However, the principle of electronic signature can not be explained intuitively and simply by the above technical terms. The following briefly introduces how to ensure the security and confidentiality of electronic signatures through the process of recovering electronic signatures:
Situation: due to business needs, you and I need to sign a cooperation agreement. For your convenience, you will send the prepared electronic contract online to me for signature.
How to ensure that the contract can only be viewed by myself and not be maliciously stolen by others? How can I be sure that the sender of the document is you?
Key point 1: Public key and private key appear. In order to meet the confidentiality of electronic contract content and the requirements of sender authentication, we know the encryption method of asymmetric encryption.
Asymmetric encryption: it has a pair of unique keys, a public key and a private key. The public key is visible to everyone, while the private key is only visible to itself.
The characteristic of asymmetric encryption is that files encrypted with public key can only be decrypted with private key, and files encrypted with private key can only be decrypted with public key.
When sending the contract, you will encrypt the proposed electronic contract with your private key; When you receive the contract, if you can decrypt it with your public key, it means that you sent this file.
But how do I know your public key?
Point 2: The government provided a CA to help me. I understand that the government has authorized an authoritative organization called CA to provide network identity authentication services.
CA (Certificate Authority): the full name of the certificate issuing authority, that is, the application, issuance and management institution of digital certificates. Its main functions are: generating key pairs, generating digital certificates, distributing keys, managing keys, etc.
Digital certificate: It is a certificate issued by CA organization, which contains information such as public key, owner name of public key, digital signature of CA, validity period, name of authorization center, serial number of certificate, etc. It can be popularly understood as the "network identity card" of an individual or enterprise.
I apply to CA for your public key, and use it to decrypt the electronic contract. If the decryption is successful, it means the sender is you. The identity of the sender of the document has been confirmed, so how to ensure that the electronic contract has not been tampered with during transmission?
Key point 3: Hash brothers appear, and a technician recommends the Digest Algorithm, which can prove whether the electronic contract has been tampered with during transmission.
Hash algorithm: the text content generates code through encryption algorithm, that is, information summary. Its main feature is that the encryption process does not need a key, and the encrypted data is irreversible. In other words, only two identical contracts can get the same digest through the same hash algorithm.
When you send the contract, you send me the original electronic contract and the hashed summary. When you receive the contract, you can get a new summary by hashing the original contract. Comparing the consistency of the two abstracts can prove whether the documents I received have been tampered with.
However, what if the original and abstract of the file are replaced at the same time during transmission?
Point 4: Symmetric encryption helps. In addition to the above hash algorithm, asymmetric encryption and CA, in order to ensure that the contract meets three requirements from sending to receiving, that is, it can only be sent to me and cannot be tampered with, we also need to apply a new encryption method: symmetric encryption.
Symmetric encryption: The encryption method of single-key cryptosystem is adopted, and only one password can be used for information encryption and decryption.
When sending files:
1, you get the original abstract through hash operation and encrypt it with the private key to get your digital signature, and then encrypt the digital signature and the original contract symmetrically to get the ciphertext A- encrypted original.
2. Then get my public key through CA, and asymmetrically encrypt the key encrypted symmetrically in the above step, which is my "digital envelope"-encryption key.
3. Send me the ciphertext A together with my digital envelope.
Digital signature: extract the abstract of the source file by hash algorithm and encrypt it with the sender's private key.
Digital envelope: encrypt the symmetric key with the public key of the receiver ",which is called" digital envelope for B ".
When receiving a file:
1. I use my private key to decrypt the digital envelope and get the symmetric key-it can be unlocked, which means it is sent to me.
2. Then decrypt the ciphertext A with the symmetric key to obtain the original text with your digital signature.
3. Decrypt your digital signature with your public key to get the original abstract of the signature-it can be decrypted, indicating that the sender is you.
4. Use the same digest algorithm to get the original digest, and compare it with the digest in the decrypted signature-the digest is consistent, which shows that the original digest has not been tampered with.
In addition to the document content can not be tampered with, it is also important to accurately record the signing time and fix the validity period of the contract. How to ensure that the signing time of the contract cannot be tampered with under the network environment?
Key point 5: Time stamp proves that I consulted experts again. It turns out that our country also has a legal time service center to determine the time, which can affix a "time stamp" on the documents we signed, that is, a time stamp.
Time stamp: The time of signing the document in written form is written by the signer himself, and the digital time stamp is added by the third-party certification unit (DTS), which is more accurate and reliable based on the time when DTS receives the document.
At this point, the time record of signing the contract is accurate, the contents of the contract cannot be tampered with, and the identities of both parties are true and valid. This is no problem! However, how to store the signed electronic contract? No matter which party signs it, disputes will inevitably question the safety of the contract during storage.
Point 6: find an authoritative third party to deposit the certificate. It is said that there is a special third-party electronic data depository, which can store the signed electronic contract data. When both users dispute the contract content, they can apply for a credible certificate.
The last problem of signing a contract: the storage problem has also been solved! But the only drawback is that the signing process is too troublesome! In order to ensure the validity of electronic contract, we use asymmetric encryption, hash operation, timestamp and other technologies, and also need the assistance of CA institutions, notary offices and other institutions;
How to sign an effective electronic contract more simply and quickly?
Point 7: Choose a reliable third-party electronic contract platform According to the provisions of the Electronic Signature Law, an electronic contract signed with a reliable electronic signature has the same legal effect as a paper contract signed or sealed by hand.
According to the provisions of the Electronic Signature Law, an electronic signature is considered to be reliable if the following conditions are met:
1) When electronic signature production data is used for electronic signature, it belongs to the electronic signer.
2) When signing, the electronic signature production data is only controlled by the electronic signer.
3) Any changes to the electronic signature after signing can be found.
4) Any changes to the content and form of the data message after signature can be found.
Combined with the above-mentioned electronic contract signing process, we can draw a conclusion that an effective electronic contract should pay attention to the following core points: content confidentiality, content tamper prevention, clear signing identity and clear signing time.
At the same time, in order to ensure the evidential ability of electronic contracts as written forms, the whole process of contract signing should also be stored and notarized by authoritative third-party institutions.
The Ministry of Commerce pointed out in the "Process Specification for Concluding Electronic Contracts on the Internet": "Only through the electronic contract conclusion system of the third party (electronic contract service provider) can the fairness of the process and the effectiveness of the results be guaranteed".