Hello, dear readers of the Bablolab business magazine. When working with letters and contracts, you must always be sure that the information is reliable and obtained from a trusted source. Let's look at how to get an electronic signature, what it is and where to use it. In the past, stamps and manual receipts were used for this, but now modern cryptographic algorithms are used. From the article you will learn the following:
- What is an electronic digital signature (EDS) and what does it look like?
- Where and how to obtain a signature for an individual?
- How to install a digital signature certificate on your computer for beginners?
Let's start learning and go through each issue in as much detail as possible.
What does the digital signature look like on a document?
An electronic signature is a unique sequence of characters. It acts as a mandatory requisite placed on official electronic documents. Reliable cryptographic methods and mathematical calculations are used to generate the signature, and the software is FSB certified.
There are 3 types of digital signature:
- simple;
- unskilled;
- qualified.
A simple electronic signature (SES) is a code or password created by the system and sent to the user’s phone or email address. Typically used on websites to confirm an action. An unqualified signature (NES) differs in that it requires confirmation of the client's identity and is formed using a cryptographic transformation.
The most reliable is a qualified digital signature (QDS). It is confirmed by a verification certificate, has a private and public key, and gives the document full legal force.
A key certificate is a file with a .crt extension that contains information about the owner, the certificate's thumbprint, and the validity period of the signature.
An electronic signature on a document looks like:
- a sequence of letters or numbers that corresponds to the key specified in the certificate;
- a graphic picture or stamp indicating the signature of the certificate owner.
The most reliable is the invisible ES, which is not visually detected. It is used when creating MS Word, Excel documents, and is generated automatically. You can determine its presence by the mark that appears in the “status” column.
An example of what an enhanced qualified electronic digital signature looks like is an extract from the Unified State Register of Legal Entities certified by the Federal Tax Service. The signature here is a stamp indicating the certificate number, owner, and validity period of the electronic signature.
Sample:
What does a document signed with digital signature look like:
List of documents for obtaining a digital signature
For individual entrepreneurs:
- Fill out an application;
- OGRNIP (main state registration number of individual entrepreneurs)
- TIN;
- Extract from the register of entrepreneurs (no more than 6 months);
- Receipt of payment (issued by the certification authority).
Legal entities need to put together a larger package:
- OGRN;
- TIN;
- Completed application;
- Unified State Register of Legal Entities (USRLE) – the statute of limitations is no more than 30 days;
- Passport;
- SNILS;
- Receipt of payment.
Individual, for a qualified signature:
- Original passport;
- Receipt of payment.
If the signature is in the name of an employee, then you need to obtain a power of attorney and an order of appointment to the position. The director must also provide an order of appointment.
Prices for services
Prices are on average approximately the same. For an individual, the cost is determined in the range from 500 to 2000 rubles. And for legal entities and individual entrepreneurs, the digital signature is selected according to the number of available privileges.
On average, one good certificate for specific tasks will cost 2000-3000 rubles. A complete set costs from 5,000 to 10,000 rubles. Often, in addition to this amount, you have to buy USB keys (ordinary flash drives) for a separate fee for 500-1000 rubles apiece.
What does the stamp on ED imaging include?
According to GOST R-7.0.97-2016 dated July 1, 2018, the electronic signature form must contain a new form with the “electronic signature mark” attribute. It is mandatory for any ED when it is visualized, scanned or printed in the place where a signature is usually affixed on paper by hand.
The mark is placed on a document signed with an electronic signature, which is:
- printout of the electronic contract;
- printout of the protocol of consideration of applications and their assessment for participation in bidding on the ETP;
- responses to requests from regulatory authorities.
The electronic signature stamp must include the following details:
- signature key certificate number;
- Full name of the owner of the digital signature;
- expiration date of the certificate;
- a phrase stating that the document is signed by an electronic signature.
Additionally, the stamp may contain the following emblem:
According to the requirements of the standard, the electronic signature mark must be readable, and its elements must not intersect or overlap each other.
How to mark
Typically, two options are used to mark an electronic signature:
- making a stamp and then inserting it into copies;
- setting up a signature in MS Office.
To set up a digital signature via MS Office, in an open document, go to the “Tab” submenu and select “Signature Line”:
Next, select “signing”:
If a stamp is made, then it is inserted into the copy in the usual way by inserting a picture or drawing and placed in the desired place.
Simple electronic signature
- This is a signature that, through the use of codes, passwords or other means, confirms the fact of the formation of an electronic signature by a certain person.
For example, a combination of login and password when sending an email is a simple electronic signature confirming that the email was sent by a specific person.
