How do eSignatures Work?

Leor Melamedov

Many eSignature solutions appear to be simple, but a look under the hood reveals a complex set of technologies that ensure security and compliance. In the digital world, one of the major threats is identity theft. Identity theft can lead to the falsification of documents, which endangers the victim. As more and more contracts are executed digitally, all parties become increasingly exposed to forgery and identity theft.

To contend with this reality, companies have developed secure methods that can protect both the parties involved and the contract itself from being falsified by adding digital encryption.

How a legally-binding eSignature is built

To create an eSignature solution that carries legal weight, engineers must make use of public key infrastructure (PKI).

PKI allows users and devices to be authenticated online by technological means. The parties involved are able to sign documents securely and digitally, with a guarantee that a cryptographic key belongs to a particular party. The key serves as an identifier of the user in a digital environment.

Users, programs, devices, components, manufacturers and many other things that can be associated with keys are known as entities. A PKI establishes the connection between a key and an entity in a secure way.

The structure of PKI is made of the following elements:

  • Public key certificate, also known as a digital certificate: Proves ownership of a public key.
  • Private key tokens: Enable the secure generation of private keys.
  • Certificate authority: An organization that validates the identities of various entities.
  • Registration authority: An authority that validates user requests for a digital certificate and directs the certificate authority to grant it.
  • Certificate management system: A system that manages the entire lifecycle for certificate issuing, inspection, renewal, and more.

The PKI allows for the secure management of eSignatures by creating two mathematically linked keys: a public key and a private key.

How eSignatures with digital signatures work

The public key is available to those who are authorized to validate the authenticity of the eSignature. The private key remains hidden from everyone except the signer of the document or contract. Encrypting and decrypting eSignature data relies on both the sender’s and receiver’s public and private keys. This security relies on the trust that the sender’s private key has not been shared with anyone else.

By using PKI, the developers of the eSignature solution ensure that the technology meets the requirements of a certificate authority (CA), which is upheld by organizations that are responsible for guaranteeing the security and integrity of keys. The CA uses a cryptographic key for signing these documents, which are known as certificates.

Once the signer of the document provides his or her electronic signature, a cryptographic hash is created for the form or document, which serves as a unique digital fingerprint.

The cryptographic hash is then encrypted with the sender’s private key and stored in a secure HSM (hardware security module) box. It is added to the document and sent to the recipient with the sender’s public key.

Using the sender’s public key certificate, the recipient is able to decrypt the encrypted hash. On the recipient’s end, a new cryptographic hash is generated. The two hashes are compared to validate the eSignature’s authenticity, and demonstrate that no tampering has taken place.
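The hash, sign and compare sequence described above, as an added example that is not Lightico's code: it uses only Python's standard library and a constructed toy RSA key without padding, so the key values and function names are assumptions made for illustration. Production signing uses a vetted library and a padded scheme such as RSASSA-PSS.

```python
import hashlib

# Constructed toy key pair: textbook RSA built from two well-known Mersenne
# primes. Illustration only; real signing keys use random primes and a padded
# signature scheme.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer


def fingerprint(document: bytes) -> int:
    """SHA-256 hash of the document as an integer (the digital fingerprint)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer side: hash the document, then transform the hash with the private key."""
    return pow(fingerprint(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient side: recover the signed hash with the public key and compare
    it with a hash freshly computed over the received document."""
    if not 0 <= signature < N:
        return False
    recovered = pow(signature, E, N)
    return recovered == fingerprint(document)


def demo() -> dict:
    # Constructed sample document, not taken from the article.
    contract = b"Loan agreement: borrower pays 1,000 USD by 2030-01-01."
    signature = sign(contract)
    tampered = contract.replace(b"1,000", b"9,000")
    return {
        "original_valid": verify(contract, signature),
        "tampered_valid": verify(tampered, signature),
        "altered_signature_valid": verify(contract, (signature + 1) % N),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Changing a single character of the document, or a single bit of the signature, makes the two hashes disagree, which is the tamper evidence the recipient relies on.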

There are three different classes of digital signatures, each with its own level of security and legality.

  1. Class I signatures: Provide a basic level of security for low-risk environments, and are not legally binding for business documents.
  2. Class II signatures: Authenticate a signer’s identity against a pre-verified database. Used for a moderate-risk environment, such as income tax returns.
  3. Class III signatures: Require a person to be present in front of a certifying authority to prove identity before providing a signature. This is reserved for court filings, e-tendering, and e-ticketing, where a data breach can have significant consequences.

Lightico’s digital signature solution

Lightico’s eSignature solution is unique in that it enables users to sign from their mobile phone, ensuring greater efficiency and turnaround time thanks to the location independence it provides. Businesses simply send a text message link to the customer’s smartphone, which opens up to a secure environment where documents and forms can be uploaded and reviewed, and signatures can be provided, all via smartphone.

The Lightico solution provides the highest level of eSignature protection by using a trusted CA and tamper-proof, time-stamped audit trails. It exceeds even the high standards of the ESIGN Act, as well as international equivalents.

The bottom line

Digital signatures not only prevent impersonation, but provide evidence of an electronic message’s origin, identity, and status, as well as the signer’s informed consent. Lightico is an eSignature solution that combines a highly efficient, intuitive mobile signing experience with the most stringent compliance measures in the industry.