Simply about the electronic signature. Electronic signature for document flow

Modern business can no longer be imagined without tools such as electronic document management and the electronic signature. This method has many advantages and greatly facilitates the management of all processes in an organization. Modern entrepreneurs increasingly use specialized systems to regulate their activities, since these are indispensable assistants in solving the company's daily tasks. Such software systems automate every process and allow all procedures related to documentation to be streamlined.

Functions of electronic document management and its advantages

Document management automation is designed to perform the following functions:

  • registration of all internal, as well as incoming and outgoing documents;
  • entering them into the program for subsequent monitoring;
  • confirmation of data authenticity through an electronic digital signature;
  • reference and information retrieval;
  • filing of completed documents in case files;
  • drawing up various reports on the results of the enterprise’s activities.

The main advantage of such paperwork is that there is no need to spend a lot of time on the approval of any project of the organization by individual employees or management. This is due to the ability to send the necessary information electronically. This method eliminates paperwork.

The electronic document management system must have a current archive from which corporate data can be obtained promptly. In addition, it provides a high level of reliability of information storage. The reference and information function makes it possible to select only the documentation required at the moment, which allows the company to save significant money on creating a storage facility for paper records.

The most important feature is the simplified procedure for authenticating data. Whereas information on paper requires confirming elements such as a seal, date, signature and details of the enterprise, electronic document flow uses an electronic digital signature. The main advantage of a digital signature is that it can be used for several documents at the same time.

Electronic digital signature

This office management tool is necessary to ensure the protection of all documents involved in the activities of the organization. It is a cryptographic transformation of the data performed with a private key. Its presence makes it possible to identify the owner of the signature and helps confirm the authenticity of the information. Legally, such an element of electronic document management is comparable to a handwritten signature affixed on paper.

The main tasks that an electronic digital signature is designed to cope with are:

  • protecting information against forgery;
  • identifying the owner of the key certificate;
  • detection of any distortions in the data.

The digital signature in document flow has its own peculiarity, which lies in the logical nature of this tool: it makes it possible both to authenticate the document (check it for changes) and to identify its owner.

How to determine the authenticity of a created signature and what advantages does it have?

In order to analyze its authenticity, it is necessary to identify the authorized person, as well as establish the truth of the information. The only way to do this is by filing a corresponding claim in court, where a thorough analysis of the company’s data and its documentation will be carried out.

The main advantages of using an electronic digital signature are:

  1. Opportunity to establish partnerships with remotely located organizations.
  2. Copies of electronic documents are equivalent.
  3. Automation of each stage of creating a signature, using specialized hardware and software.
  4. Increasing the productivity of company employees.

Despite all its advantages, this element of the system also has disadvantages: to create a reliable signature, it is imperative to use specialized legal, organizational and technical means of support. The technical means of protection include cryptographic methods, which produce a unique sequence of characters that makes it possible not only to identify the creator of the digital signature but also to check the document for authenticity.

Cryptographic protection takes the form of data encryption and the generation of a unique signing key. The method is an algorithm that describes the sequence of transformations applied to the information, and the key is the parameter on which the method is based.

Classification of data encryption methods

Currently, there are two types of encryption:

  1. Symmetric. It involves transferring a key created by one partner to the other. In this case, a single key is used both to encrypt and to decrypt the information.
  2. Asymmetric. Special mathematical calculations are used. In this case, two keys are generated at once: one of them is used as the encryption element, and the other is used to decrypt the data. The first key remains with the owner of the signature and is called the private or secret key. The second can be provided to a wide circle of people (the organization's employees).

The use of electronic signatures is becoming increasingly common in Russia. This is not at all surprising, since a digital signature is in many cases more secure than the corresponding details affixed with a ballpoint pen or stamp. How is an electronic signature made for a legal entity? How does one obtain the appropriate tool?

Definition of digital signature

First, let's define the essence of a digital signature. What is it? By it we mean the details of a document, similar to those put down on paper with a ballpoint pen, but produced using special computer algorithms.

The main purpose of an electronic signature is to confirm that a document was signed by a specific person. Among the other useful properties of an electronic digital signature is certification of the document's integrity, i.e. the absence of any changes to it on the way between the sender and the recipient.

Using digital signatures

In what areas are digital signatures used? Almost the same ones as a regular signature: in businesses and government agencies, and in communications involving individuals. A digital signature that meets all the necessary legal requirements is legally equivalent to a signature made with a ballpoint pen and, in some cases, to a seal, if we are talking about legal entities.

The use of electronic signatures is common in the banking sector: for example, when a user of a financial product logs in to a “bank-client” system, the corresponding mechanisms are used. Using the algorithms adopted by the financial and credit organization, the client signs payment orders and submits various applications and requests.

In some cases, digital signature is considered to be an even more reliable requisite than a signature made with a ballpoint pen. This is due to the fact that it is very difficult to forge, and also because with the help of an electronic digital signature, as we noted above, you can check whether changes have been made to the sent files.

Universal electronic cards are beginning to spread in the Russian Federation. With their help, citizens can carry out a large number of various actions. Among these is signing documents on the Internet. How is this possible? In order to use this UEC function, you need to purchase a card reader - a device capable of reading data from a card and transmitting it through special online channels. It is necessary to use a device that supports the PC/SC standard.

EDS structure

How does the digital signature work? How does the document authentication mechanism work? Very simple. An electronic signature itself is a document requisite that can only be affixed by one person (or organization). The corresponding subject of document flow has a single copy of the tool with which the digital signature is placed - this is the private key of the electronic signature. As a rule, no one else has it, as is the case with a unique example of a person's autograph, which he writes with a ballpoint pen. Keys are issued by specialized organizations - certification centers. They may also be accredited by the Ministry of Communications.

The digital signature is verified using a public key, which, in turn, can be at the disposal of any number of people. Using this tool, the recipient of the document makes sure that it was sent and signed by a specific sender. If the public key does not recognize the digital signature, it means that it was not affixed by the person from whom the document should have come.

Signing Key Certificate

An important element of document flow is the electronic signature key certificate. It is usually an electronic data source that contains information about the sender of the files. The certificate certifies that the key a person owns is valid and also contains basic information about the sender. The certificate is usually valid for 1 year from the date of its issuance. It can also be revoked at the initiative of its owner, for example if he loses control of the key or suspects that it has fallen into the wrong hands. Documents signed without a valid certificate have no legal force.

From a technological point of view, the mechanism for exchanging files when using digital signatures is usually implemented within the framework of some software environment. That is, files are sent and received in a special format using a specialized software interface. It can be adapted, for example, for document flow in the field of tax reporting or for exchanging files between different companies.

A universal system for receiving and sending documents has not yet been created in the Russian Federation, but such work is underway. Its successful completion will make it possible to create a software environment that, theoretically, will be able to completely replace paper document management, since every citizen, along with a personal autograph, will also be able to affix an electronic signature on any documents. Actually, the development of the UEC is one of the first steps in this direction.

For now, this card can be used to affix an electronic signature only on a limited number of resources. Electronic signatures are therefore verified in various programs, whose use is agreed between the sender and the recipient of the documents.

It is also quite possible to exchange files outside the corresponding interfaces. In this case, each document can be supplemented with a text insert with a unique cipher, which is created using a private key and read by the recipient of the file using a public one. The document will be recognized if the corresponding algorithms match, and also provided that the certificate we mentioned above is valid.

However, the cipher in question will one way or another be created by a special program. Theoretically, of course, users can develop their own, and this will formally also be considered an electronic digital signature, but in this case there is no point in talking about a sufficient level of document flow security. In large companies, special requirements are usually established for it, as they are in government agencies. Let's study in more detail the types of digital signatures classified by their level of security.

Digital signature security levels

It may be noted that sending documents via e-mail is also one of the options for using a digital signature. In this case, we are talking about a simple electronic signature. Its “key” is the password entered by the sender. The Electronic Signature Law allows this type of digital signature to be legally significant, but in practice this scenario is not always implemented. And this is understandable: the password, purely theoretically, can be entered by anyone who knows it and impersonates the sender.

Therefore, the same law on electronic signatures provides that much more secure versions of digital signatures can be used in document flow. Among these are the enhanced and the qualified digital signature. They assume that their owners have reliable electronic keys in their hands, which are very difficult to fake. These can be made in the form of a special key fob such as eToken, issued in a single copy. Using this tool and a special program, a person can send signed documents to the recipient, who can then use the public key to verify the electronic signature and confirm the origin of the files.

Specifics of a qualified signature

What is the difference between an enhanced digital signature and a qualified one? Technologically, they can be very similar and use generally similar encryption algorithms. But in the case of a qualified digital signature, a certificate for it is issued by a certification center (from among those accredited by the Ministry of Communications). This type of electronic signature is considered the most secure and in most cases is equated in a legal sense to the corresponding details of a document that is placed manually on paper.

In most cases, a qualified digital signature is required when businesses and individuals interact with government agencies, since the requirements for document identification in such communication scenarios can be very strict. An enhanced digital signature cannot always satisfy them, not to mention a simple electronic signature. Accredited certification centers, as a rule, recommend to their clients the optimal type of software with which document flow is carried out using digital signatures.

Types of electronic signatures

So, a universal digital signature capable of replacing a signature on paper at any time has not yet been developed in Russia. Therefore, the tools we are considering are presented in a wide range of varieties, adapted to various file sharing purposes. Let's look at the most common types of communications that use electronic signatures of documents.

Popular are the digital signatures required for commercial organizations to participate in various auctions (Sberbank-AST, RTS-Tender), as well as for presence on trading platforms, for example those that are members of the EDS Association. There is also an electronic signature adapted for working with databases on bankruptcies of legal entities and facts relating to their activities.

On the Gosuslugi.ru portal, all registered persons are also issued an electronic signature. Thus, public services can then be ordered online - there is no need to submit a paper document to one or another department. A wide range of services is available to citizens; you can even apply for a foreign passport online. One of the options for hardware implementation of digital signatures for use on the Gosuslugi.ru portal is UEC, which we mentioned above.

How to obtain an electronic signature

Due to the absence in the Russian Federation of a unified structure for issuing universal digital signatures, there are a large number of private companies engaged in issuing electronic signatures. They are called, as we noted above, certification centers. These organizations perform the following main functions:

  • registering users as legally authorized subjects of work with documents using digital signatures;
  • issuing electronic signature certificates;
  • in some cases, ensuring the sending and verification of documents with digital signatures.

Thus, if a citizen or organization needs a digital signature, they will have to go to the appropriate certification center.

Documents for obtaining digital signature

How is an electronic signature issued for a legal entity? How to get such a useful tool for business? So, the first thing you need to do is choose a certification center. It is advisable to contact those structures that are accredited by government agencies. A list of these organizations can be found on the website of the Ministry of Communications of the Russian Federation - minsvyaz.ru.

The following basic documents must be submitted to the certification center:

  • an extract from the Unified State Register of Legal Entities;
  • certificates of registration of the legal entity and of registration with the Federal Tax Service.

If we are talking about obtaining a personal signature for the head of the organization, the mentioned set of documents must be supplemented with a copy of the protocol on the appointment of the general director to the position. If an electronic digital signature is received by an employee who is not a member of the company’s highest management bodies, then a copy of the order on his employment, as well as a power of attorney, is required. Naturally, you will need a specialist’s passport and SNILS.

As we can see, the process within which an electronic signature is issued for a legal entity is not at all complicated. How to obtain an electronic signature for an individual entrepreneur?

Very simple. The following basic documents will be needed:

  • an extract from the Unified State Register of Individual Entrepreneurs;
  • certificates of registration as an individual entrepreneur and of registration with the Federal Tax Service;
  • a passport.

If a person who is not in the status of an individual entrepreneur, owner or representative of an LLC wants to receive an electronic digital signature, then all he needs to bring to the certification center is an INN, a passport, and also a SNILS.

Obtaining an electronic signature is usually not a very long process. Many certification centers are ready to provide an eToken key or its equivalent, as well as instructions for using digital signatures within a few hours after completing the corresponding application.

Practical nuances of working with digital signatures

We have studied how an electronic signature is issued for a legal entity and how to obtain this instrument. Let us now consider some noteworthy nuances of the practical use of digital signatures.

When organizing document flow between two or more companies, it is advisable to turn to the services of intermediary structures that help the companies avoid mistakes in exchanging files and also guarantee compliance with all legal requirements regarding these communications. Among the optimal options for formalizing such arrangements is the conclusion of accession agreements, which are provided for in Article 428 of the Civil Code of the Russian Federation.

When organizing document flow between different organizations, it is also recommended to approve the procedure for working with files in cases where the authenticity of the digital signature cannot be determined. For example, this is possible if the electronic signature key certificate has expired.

At the beginning of the article, we looked at the classification of digital signatures according to the degree of security. What are the mechanisms for the correct use of simple, strong and qualified electronic signatures?

If a company decides to use a simple digital signature when exchanging documents with another organization, then it needs to enter into additional agreements establishing such a mechanism. The relevant agreements must reflect the rules for determining who exactly sent the document via e-mail and thereby provided a simple digital signature.

If we are talking about electronic trading, then the signature must be strengthened (at a minimum) and meet the criteria adopted at the level of a particular online platform where such communications are carried out.

Reporting to government agencies should only be carried out using a qualified electronic signature. If we are talking about establishing labor relations at a distance (more recently, the Labor Code of the Russian Federation allows this type of communication), then a qualified signature must be used in this process.

Electronic digital signature (EDS)

Electronic digital signature in EDMS: what do you need to know?

Sergey Silin
January 31, 2007 1:13 pm


Recently, the electronic digital signature (EDS) has become increasingly widespread in domestic corporate information systems. However, the coverage of digital signature use is, as a rule, one-sidedly technical and does not allow the whole picture to be seen, which is why it became necessary to consider this area “from a bird's eye view.” Without going into details that are of interest only to specialists, we will try to explain what an electronic digital signature does and does not allow one to implement, and give practical recommendations for the use of digital signatures in electronic document management systems, the need for which is increasingly felt today.

According to general opinion, a handwritten signature on a paper document solves the following problems:

  • convince the reader that the person who signed the document did so consciously (the signature is authentic);
  • prove that it was this person, and no one else, who consciously signed the document (the signature is genuine);
  • being part of the document, protect it from fraudulent transfer to another document (the signature cannot be reused);
  • protect the document itself (a signed document cannot be changed);
  • ensure the materiality of the signature and the document, guaranteeing that the person who signed the document will not be able to subsequently claim that the document was not signed by him (the signature cannot be repudiated).

However, as practice shows, a handwritten signature on a paper document, by its very nature, leaves loopholes for fraudsters. It is not without reason that, to make their actions difficult, special security marks are applied to document forms, sheets are numbered and stapled, and, along with the signature itself, the surname, first name and patronymic are written on the document by hand, etc. In a word, for all its advantages, the handwritten signature also has a number of disadvantages.

As a result of the penetration of computer technology into all spheres of human activity, the need arose to implement an analogue of a person's handwritten signature in electronic form. This task was successfully solved. The solutions are based on public key cryptographic algorithms, developed in the mid-1970s, which rest on a complex mathematical apparatus.

At the same time, the digital signature eliminated most of the problems inherent in a signature on a paper document and provided the electronic document with the following important characteristics:

  • authenticity: confirmation of the authorship of the document;
  • integrity: the document cannot be changed after signing;
  • non-denial of authorship (non-repudiation): the author will subsequently not be able to disown his signature.

EDS is most widely used today in documentation support for management (DOU), in payment systems, e-commerce and accounting. Of the listed areas, the most popular and complex is the task of automating the documentation support for management of organizations, which is the main goal of creating electronic document management systems (EDMS). This is what we will focus on in this article. However, first it is necessary to clarify what is meant by the use of digital signatures, bearing in mind its two main schemes:

  • signing an electronic message upon transmission and verifying the sender's signature upon receipt, i.e. secure document transmission. Such a scheme is often perceived as legally significant document flow, which is a deep misconception. Protecting an electronic message with a digital signature is certainly useful and necessary, but it is completely insufficient to ensure full-fledged document flow;
  • use of the digital signature throughout the life cycle of an electronic document: during its creation, coordination, approval, familiarization with it, etc. Only when the full life cycle of a document is automated and the digital signature is an integral part of it can we speak of a full-fledged, i.e. legally significant, electronic document management system.

Next we will consider legally significant EDMS. Such systems are most in demand in large holdings, government agencies, credit institutions, stock exchanges, insurance companies - where it is necessary to document electronically decisions made and bear financial responsibility in connection with them.

EDMS with digital signature support: what are the benefits?

The main feature distinguishing an EDMS with EDS support from one without it is that electronic documents equipped with an EDS are evidence: they document a decision or some fact. If, when a conflict situation arises, there is an electronic document signed with an electronic signature, then an investigation can be conducted on its basis within the organization and, if necessary, with the involvement of a third party (for example, an arbitration court). An EDMS that does not provide digital signatures does not offer this opportunity.

Today, many internal documents of an organization can be converted into electronic form (for example, memos, requests for the allocation of funds, various internal reports, instructions, etc.). It is necessary to develop a regulatory framework for the organization governing the use of digital signatures. Such regulations will give electronic documents legal force, i.e. the ability to present them in court as evidence. Of course, the scarcity of law-enforcement practice introduces some restrictions on the use of digital signatures, but it is not a fundamental barrier to building an internal, legally significant electronic document flow in an individual company.

Participants and their roles

As follows from the above, an electronic signature is an analogue of a person’s handwritten signature, used in electronic documents. An electronic digital signature is created using a private key - a unique sequence of characters that is known to its owner and is intended for creating a digital signature in electronic documents using appropriate means.

Recipients of an electronic document signed with an electronic signature have the opportunity to verify the validity of the signature using a public key and make sure that the document is genuine and the digital signature belongs to the person indicated in it. A public key is a unique sequence of characters that is mathematically related to the private key of an electronic digital signature. The public and private keys form what is called a key pair.

The public key is available to any user of the information system as part of the key certificate. A key certificate is analogous to an identification document (for example, a passport). This is a document on paper or an electronic document with the digital signature of an authorized person (employee) of the certification center. In addition to the public digital signature key, the key certificate contains identification data of the owner. The certificate is transferred to the EDMS user and performs two tasks: it confirms the authenticity of the digital signature and identifies the owner of the signature key certificate.

In both cases, electronic digital signature tools are used - a hardware and software complex that ensures the implementation of at least one of the following functions: creation of an electronic signature in an electronic document using a private digital signature key; confirmation using the EDS public key of the authenticity of the EDS in an electronic document; creation of private and public digital signature keys.

An analogue of an arbitrator trusted by all participants in the document flow is the certification center, an organizational structure that manages key certificates and supports their use in the various subsystems of the corporate information system. The certification center can be an external organization or a division of the company itself.

Another participant in the process is a crypto provider. This is a software or hardware-software module that implements one or more cryptographic algorithms and provides its functions to external systems.

An analogue of the date on a paper document, which is personally affixed by the person signing it, is the time stamp. Here we are talking about the evidence of a trusted third party, an organizational unit called the time stamp service. The EDMS sends it a so-called hash message, obtained by a cryptographic transformation of the document. The service stamps this message (using its software and hardware), certifying that the electronic document existed at that point in time: it appends to the hash message a value indicating when the time stamp request was received, signs the result with its own digital signature and returns it to the EDMS.

The set of hardware and software, as well as the personnel, policies and procedures needed to create, store, distribute, manage the life cycle of and use public key certificates and the associated private keys is called a public key infrastructure (PKI).

As always, it's all in the implementation details!

When choosing an EDMS with digital signature support, you should pay attention to the implementation features of the selected system. Let's look at the key aspects to consider.

Not only content, but also form

In many EDMS, an electronic document is considered to be some type of file (for example, Microsoft Word or Adobe Acrobat) attached to the registration card. I would like to draw attention to one circumstance: signing just files (the content of documents) is not of great interest to the organization. Strictly speaking, not all information in a document is “unstructured”; in addition to the content, the document contains details that can and should be separated into a separate structure in order to subsequently search and classify documents using them. In many situations, it is useful to sign not only the content, but also the form. In this case, you can display and print the electronic document on the computer screen in the form in which it was signed, which will avoid any conflict situations.

All the nuances of paperwork

The digital signature must be equivalent to a handwritten signature and take into account all the nuances of paperwork. Namely, the EDMS must allow signing part of a document, and placing signatures on an electronic document sequentially (the document and all existing digital signatures are signed) or in parallel (the document and all digital signatures of lower levels are signed).

Figure 3 shows examples of using digital signatures in documents. The “I certify” signature is a sequential first-level signature that covers only the content of the document (this is the signature of the author of the document). The signatures “agreed 1” and “agreed 2” (approving visas) are parallel second-level signatures. They cover the content of the document and the first-level signature and are independent of each other. The signature “I approve” (manager visa) is a sequential third-level signature that covers the content of the document and all previous signatures.

Electronic document format

For the full implementation of digital signatures, the electronic document management system must support a document format that serves as the canonical form to which any “electronic document” in the EDMS is converted. From the point of view of ease of use and prospects for development and integration, an EDMS that uses XML to describe the document format is preferable. International organizations are currently working on a standard for the electronic document format.

Time stamp

It is important to note that when working with digital signatures, a problem inevitably arises due to the fact that the validity period of any certificate is limited to a certain period of time. Upon expiration of the certificate, all digital signatures created with its help lose their meaning, since it is impossible to determine whether the digital signature was created when the certificate was still valid or when its validity period had already expired. And this, in accordance with the federal law “On Electronic Digital Signatures,” automatically means the invalidity of the digital signature.

Therefore, only an EDMS integrated with a time stamp service deserves attention: such a service places a stamp in one of the system attributes, recording the moment the digital signature was created. With this solution, the digital signature can be checked against whether the certificate was valid at the time the signature was created, rather than at the time of verification.

However, this stamp is itself certified by the digital signature of the time stamp service, whose certificate also has a limited validity period. To mitigate this problem there is a standardized methodology that must be implemented in the EDMS. Its essence is that when the validity period of the time stamp service certificate is coming to an end, the EDMS requests a time stamp over the old certificate and a set of service information, signed under the new certificate whose validity period is just beginning. Thus, by virtue of the new certificate's validity, it can be proven that the old certificate was still valid at the moment of that re-stamping.
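An added illustration, not the article's code, of the check described in the two preceding paragraphs: a signature carries a chain of stamps, every certificate is judged at the time of the stamp that vouches for it rather than at verification time, and a re-stamp taken while the old service certificate is still valid keeps the chain verifiable. The certificate fields, the stamp format (covered data followed by an RFC 3339 time) and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// Cert is a simplified key certificate (a constructed model, not X.509); Party adds its private key.
type Cert struct {
	Pub                 ed25519.PublicKey
	NotBefore, NotAfter time.Time
}

func (c Cert) ValidAt(t time.Time) bool { return !t.Before(c.NotBefore) && !t.After(c.NotAfter) }

type Party struct{ Cert Cert; priv ed25519.PrivateKey }

func NewParty(from time.Time, years int) Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Cert{pub, from, from.AddDate(years, 0, 0)}, priv}
}

// Stamp is a time stamp token: the service signed (data || time) under its own certificate.
type Stamp struct {
	Time time.Time
	TSA  Cert
	Sig  []byte
}

func stampInput(data []byte, t time.Time) []byte {
	return append(append([]byte{}, data...), t.UTC().Format(time.RFC3339)...)
}

// SignedDoc holds the content, the signer's signature and the stamp chain: Stamps[0] covers the
// signature, each later stamp covers the previous service's key and stamp (re-stamping before expiry).
type SignedDoc struct {
	Content []byte
	Signer  Cert
	Sig     []byte
	Stamps  []Stamp
}

func (p Party) SignDoc(content []byte) SignedDoc {
	return SignedDoc{Content: content, Signer: p.Cert, Sig: ed25519.Sign(p.priv, content)}
}

// coveredByStamp returns the bytes that stamp number i must cover.
func coveredByStamp(doc SignedDoc, i int) []byte {
	if i == 0 {
		return doc.Sig
	}
	return append(append([]byte{}, doc.Stamps[i-1].TSA.Pub...), doc.Stamps[i-1].Sig...)
}

// Renew obtains a stamp from service tsa over the newest link of the chain at time at.
func (doc *SignedDoc) Renew(tsa Party, at time.Time) {
	sig := ed25519.Sign(tsa.priv, stampInput(coveredByStamp(*doc, len(doc.Stamps)), at))
	doc.Stamps = append(doc.Stamps, Stamp{Time: at, TSA: tsa.Cert, Sig: sig})
}

// VerifyAt judges the document as of now. Each certificate (the signer's, then each service's) is
// checked at the time of the stamp that vouches for it, never at verification time; only the newest
// service certificate must be valid now. An unstamped signature, or a renewal taken after the
// previous service certificate expired, therefore fails.
func VerifyAt(doc SignedDoc, now time.Time) bool {
	if len(doc.Stamps) == 0 || !ed25519.Verify(doc.Signer.Pub, doc.Content, doc.Sig) {
		return false
	}
	prev := doc.Signer
	for i, st := range doc.Stamps {
		if !prev.ValidAt(st.Time) || !st.TSA.ValidAt(st.Time) ||
			!ed25519.Verify(st.TSA.Pub, stampInput(coveredByStamp(doc, i), st.Time), st.Sig) {
			return false
		}
		prev = st.TSA
	}
	return prev.ValidAt(now)
}
```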

Archival copy of the electronic document

The EDMS should allow a system participant to receive an archived copy of a signed electronic document, which can be presented as evidence in the event of a conflict situation. Of course, security policy restrictions regarding confidential documents must be taken into account.

Creating a digital signature under a document

The user must perform this action consciously; signing a document automatically is not permitted. The system must ask whether the user wishes to sign the document. Many existing EDMS do not give this due attention. Worse, some developers, carried away by automation, deliberately implement automatic affixing of an electronic signature to a document, which is an entirely wrong approach.

Delegation of authority

A separate issue is the delegation of official powers from one user of the system to another. Very often, managers transfer their right to sign an electronic document to a trusted person while simultaneously signing a paper copy of the document, which in this case is the original. The question is not a simple one. Qualified legal advice should be obtained on the cases in which delegation is permissible and does not contradict current legislation, and on how this fact should be documented. Simply handing your private key to another employee so that they can create an electronic signature is unacceptable, since such a situation is treated as a compromise of the key, and the digital signature obtained under the document is therefore not legitimate.

In terms of EDMS implementation, delegation is technically realized as the issuance by a certification center of special certificates with a limited scope of application (indicated in the relationship information) and a limited validity period; at the same time, the digital signature details indicate from whom these powers are delegated. For many readers the term “relationship information” will almost certainly seem strange. It refers to a property of a certificate that limits the scope of its application: for example, an employee has the right to sign a memo but not a financial document.

The EDMS business logic must distinguish certificates issued for delegation of authority. Check that these capabilities are supported by the EDMS and its supporting infrastructure.

Implementation of electronic digital signature in an organization: success factors

Regulations

To ensure the legal significance of electronic documents, the organization must develop and approve regulations for the use of digital signatures. Their development should be entrusted to qualified specialists, with lawyers involved as consultants. At the same time, the company's internal regulatory framework must be brought up to date so that the new regulations do not contradict other regulations. For public authorities, in addition to the above, the digital signature tools and the certification center must be certified in the manner prescribed by law.

Awareness

Participants in the electronic document management system must have a good understanding of what a digital signature is, how to use it and what it gives them. This can be ensured by holding seminars on the use of digital signatures for department heads; the managers must then inform their subordinates of the benefits the company and each employee receive from the implementation of digital signatures.

In-house or third-party?

When deploying an EDMS with digital signature in an organization, it is necessary to decide which public key infrastructure to use: whether to deploy your own (internal) or resort to the services of a third-party company (external).

As a rule, large companies and holdings implement PKI on their own, i.e. the services are internal. This solution has a number of advantages, since it allows full control over the functioning of the PKI. For medium-sized organizations it may be economically feasible to use the services of other companies; in this case an agreement for the provision of certification center and time stamp services is concluded between the organization and the supplier company.

For geographically distributed organizations, it may be advisable to use their own hierarchical structure of certification authorities. In this case the certification authority will have a root and subordinate registration authorities. Technically, registration authorities are equipped with hardware and software systems that implement the functions of working with key certificates. In a hierarchical CA structure, each registration authority (the node to which end users connect) has its own key certificate, issued and signed by a higher-level registration authority. The root registration authority uses a key certificate signed with its own private key (a so-called self-signed certificate), since it has no higher registration authority. The installation of the self-signed root registration authority certificate must follow a procedure that prevents substitution of this certificate.

Factors influencing the success of implementing EDMS with digital signature

Organizational

· Understanding why digital signature is needed and what benefits can be obtained from its use.

· Information security policy.

· Paperwork regulations.

· Regulatory and legal framework for the use of digital signatures in EDMS.

· Qualified information security specialists.

Technical

· The organization has deployed a public key infrastructure or has an agreement with a third party for the provision of certification center services.

· Time stamp service deployed.

· A trusted execution environment for EDMS software is provided on user workstations and servers.

· Necessary cryptographic protection means have been deployed at workplaces.

In addition, it is necessary to take into account the number of requests received by the certification center per unit of time, and calculate the performance of network equipment in order to ensure acceptable request processing time.

Selection of PKI components

An important step is to determine the criteria by which PKI components should be selected. It is necessary to study the public key infrastructures on offer: software certification authorities, hardware-and-software or software-only implementations of time stamp services, and hardware-and-software or software-only crypto providers. The choice of components is not very wide, and it is quite possible to obtain professional advice. Keep in mind that existing imported hardware and software systems do not support Russian cryptographic algorithms. Support for these algorithms will be needed if EDMS certification is required.

Practical experience of implementing EDMS shows that the most pressing issue is organizing the deployment of a time stamp service, which consists of two parts: a time stamp server and a trusted time source. The specific implementation of the service depends on the organization's need for long-term storage of electronic documents signed with a digital signature. Typically, the time server with which the service must periodically synchronize is external to the organization and thus becomes a “point of failure,” so access to a backup trusted time server must be arranged. At the moment, the issue of a trusted time source at the state level has not been resolved in any way.

Selecting an EDMS

Having decided on the infrastructure, you need to spend considerable effort on choosing an EDMS, since there are many offers. The fundamental requirements for an EDMS have already been discussed above; here we note the following.

The developers of the vast majority of EDMS on the market claim that they support legally significant electronic document management, but everyone interprets this term in their own way. For example, an electronic signature is affixed without the use of time stamps, yet the document is declared legally significant. As a rule, a claim of support for legally significant document flow is an exaggeration, since many important issues regarding the use of digital signatures remain unresolved. One should therefore be critical of such claims and clarify what a specific EDMS manufacturer understands by legally significant document flow.

It is advisable to choose an EDMS supplier who has experience in developing regulations for the use of digital signatures.

In many cases, the EDMS does not have the means to resolve conflict situations related to the validity of digital signatures or denial of authorship, which technically does not allow presenting evidence in court. The EDMS must have a clear procedure for dealing with conflict situations and presenting evidence to a third party.

It is possible that a decision will be made to order the development of a system or to significantly modify the existing EDMS in the organization. The latter approach is not much different in terms of labor intensity from custom development, but is significantly inferior in the effectiveness of the solution.

Implementation management

Implementation should be preceded by the development of an organizational strategy. This document should clearly formulate the goals of implementing an EDMS and define the principles of construction and the stages of implementing an EDMS in the organization. Deployment of digital signatures is an integral part of the process of implementing an EDMS, and it is not recommended to treat it as an independent process. The implementation of an EDMS is a responsible matter and should be approached with special care.

When implementing an EDMS, the development of a regulatory framework is very important. This process is carried out in stages (in parallel with the implementation of the system itself), taking into account the peculiarities of office work in the organization and the selected EDMS.

As practice shows, an electronic digital signature can be implemented painlessly if the digital signature is an integral part of the system architecture. The company will receive an unconditional benefit even if the electronic digital signature is implemented only partially in the EDMS, for example in such subsystems as “contract management”, “cash applications”, etc., but the maximum benefit from the electronic digital signature can only be obtained with its full-scale deployment.

Trust in infrastructure

Ensuring trust in the external environment of the EDMS is a key point in the deployment of digital signatures in the organization. Particular attention should be paid to the trusted (i.e., protected against substitution) installation of the self-signed root registration authority certificate at the user's workplace.

It is also advisable to provide a trusted environment in which the EDMS will operate. To obtain a fully trusted environment, a number of hardware and software components are required (they can be connected gradually), which provide:

  • trusted loading of the operating system, for example, using an “electronic lock”;
  • regular updating of anti-virus software (both on the organization’s servers and on workstations);
  • centralized installation of software at user workstations.

It is also necessary to obtain guarantees from EDMS developers that there are no undocumented functions in the system.

If all these issues are carefully worked out, then the organizational and technical difficulties of the process of introducing digital signatures will be minimal.

Conclusion

Initially, EDMS were designed without taking into account the use of digital signatures; they modeled work with paper documents, which organizations did not intend to abandon. As they realized that digital signatures needed to be used, developers began to integrate digital signature functions into existing EDMS, considering them as additional. However, the result was solutions with limited capabilities, since the full integration of digital signatures required too many modifications in existing systems.

Today, at the next stage of information technology development, developers of newly created EDMS no longer consider digital signatures as some kind of addition and take into account the need for its use already at the stage of developing the system architecture.

World experience in the development of electronic digital signatures shows that the prospects for the use of digital signatures in electronic document management and related areas are very impressive. Technologies for stream scanning and graphic image recognition are developing rapidly, which makes it possible to convert almost any paper document into electronic form and provide effective full-text search over it. PKI is developing. Combined with the general trend towards faster decision-making on documents and the need for legally significant electronic documents, this means that electronic digital signatures are becoming more in demand than ever before.

Electronic document management

Electronic document management is a documentation management system in which the entire array of created, transmitted and stored documents is supported by information and communication technologies on computers integrated into a network structure that provides the ability to create and maintain a distributed database. This does not exclude the use of paper documents, but priority is given to an electronic document created, corrected and stored on a computer.

In addition, electronic document management is a high-tech solution to the problem of increasing the efficiency of any organization, primarily design, engineering, construction, scientific, repair and maintenance organizations. Automatic tracking of the movement of information flows within the enterprise, as well as of the procedure for transferring confidential information, can significantly reduce the labor costs of office workers. End-to-end control of execution at all stages of work contributes to the timely preparation of documentation and a significant increase in the quality of the performers' work.

Information computer technologies form the basis of solutions that provide centralized automated knowledge exchange and allow you to extract only the necessary information from all available sources.

A document automation system, or electronic document management system (EDMS), is an automated multi-user system that supports the process of managing the work of a hierarchical organization so as to ensure that the organization fulfills its functions. It is assumed that the management process is based on human-readable documents containing the instructions that employees of the organization need in order to act.

Basic principles of electronic document management:

Single registration of a document, allowing you to uniquely identify the document;

Possibility of parallel execution of operations, allowing to reduce the time of movement of documents and increase the efficiency of their execution;

Continuity of document movement, allowing to identify the person responsible for the execution of the document (task) at each moment in the life of the document (process);

A unified (or coordinated distributed) database of document information, which eliminates the possibility of duplicating documents;

An effectively organized document search system that allows you to find a document with minimal information about it.

Electronic digital signature, electronic signature and digital signature (concepts, differences). Electronic digital signature (concept, types, features and limits of use)

Electronic digital signature (EDS) is a sequence of characters obtained as a result of a cryptographic transformation of electronic data. The digital signature is added to the data block and allows the recipient of the block to verify the source and integrity of the data and to protect against forgery. EDS is used as an analogue of a handwritten signature.

A document certified with an electronic digital signature (EDS) is considered to belong to the relevant Party if it is signed with an EDS.

EDS is intended to authenticate the person who signed the electronic document. In addition, the use of a digital signature makes it possible to:

control the integrity of the transmitted document: in case of any accidental or intentional change to the document, the signature becomes invalid, because it is calculated from the original state of the document and corresponds only to it;

protect against changes (forgery) of the document: the guarantee that forgery is detected during integrity control makes forgery impractical in most cases;

prove the authorship of the document: since a correct signature can be created only with knowledge of the private key, which should be known only to its owner, the owner of the key pair can prove his authorship of the signature under the document. Depending on the details of the document definition, fields such as “author”, “changes made”, “time stamp”, etc. may be signed.

All these properties of the digital signature allow it to be used to participate in electronic auctions, as well as signing documents for participation in public procurement tenders.

The CA generates a private key and its own certificate, generates end-user certificates and certifies their authenticity with its digital signature. The center also revokes expired and compromised certificates and maintains databases of issued and revoked certificates.

Electronic signature (ES) is an attribute of an electronic document that makes it possible to establish that the information in the electronic document has not been distorted since the moment the document was generated, and to verify that the signature belongs to the owner of the electronic key certificate. The value of the attribute is obtained as a result of a cryptographic transformation of information using the private key of the electronic signature. In Russia, Federal Law No. 63-FZ of April 6, 2011 replaced the name “electronic digital signature” with the words “electronic signature” (abbreviation “ES”).

Types of electronic signatures:

Article 5 of the Law on Electronic Signatures establishes the following types of electronic signatures regulated by the Law: the simple electronic signature and the enhanced electronic signature. An enhanced electronic signature, in turn, can be qualified or unqualified. These types of identification of participants in legal relations in the field of electronic document management differ in reliability and in the complexity of obtaining them.

The new Law establishes that a simple electronic signature is a signature that, through the use of codes, passwords or other means, confirms the fact of its formation by a certain person (Clause 2 of Article 5).

For enhanced electronic signatures, the Law sets more stringent requirements. Thus, an unqualified electronic signature must meet the following criteria:

1) obtained as a result of cryptographic transformation of information using an electronic signature key;

2) allows you to identify the person who signed the electronic document;

3) allows you to detect the fact of making changes to an electronic document after it has been signed;

4) created using electronic signature tools.

The developers of the Electronic Signature Law took these features from EU Directive No. 1999/93/EC (clause 2 of Article 5).

1) a qualified certificate has been received, which indicates the verification key for such an electronic signature;

2) to create and verify an electronic signature, electronic signature tools are used that have received confirmation of compliance with the requirements established in the Law on Electronic Signatures.

A digital signature is a block of data generated using some private key. Using the corresponding public key, one can verify that the data was actually generated with that private key. The signature generation algorithm must ensure that, without the private key, it is impossible to create a signature that turns out to be correct when verified.

Digital signatures are used to confirm that a message actually came from a given sender (assuming that only the sender has the private key corresponding to his/her public key). They can also be used to certify that a document belongs to a certain person.

A digital signature also includes a timestamp in the document; this essentially means that the time the document was signed is part of that signature. Therefore, if someone tries to change the document, it will be detected when checking the signature. Some email programs, such as Exmh or KMail included with KDE, provide the ability to sign documents using GnuPG directly from the program interface. Two types of digital signatures are used: clearsigned documents (explicitly signed) and detached signatures (stored separately). Both types of signatures provide the same degree of authenticity protection and do not require the recipient to decrypt the entire message. A digital signature is placed on digital documents in the same cases as on paper ones.

Digital signatures help verify the following:

Authenticity - A digital signature helps ensure that the person signing is who they really are.

Integrity - A digital signature helps ensure that the contents of a document have not been altered or tampered with since the digital signature was entered.

Non-repudiation - a digital signature helps prove to either party the authorship of the signed content. "Denial" means that the owner of the signature denies any connection with the signed content.

To fulfill these guarantees, the creator of the document must certify its contents with a digital signature that meets the following requirements:

The digital signature is valid. This means that the certificate for that digital signature is valid (not expired), and that the person or organization that provided the digital signature, called the publisher, is the legal owner of the digital signature;

The digital signature certificate was issued to the publisher by a competent Certification Authority.

Legal status of documents with digital signature under Russian legislation

The adoption of Federal Law No. 63-FZ of April 6, 2011 “On Electronic Signatures” (hereinafter the Law on Electronic Signatures, or the new Law) significantly changes the legal regulation of relations connected with the signing of electronic documents. Previously, these relations were regulated exclusively by Federal Law No. 1-FZ of January 10, 2002 “On Electronic Digital Signatures” (hereinafter the EDS Law), which will cease to be in force on July 1, 2012; however, certificates of electronic digital signatures (hereinafter EDS) issued in accordance with that normative act can continue to be used.

The EDS Law, in principle, does not allow EDS certificates to be issued to legal entities, despite the fact that these participants in circulation are the ones who most often use electronic documents. The Law on Electronic Signatures removes this limitation, which should contribute to the wider adoption of electronic signatures in Russia.

The scope of application of electronic signatures is also expanding: they can now be used not only when making civil transactions (Clause 2 of Article 1 of the EDS Law), but also when providing state and municipal services, as well as “when performing other legally significant actions” (Article 1 of the Law on Electronic Signatures).

The Law on Electronic Signatures came into force on April 8, 2011. It allows the use of any information technology encryption means and any cryptographic technical devices, provided that they meet certain reliability requirements (Clause 2 of Article 4 of the Law).