A simple electronic signature is contained in the electronic document itself . The simple electronic signature key is used in accordance with the rules established by the operator of the information system with the help of which the electronic document is generated, and the created document contains information indicating the person on whose behalf it was created.
Thus, for example, all users of Sberbank Online and Russian Post have a simple electronic signature, where identification requires entering a login and password.
A simple electronic signature cannot be used when signing electronic documents containing information constituting a state secret, or in an information system containing information constituting a state secret.
What is a time stamp
Clients of the CryptoPro TSP system can additionally receive time stamps. The signed data is the hash function value and the time the stamp was affixed. The requisite is associated with the ED for which it was issued and ensures its integrity.
To issue a stamp and implement a service based on CryptoPro, you need to create a separate TSP server and add CryptoPro TSP Client to the workstation software.
Advantage of time stamp:
- recording the time of ED creation;
- recording the time of digital signature formation;
- recording the time of the ED processing operation;
- long-term storage of digital signature (even after the expiration of the user’s digital signature certificate).
When opening a document and viewing information about the digital signature, the time stamp will look like this:
Working with the TSP protocol is simple, and is based on interaction with the server using the “request-response” type. The user creates a request, sending it to the server, and receives a response that contains the generated time stamp. If an error occurs, the response will contain an error code instead of a stamp.
Is compliance with GOST mandatory or not?
There is a GOST for electronic signature. In the unified register it is listed under number 7.0.97-2016. The standard contains rules for the generation of documents both in paper and electronic form, and addresses issues such as:
- location on the media of the necessary details;
- requirements for the creation and execution of electronic documentation, including the use of IT.
GOST rules are regulated by Article 26 of Federal Law 162 dated June 29, 2015. Article 6 of Federal Law 162 provides for the mandatory use of standardization documents for defense products, state. orders for goods and services used for data protection, as well as for providing information related to nuclear energy, etc.
Based on regulatory documents, GOST requirements on information standards are not mandatory and their non-compliance does not violate current legislation.
Special programs
CryptoARM and ViPNet CryptoFile software allows you to quickly sign and send pdf files. The services differ in functionality and installation, but are simple and straightforward to use.
CryptoARM
The universal program is designed to encrypt and decrypt information, verify electronic keys, and work with crypto providers using algorithms that meet FSB requirements. The starter version, where you can endorse pdf, Word and Excel documents, is provided free of charge.
The standard and basic variations provide for an additional fee:
- the ability to generate electronic signatures and check their correctness;
- encryption and decryption of files of arbitrary formats;
- support for advanced signature modules and other options.
CryptoARM is a program for electronic signature and encryption of files and documents.
Sighting using the program is carried out sequentially:
- Enter the program, select the “Sign” option in the menu.
- Read the instructions.
- Select the file you plan to work with (size – up to 100 MB).
- Leave the file encoding or change it according to your personal requirements.
- Select an electronic signature (detached or attached), add a property, comment, if necessary.
- Check the appropriate certificate.
- Save the profile if you need to create a template for signing several similar documents.
- Click “Done” and receive a notification about the completed operation.
ViPNet CryptoFile
The free software application allows you to sign archives, put digital signatures on images, tables, partnership agreements, text files. The disadvantage of ViPNet is the ability to add only one electronic impression.
Work with papers is carried out according to the following plan:
- find the required document in the main list;
- right-click to open the menu and select the “Sign” option;
- receive an output file with an automatically signed signature and a .sig extension.
ViPNet CryptoFile is a program for protecting files and transmitting them securely on the Internet.
Loss of legal significance of electronic signature
An official document has legal force and legal significance. The first term means that the document has legal consequences. Significance is a proof of business activity.
The Federal Law on Electronic Signatures specifies that in EDI a document is certified using special technologies and electronic signatures. To have legal force and serve as proof of action, the ED must have the following details:
- name;
- number;
- indicating the full name of the author of the signature, the name of the company and the person authorized to sign;
- date of compilation;
- signature.
The law also prescribes three types of electronic signature, the characteristics of each of them, legal force, method of receipt and validity period. According to the bill, only documents signed with a qualified electronic signature have legal force. The NEP gives legal force to e-documents if there is a separate agreement between the participants of the e-document flow.
The digital signature loses its legal force in the following cases:
- the signature was made by a person who does not have the right to act on his own behalf or on behalf of the organization;
- the ED does not contain all required details;
- the format and method of transmitting ED is not followed;
- the certificate will expire at the time of signing or verification of the ED;
- The electronic signature was used in violation of the information specified in the certificate.
The agreement between the EDF participants prescribes the requirements for recognizing the equivalence of documents with electronic signature and on paper, and their violation also leads to the loss of the legal significance of the document. Typically these include:
- mandatory sending of ED from a secure mailbox, access to which only the owner of the signature has;
- the public key must be enclosed in the letter;
- the mail service should have limited access.
