ACADEMY: E-SIGNING Taking Signature Security Seriously

ACADEMY: E-Signing - Security Aspects

The security of an E-Signing solution must always be judged by examining every process involved and identifying the potential weakest link. We therefore recommend a comprehensive assessment that does not limit itself to the hardware or the software alone, but always considers both together, along with the people and procedures around them.
Another key factor is compliance with the applicable laws and standards.

Security Comparison of P-Signing and E-Signing

"P-Signing" is signing on paper. Many people are reluctant to give up paper, yet they often overlook the security loopholes in their existing processes, e.g. "Sign & Fax": a fax may sit for hours awaiting collection at a shared machine, where the document is accessible to anyone passing by. Some documents are faxed several times to collect all the required signatures and may end up illegible and unreadable, which also makes it hard to tell a genuine signature from a copied one.

Encryption

SOFTPRO SignDoc follows the same security principles for encryption and hashing as are applied to Qualified Electronic Signatures. The algorithms used are based on the recommendations of the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway ("Bundesnetzagentur"), a separate higher federal authority within the remit of the German Federal Ministry of Economics and Technology. Every year the agency publishes an overview of the algorithms and related parameters considered suitable for generating signature keys, hashing signed data, and creating and evaluating Qualified Electronic Signatures, together with the date until which each is considered suitable. Because every entry carries such an expiry date, a deployment that relies on this list has to be re-checked against the current edition: an algorithm or key length that was suitable when a document was signed may no longer be accepted for new signatures.
Federal Network Agency (Bundesnetzagentur): Suitable Algorithms

Security Certificates

Several SOFTPRO solutions carry the quality test marks "Approved Software" or "Approved App", issued by a reputable independent testing agency.

The German Technical Inspection Association (Technischer Überwachungs-Verein, TÜV) validates the safety and security of products as an independent body. Within the TÜV group, TÜV Saarland has a particular reputation for expertise in testing telecommunication and information technology solutions. The technical and legal assessments required to certify software and apps are carried out by the TÜV Saarland subsidiary Tekit Consult Bonn GmbH, which has worked with electronic signature solutions based on digitized handwritten signatures for several years and has extensive experience in testing E-Signing software and hardware.
TÜV Saarland
Tekit Consult Bonn
VdTÜV - Head Organization of all Technical Inspection Associations

The certification process consists of numerous tests that check whether an app is both easy and safe to use and whether data protection requirements are met.
  • The security level of the solution is rated on the basis of various manipulation attempts: these include attempts to sniff sensitive data, checks for backdoors in the app, and checks for security loopholes when data is transferred or stored. The security of administration and rights management is assessed separately, as is the procedure for updating the software.
  • Tekit also verifies whether the current security recommendations of the Federal Office for Information Security (BSI) and the IT industry association BITKOM were taken into account in the current app version, for example by using adequate encryption methods.
  • The usability of the software is evaluated according to DIN EN ISO 9241-110. This includes testing the help and support features available when installing and operating the solution, and whether the solution can be considered self-descriptive.

Key Results of the Security Test

After carefully testing SignDoc Desktop, SignDoc Web and SignDoc Mobile, Tekit Consult Bonn confirms on behalf of TÜV Saarland that in these solutions
  • data cannot be manipulated during the signing process
  • attempts to sniff the communication between the capturing device and the software yield no reusable data, only "junk bits"
  • tampering with signed PDF documents can be detected
  • anyone can validate the integrity of a signed PDF document using standard PDF viewers such as Adobe Reader
Note that an "intact signature" indication in a viewer confirms only that the signed bytes are unchanged since signing; whether the viewer also reports the signer as trusted depends on the signer's certificate chaining to a root in the viewer's trust store.
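The last two results rest on the standard hash-then-sign construction: the signer computes a digest of the document bytes and signs the digest, so any later change to the bytes alters the digest and the signature no longer verifies. The Go program below is an added illustration written for this page; it is not SOFTPRO code and does not reproduce the PDF signature format. It uses ECDSA over P-256 with SHA-256 from the Go standard library (an algorithm family of the kind listed by the Bundesnetzagentur; the exact parameters SignDoc uses are not stated on this page), signs a constructed sample contract, then flips a single bit and shows that verification fails. The key, the sample contract and the tampering offset are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument bundles the document bytes with a detached signature over
// their SHA-256 digest, mirroring the hash-then-sign structure of a PDF signature.
type SignedDocument struct {
	Content   []byte
	Signature []byte // ASN.1 DER-encoded ECDSA signature
}

// Sign hashes the document with SHA-256 and signs the digest with ECDSA P-256.
// The private key operates on the digest, never on the document itself.
func Sign(priv *ecdsa.PrivateKey, doc []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: append([]byte(nil), doc...), Signature: sig}, nil
}

// Verify recomputes the digest over the current content and checks it against
// the signature. It returns true only if every byte is unchanged since signing.
func Verify(pub *ecdsa.PublicKey, sd *SignedDocument) bool {
	digest := sha256.Sum256(sd.Content)
	return ecdsa.VerifyASN1(pub, digest[:], sd.Signature)
}

// Tamper returns a copy with a single bit flipped at the given offset while the
// signature is left untouched, as an attacker editing the file would do.
func Tamper(sd *SignedDocument, offset int) *SignedDocument {
	edited := append([]byte(nil), sd.Content...)
	edited[offset] ^= 0x01
	return &SignedDocument{Content: edited, Signature: sd.Signature}
}

// DemoTamperDetection runs the whole flow with a constructed sample contract
// (an assumption of this example) and reports whether the original and the
// tampered copy verify.
func DemoTamperDetection() (originalOK, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample; a real deployment signs the byte ranges of a PDF.
	contract := []byte("Purchase agreement: 100 units at EUR 1,000.00 each. Signed: A. Example")
	signed, err := Sign(priv, contract)
	if err != nil {
		return false, false, err
	}
	originalOK = Verify(&priv.PublicKey, signed)
	// Offset 20 is the '1' of "100 units"; flipping its low bit turns it into "000 units".
	tampered := Tamper(signed, 20)
	tamperedOK = Verify(&priv.PublicKey, tampered)
	return originalOK, tamperedOK, nil
}

func main() {
	originalOK, tamperedOK, err := DemoTamperDetection()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", originalOK, tamperedOK)
}
```

A real PDF signature covers a declared set of byte ranges of the file and embeds the signature value in the file itself, which is what lets a standard viewer recompute the digest and report whether the document is intact; the principle is the same as in the example.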

Quality Seal "IT Security made in Germany"

Companies carrying this seal share a particular dedication to excellence in secure IT products and to outstanding data protection. These values reflect the German passion for technology as well as respect for the privacy of IT users, whether corporate or private. The criteria are defined by TeleTrusT, the leading European association for IT security. Screening potential candidates for this quality seal and monitoring existing holders is one of the many tasks of the working group "IT Security made in Germany".

By displaying this seal, SOFTPRO declares that it complies with the following commitments shared by all companies working under the umbrella of "IT Security made in Germany":
1. providing trustworthy IT solutions
2. offering products without backdoors ("hidden access for third parties")
3. being headquartered in Germany
4. having research and development centered in Germany
5. complying with German laws and regulations for data protection

One example confirming SOFTPRO's commitment to trustworthy solutions is the certification of several of its solutions by the German Technical Inspection Association Group (Technischer Überwachungs-Verein, TÜV).

The seal was established in October 2011. SOFTPRO was one of the first successful applicants. For additional information see the website of
IT Security made in Germany
Note: The initiative "IT Security made in Germany" (ITSMIG) was transferred from an independent organisation into a working group of TeleTrusT in 2011. Some of the recent changes are not yet reflected on the ITSMIG webpage.