate Authority (CA); these are licensed and recognised by the relevant EU Member State. SigningHub fully supports Qualified Signatures:

Features compared (columns: SigningHub; Other solutions):

  • Is the solution capable of supporting Qualified Certificates from any EU recognised Qualified CA?
  • Can it trust certificates from multiple Qualified CAs at the same time to allow cross-border interoperability?
  • Does the solution come with built-in CA functionality which allows an in-house Qualified CA to be set up if required? Note: operating a Qualified CA requires the organisation to use a “trustworthy” CA product which has been independently evaluated and certified against the standard CEN CWA 14167-1.

Adobe® AATL Signatures

When verifying digitally signed PDF documents outside the signing service it is very useful that end-users can trust the digital signatures immediately and avoid seeing messages within their PDF Reader that the signature is valid but the signer’s identity is not trusted. To avoid this issue the signing solution needs to support digital certificates from CAs which are registered as part of the Adobe AATL program. Further details on the AATL program can be found here: http://helpx.adobe.com/acrobat/kb/approved-trust-list2.html

AATL signatures are similar to Qualified Signatures in that they are created using keys and high-trust certificates issued to users on secure hardware devices by AATL member CAs licensed by Adobe. SigningHub also supports all AATL certificates:

Features compared (columns: SigningHub; Other solutions):

  • Does the solution support unique per-user AATL certificates?
  • Can the solution use certificates from any AATL CA? Can it support multiple AATL CAs (or other qualified or high-trust CAs) in the same instance?
  • Can the solution use individual server-held AATL certificates (stored in a secure HSM) as well as client-side certificates (stored in smartcards or secure USB tokens)?

Multiple, Configurable, Trust Points

Certificate Authorities (CAs) issue digital certificates to users to prove their online identity. CAs are operated by government bodies, global and national service providers, banks or any other trusted organisation. A large number of high-trust CAs are in operation across the world. It is important that the signing solution recognises these various different trusted authorities to ensure the greatest interoperability for its subscribers. See how SigningHub compares:

Features compared (columns: SigningHub; Other solutions):

  • If the signing solution is a cloud-based service, how large is its recognised CA trust list? SigningHub: 250+; other solutions: typically 1 (or <5).
  • Can new CAs be registered upon request?
  • Can custom plans be set up with just those CAs that the customer organisation wants to trust (rather than the complete list of CAs)?
  • Does the signing solution provide a built-in CA module if the end-users do not have easy access to a public CA?
  • Can an organisation have a private CA that shows their brand name?

Flexible User Authentication

Digital identities have become a part of everyday life. People hold digital IDs based on popular social network sites, bank-issued IDs, corporate IDs and also in many countries government-issued IDs. Each of these provides a different level of assurance as to the real-world identity of the owner. The signing solution must be capable of using any of these identities. Of course if the user doesn’t have any existing identities the solution must implement its own identity validation mechanism. This allows the business to choose the right assurance level corresponding to the risk model for that business process. SigningHub has a pluggable authentication architecture, allowing multiple authentication connectors to be set-up based on business needs. Example user authentication options include:

[Diagram: Flexible-User-Authentication-diagram]

SigningHub supports all of these methods:

  • No authentication – Ideal when you want to quickly present a document to a user and quickly obtain their e-signature
  • Username & password – The basic level of user authentication and access control
  • Two-factor authentication – A popular technique is to send a One Time Password (OTP) to the person’s mobile phone via SMS
  • External Identity Providers – External identity providers use standard protocols such as SAML, OAuth, OpenID and Radius to confirm a user’s identity. Example identity provider authentication mechanisms include Knowledge Base Access (KBA), mobile authentication, corporate Active Directory authentication, social media authentication and Google Authenticator.
  • Locally-held PKI tokens – The user’s signing key is held within a secure, tamper-resistant smartcard or USB token. A good number of countries have issued citizen e-IDs with PKI signing keys built in that can be used with SigningHub. Corporate PKI smartcards for physical and logical access control can also be used, as can the PIV cards used extensively by US Federal agencies, defence and financial organisations.

Long-Term Validation (LTV)

When signing paper documents you implicitly trust the fact that the signature will be verifiable for several years into the future. Similarly, in the electronic world, digitally signed documents must be verifiable at a later date. For example, in many jurisdictions and regulated industries, business documents need their authenticity to be verifiable for at least 7 to 10 years, whilst specialist applications may require verification for 15 or 20+ years. Not all signing solutions are capable of offering a long-term validation capability. This is an area we have invested in heavily by following the latest advanced, long-term digital signature standards as explained below:

Standard and description (the original table also marked SigningHub support for each):

  • PAdES Part 2 – Original PDF standard, ISO 32000-1. Supports embedded signature evidence information for Long-Term Validation (LTV).
  • PAdES Part 4 – Corresponds with the latest EU Qualified Signature standards (CAdES-X-Long and CAdES-A). Unique ability to extend the lifetime of signed documents by embedding additional protective timestamps at a later date.
  • XAdES-X-Long – The XML long-term signature format used for Microsoft Office documents. SigningHub supports this when signing Word documents via the SigningHub Word app.
  • PDF/A – ISO standard (ISO 19005) specifically designed for long-term accessibility and rendering of documents with no dependency on external references.
  • IETF LTANS Evidence Record Syntax (ERS) – Long-Term Archive & Notary Service (LTANS) is a set of specifications from the IETF for secure long-term archiving. Ascertia provides both LTANS server and client functionality, and this can be tightly coupled with SigningHub for a complete, long-term secure solution.

An effective signing solution should also meet these business requirements:

  • A separate trusted timestamp should be embedded to provide independent evidence of when each user’s signature was created
  • Trusted independent evidence that the signer’s unique signing key was valid at the time of signing (using OCSP and/or CRL standards) should be embedded
  • The signature of each user in the approval workflow must be verifiable independently using other standards compliant products without having to interact with the signing solution provider’s website
  • Documents should be able to be downloaded, stored locally and verified offline

User Signature Key Location

SigningHub uses unique signing keys for every single user and supports all common storage locations for these signing keys. The choice depends on the legal and policy requirements, ease of use and of course cost. SigningHub defines the allowed locations within your enterprise service plan settings. Different options can be selected for different user groups. Alternatively users can select one option for signing when in the office and a different option when signing on the road. See how SigningHub compares:

Signature key locations (columns: SigningHub; Other solutions):

  • Server-held keys – held inside a secure, tamper-resistant, certified Hardware Security Module (HSM) attached to the SigningHub server, or held in encrypted form in the SigningHub database (software mode).
  • Locally-held keys – held on a secure, tamper-resistant, certified smartcard or USB token which is PIN protected, or in encrypted form in a software file which is password protected. Accessible on Windows, Mac OS and Linux.
  • Mobile-held keys – held on a mobile device on a secure, tamper-resistant, certified hardware chip or in a secure software app, in both cases password/PIN protected.

Secure Document Viewer

A Secure Document Viewer is essential so that the user can clearly review what they are about to approve. Within the industry this is called “What You See Is What You Sign” (WYSIWYS) and ensures the user can only sign the document that is presented on the screen. It must not be possible for malicious code to show one thing to the user and get them to sign something else behind the scenes. SigningHub uses a secure document viewer that always shows a flattened image of the document. The user always sees exactly what they are about to sign and always sees what other users have already signed. This is an essential requirement for secure signature and non-repudiation services: the user cannot later claim they did not see the document in its exact final form. The secure viewer also provides data leakage protection options.

In addition to this SigningHub records and embeds a document snapshot at the time of signing within the document itself. With this feature, anyone can see what the document looked like before a particular signature was applied. This prevents signers from claiming they signed a different version of the document. This is a standard feature available within our signed PDF documents, even when verified offline. You can see this option by right-clicking a signature field and then selecting the “view signed version”. A new window opens and shows the document immediately before signing.
[Image: Sig-appearence_05]

Encryption & Access Control

All user interactions with SigningHub are conducted over a secure TLS/SSL VPN with the highest security options enabled. All information is encrypted between the web browser and web server using AES 256-bit encryption to maintain information privacy. As soon as a document is uploaded to SigningHub it is AES-256 encrypted at the application layer before being stored in the database. This ensures that document encryption is not under the control of the database administrator. The decryption keys are not available to any user or operator, and SigningHub ensures that only the document owner and any users they authorise can review the document.
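As an added example of the application-layer encryption described above (example code written for this page, not SigningHub's implementation; the page states AES-256 but not the mode, so AES-256-GCM with the document identifier as associated data is an assumption made here), the following Go program encrypts a document before it is written to the database and shows what the database row holds and which failures the authentication tag catches. The document IDs and contents are constructed sample values, and the key is kept in application memory to stand in for the application's key store or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredDocument is the only thing the database row holds: ciphertext and
// nonce. The key is kept by the application (or an HSM), so a database
// administrator with full read access to this row still cannot recover the text.
type StoredDocument struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// NewDocumentKey returns a random 256-bit key, giving AES-256 with aes.NewCipher.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps the key in AES-256-GCM (assumed mode, see lead-in).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDocument encrypts at the application layer before the row is written.
// The document ID is bound as associated data, so a ciphertext moved to a
// different row (different ID) fails to decrypt.
func EncryptDocument(key []byte, id string, plaintext []byte) (*StoredDocument, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(id))
	return &StoredDocument{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptDocument recovers the plaintext; GCM's tag check rejects a wrong
// key, any modified byte, or a ciphertext attached to the wrong document ID.
func DecryptDocument(key []byte, doc *StoredDocument) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, doc.Nonce, doc.Ciphertext, []byte(doc.ID))
}

func main() {
	key, err := NewDocumentKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document.
	stored, err := EncryptDocument(key, "doc-42", []byte("Constructed sample contract text"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("database sees %d bytes of ciphertext and no key\n", len(stored.Ciphertext))
	plain, err := DecryptDocument(key, stored)
	fmt.Printf("owner decrypts: %q (err=%v)\n", plain, err)
	stored.ID = "doc-43" // simulate the row being re-attached to another document
	_, err = DecryptDocument(key, stored)
	fmt.Println("moved to another row:", err)
}
```

The point a practitioner should take from this is the separation of duties: whoever administers the database sees only the StoredDocument fields, and decryption needs a key the application alone holds, which is what "not under the control of the database administrator" means in practice.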

When the document is shared for review and signature, the document does not leave SigningHub, instead users are notified via email. They use the service plan authentication method to access and view the document using the SigningHub secure document viewer.

The document owner can define the following rules and permissions either manually or by using a template:

  • Who can view the document and in which order; each user is authenticated before being shown the document, as explained above;
  • If the document is locked against further edits after signing;
  • If a user can add comments to the document;
  • If the legal notice should be shown before a user can sign;
  • If an additional document access password must be entered by a user to see the document;
  • The not before and not after date/time window during which the document is available to each user in the workflow.

Complete Audit Trail

As explained above SigningHub digital signatures contain full evidence information for independent offline verification using Adobe® Reader. In addition to this SigningHub creates a document log. This records all document events together with details of who performed these, at which date/time, the browser type and device operating system and IP address that was used:

  • Document upload
  • Document open
  • Document sharing – Including details on which users were added to the workflow
  • Document signing – Including where the signer’s keys were located (server, local or mobile), how the signer created their hand-signature, what initials were added if any, what legal notices were shown, what signing reason, location and contact details were added
  • Document completion – Includes information on any post-workflow processing steps taken by SigningHub (for example emailing the completed document to a user or users).

SigningHub is also able to capture all screens shown to the user, all document pages viewed by the user before signing, and even a full screen video of the user signing ceremony.

In addition to this SigningHub maintains logs for all user and administrator activity plus system events.

Enterprise Management Control

SigningHub Enterprise is a product that can be deployed quickly and easily on-premise to provide complete control over the branding, configuration and user and system management options and of course full control over the document and all log data.
SigningHub Cloud is a multi-tenanted service that still allows enterprises to keep full control of their branding, internal and external users, signing policies and any tight integration options. SigningHub allows one or more enterprise administrators to be set-up to control the enterprise account in the following ways:

  • Manage the enterprise profile, branding and perform centralised billing;
  • Invite users to join the enterprise account and manage their roles, rights and default settings, and also remove users from the system when no longer required. The enrolment and removal of user accounts from the SigningHub system can also be automated through API integration with a CRM or ECM business application;
  • Create workflow templates that define who the signatories are, in which order they must sign, where in the document the signature should be placed, their access permissions, legal notices, initials fields, form field assignments and all other low-level parameters associated with the signing process. End-users can then simply select these workflow templates to automate the document preparation stage instead of manually preparing the document each time;
  • Create user groups (such as finance, sales, HR) and publish these to the user community. Any member of the group can open, review and sign a document sent to them. Clever access controls prevent one user trying to work on a document selected by another;
  • Configure the different notification emails and the events for which emails should be sent;
  • Configure the allowed user signing methods, that is server-side signing, local signing or mobile signing, as well as which signature appearance and e-signature drawing options to use;
  • Manage the central online library of documents and forms for users;
  • Manage the configurations that control business application integration on behalf of the enterprise;
  • Manage enterprise storage space optimisation;
  • Define and optionally enforce the use of particular signing reasons by end-users when signing;
  • Configure one or more legal notices for the end-user community to use in their signature workflows;
  • Manage trusted certificate filters when using local signing to control which type of user certificates are acceptable for digital signature creation;
  • Manage the enterprise password policy.

Secure Algorithms

Since security is our forte, we have hardened SigningHub with some of the most secure algorithms and protocols, including:

  • Secure crypto – SigningHub supports the latest cryptographic algorithms endorsed by governments and the banking industry; SigningHub can use either RSA or ECDSA signing, with industry-leading large key sizes, e.g. 2048-bit+ for RSA keys. For hashing, the SHA-2 family of algorithms is supported, including SHA-256, SHA-384 and SHA-512. For data privacy we use AES 256-bit encryption;
  • Full certificate validation – SigningHub performs full validation of the signer’s certificate chain and extensions, following the rules of IETF PKIX RFC5280. Our certificate validation engine has been independently evaluated and certified against the latest PKITS test suite;
  • Dynamic path discovery – In complex PKI environments such as the US Federal Bridge PKI, and other bridge CA initiatives, there is a requirement to dynamically build certificate paths for the signer since all the different PKIs are not expected to be pre-registered. To support this SigningHub can perform dynamic path building using a number of standard protocols and has been independently certified as compliant with the US Path Discovery and Validation (PD-VAL) program for its SCVP protocol. This allows US Government issued PIV cards to be used with SigningHub;
  • Online Certificate Status Checking (RFC 6960) – SigningHub supports the real-time checking of the signer’s certificate status to ensure the signer’s identity, role or signing key has not been revoked at the time of signing. The OCSP response is then embedded into the signature for long-term validation. Offline CRLs are also supported (including delta, indirect and partitioned CRLs);
  • Trusted Timestamping (RFC 3161) – As part of each user’s digital signature, SigningHub embeds a digitally-signed timestamp from a Time Stamp Authority (TSA) to independently prove when the document was signed. Multiple external TSAs including qualified TSAs can be configured, or the SigningHub internal TSA service module can be used.
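An added Go example (written for this page, not Ascertia's code) that ties together three points made on this page: the configurable trust list from “Multiple, Configurable, Trust Points”, the full RFC 5280 chain validation under “Full certificate validation” above, and the Long-Term Validation requirement that a signature must stay verifiable after the signer’s certificate has expired. The standard library’s crypto/x509 verifies the signer’s chain against whichever CAs the operator has registered, and the validation time is taken from the signature’s trusted timestamp rather than the current clock. The issueCert helper, the CA names, the user names and the validity periods are constructed for the example; OCSP/CRL revocation checking and RFC 3161 token parsing, which a complete LTV check also needs, are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a certificate for name, signed by parent with parentKey.
// When parent is nil the certificate is self-signed, i.e. a root CA.
// (Hypothetical helper for the example; in practice certificates come from a CA.)
func issueCert(name string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {

	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// ValidateSigner builds and checks the signer's chain (RFC 5280 path
// validation as implemented by crypto/x509) against the configured trust
// list, evaluated at the given time. For long-term validation that time is
// the trusted timestamp embedded with the signature, not the current clock.
func ValidateSigner(signer *x509.Certificate, trustList []*x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	for _, ca := range trustList {
		roots.AddCert(ca)
	}
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	now := time.Now()
	year := 365 * 24 * time.Hour
	ca, caKey, err := issueCert("Trusted Qualified CA", true, now.Add(-3*year), now.Add(10*year), nil, nil)
	if err != nil {
		panic(err)
	}
	// alice's certificate was valid for one year and has since expired.
	alice, _, err := issueCert("alice", false, now.Add(-2*year), now.Add(-year), ca, caKey)
	if err != nil {
		panic(err)
	}
	trustList := []*x509.Certificate{ca}
	signedAt := now.Add(-540 * 24 * time.Hour) // value a trusted timestamp would supply
	fmt.Println("at signing time:", ValidateSigner(alice, trustList, signedAt))
	fmt.Println("at today's clock:", ValidateSigner(alice, trustList, now))

	// A signer whose CA the operator has not registered is rejected until it is added.
	otherCA, otherKey, _ := issueCert("Unregistered CA", true, now.Add(-3*year), now.Add(10*year), nil, nil)
	bob, _, _ := issueCert("bob", false, now.Add(-year), now.Add(year), otherCA, otherKey)
	fmt.Println("CA not on trust list:", ValidateSigner(bob, trustList, now))
	fmt.Println("after registering the CA:", ValidateSigner(bob, append(trustList, otherCA), now))
}
```

Two outputs matter: alice's signature validates at the timestamped signing time but not at today's clock, which is exactly why a trusted timestamp and embedded status evidence are needed for a document that must stay verifiable for 7 to 10 years; and bob's certificate is rejected until his CA is registered on the trust list, which is the "new CAs can be registered upon request" behaviour in code.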

Certifications & Compliance

The SigningHub cryptographic engine has been independently evaluated and certified to be compliant with CEN CWA 14167-1. This standard specifies the requirements for trustworthy systems for the issuance and management of EU Qualified Certificates. The SigningHub internal Certificate Authority (CA), OCSP Validation Authority (VA) and Time Stamp Authority (TSA) services were all certified. In addition, the SigningHub signature creation and verification services are compliant with CEN CWA 14170 and CWA 14171.

SigningHub supports the use of FIPS 140-2 and Common Criteria EAL 4+ certified HSMs, Secure Signature Creation Devices (SSCDs) and Qualified Signature Creation Devices (QSCD) under the new EU eIDAS regulations. We partner with a number of secure hardware vendors including SafeNet, Thales and Utimaco.

SigningHub Cloud is also available as part of the UK Government Software as a Service G-Cloud 6 initiative.

SigningHub Cloud is located in a secure and resilient data centre which has been independently certified under various schemes including:

  • ISO 27001/27002
  • SOC 1/SSAE 16/ISAE 3402 and SOC 2
  • Cloud Security Alliance CCM
  • FedRAMP
  • FISMA
  • FBI CJIS (Azure Government)
  • PCI DSS Level 1
  • United Kingdom G-Cloud
  • Australian Government IRAP
  • Singapore MTCS Standard
  • HIPAA
  • EU Model Clauses
  • Food and Drug Administration 21 CFR Part 11
  • FERPA
  • FIPS 140-2
  • CCCPPF
  • MLPS

If required a dedicated SigningHub system can be hosted in a cloud service provider of your choice. Specialist Public Sector cloud services providers work in partnership with us to deliver the solution via the PSN or Internet.

Contact us for further details on any of these security features.