The same conditions are used for corporate digital signature. Working with public postal services reduces the legal force of a simple signature and makes it impossible to use it to certify documentation.
Digital signature certificate - what is it in simple words
If a person decides to apply for a CEP, then he needs to contact a special center and leave an application. After collecting documents and generating a unique signature, a person also needs to receive his or her private and public key pair. Otherwise, this document is called a public key certificate.
digital signature certificate is an electronic document with information about the owner’s public key. Confirms that a given key pair belongs to a specific owner. Used as an additional guarantor of document authenticity.
It contains all the important information:
- Owner's full name;
- Organization;
- Validity;
- Regarding what CEP can be used;
- Public encryption key;
- Name of company;
- Unique key container and carrier;
- Signature of the recipient and authorized person.
The owner is given a special flash drive with an embedded electronic version of the certificate. It can be used to confirm your identity in various programs and services.
The certificate is valid for no more than 1 year. Therefore, after the expiration of the term, it is necessary to extend it or issue a new one. Otherwise, the signature loses its legal force.
How to install a digital signature certificate on a computer from a flash drive
Most large companies need to know for sure that the user is using proven equipment. To do this, the certificate is written to the device’s hard drive and linked to its technical characteristics. Similar methods are used in military and banking structures.
To install, we will need the CryptoPro CSP program. We launch it and go to the “service – view certificates in the container” section.
Click review and in the window that appears you need to select a root token (flash drive with an embedded certificate).
If all the data matches, the install button will appear, click on it and wait for the process to complete.
In some cases, the program cannot independently import a certificate from a flash drive. Then you need to do this manually, specifying the necessary folders for import.
If you have any problems with the installation, watch a short training video. It describes in detail how to use the program.
Copy the certificate to other devices
A USB Flash drive is, of course, convenient. however, it can get lost or fail at any time. Therefore, we recommend that you make a backup copy of your virtual identity in advance and place it in the computer registry. Plus, it’s extremely convenient when traveling; you don’t need to use storage devices every time. Turn on the computer and all documents are automatically signed on your behalf.
Open CryptoPro CSP and go to the “service” section. Click “copy”.
Next, you need to select the media and then get into copy mode. Here we select “Registry”, in this case all codes are written inside the operating system.
Now you need to install the identity on the system. This is done following the example from the previous section.
Except that at this stage we are taking in another drive. In the reader section there should be “registry”.
Now you don't have to use a flash drive every time. Each document will be automatically signed using the Windows registry.
Use of electronic signature in judicial practice
The use of an electronic signature sometimes complicates legal proceedings. The chief accountant can certify the statements instead of the manager, and the lawyer can certify the application for the court instead of the plaintiff. Similar violations occur when using client-bank software, when payment orders are not sent by the owner of the electronic signature.
When considering claims for unlawful debiting of funds from an organization’s current account, the court recognizes the correctness of the bank’s action, since the electronic signature is correct, and considers the transfer of signature rights to a third party as a violation of contractual relations and customer service rules.
A similar practice occurs when participating in electronic government auctions. If an organization does not sign a won contract in a timely manner, it is recognized as a party that has evaded concluding a contract and is entered into the register of unscrupulous suppliers. In judicial practice, there are also frequent cases when an organization is entered into the register because of a contract signed by a person who does not have the right to certify such documents.
In civil legal relations, disputes between counterparties arise about the legality of documents signed by electronic signatures of unauthorized persons. When making a decision, the court proceeds from checking the validity of the electronic signature certificate.
The legislation of the Russian Federation does not directly prohibit the transfer of electronic signatures to third parties with the consent of the owner, and in the event of controversial situations, the court recognizes the owner of the signature as the person who signed the document. All responsibility for the use of the digital signature lies with the owner of the certificate, and if the key is compromised, he is obliged to contact the CA with an application to suspend the signature. In controversial cases, such an appeal can serve as evidence of damage caused not by the owner of the signature, but by a third party.
The approach to CA accreditation is changing
The accreditation of certification centers will be tightened. They will need a license to conduct relevant activities, a larger authorized capital compared to current conditions, or a wide network of branches throughout the country.
Moreover, the attention of regulatory authorities will be drawn to the reputation of the management and owners of the CA. Therefore, ask in advance if there are any problems with the CA or its management with whom you are currently working.
Note! From 2022, the Federal Tax Service, the Central Bank and the Treasury will issue signatures to the heads of organizations.
You can check the center’s accreditation on the website of the Ministry of Digital Development. If the CA does not meet the new requirements, its accreditation will remain only until July 1, 2021.