OneSpan Trust Vault: Long-term integrity for electronic signatures

Guy Harrison,

Signed agreements are the lifeblood of many companies, and can be critical to a company’s financial operations. In many cases, signed agreements represent a significant portion of a company's assets and liabilities.

Electronic signature solutions provide a convenient, efficient, and safe way of executing contracts and other signed agreements digitally, and use the same reliable, certified, and tested encryption that underpins privacy and security across the web. Yet the special challenge for electronic signatures is that they must stand the test of time, especially as digital agreements will need to remain valid across extended timescales.

Some digital agreements, such as loan agreements, may be enforced over decades and have a monetary value in the thousands or millions of dollars. As time passes, the certificates used to sign the documents could expire, be hacked, or be invalidated by future technologies.

As we charge forward into this digital reality, we need an approach to effectively protect digital agreements for the long term without creating more work for every party involved. We need to ensure that the integrity of digital agreements can be established not just today, but decades into the future.

Embracing the evolution of electronic signatures

Electronic signature security starts with a digital agreement. This is typically a PDF document, into which an electronic signature vendor inserts cryptographic proofs that attest to the participant's signatures and signing dates. This means the e-signature vendor's signature confirms the validity of the identities, consent, and dates of the digital agreement.

This signed agreement contains details of the authentication mechanisms used and a signed cryptographic hash of the document. The “signed hash” is cryptographically signed using the e-signature platform's private key and can be validated by anyone utilizing the platform's public key.

So, how does someone looking at a digital agreement know that the signature from the signing platform is valid?

The answer lies in the chain of trust security model, which is embedded in our modern digital tools, including all web browsers and most PDF viewers.

The chain of trust allows verification of a digital signature by reference to a trusted Certificate Authority (CA) such as Verisign, DigiCert or EnTrust. The “root” certificates for these trusted entities are pre-installed in most operating systems and web browsers and are implicitly trusted by the software. The digital certificate of the eSignature vendor is signed by this root certificate or, more commonly, by an intermediate certificate signed by the root certificate. The “chain” of certificates allows you to trust the certificate of the eSignature vendor, providing you trust the root certificate of the Certificate Authority.

Threats to digital agreements and chain of trust security

For short-term traffic – HTTPS communications with a web server, for instance – the chain of trust alone will normally be sufficient security. However, for documents that must remain valid over extended time periods, the following challenges arise:

  1. Private keys. The private keys that secure the root and intermediate certificates are hot targets for hackers, and certificate authorities go to great lengths to keep these keys secret. However, no security system is immune from penetration, and there have been some notable cases in which private keys for root certificates have been exposed. Should a root certificate be compromised, thousands or millions of electronic signatures could be voided.
  2. Expiration dates. All digital certificates include an expiration date, after which they should not be used. Unless we know for certain that an eSignature was created before the certificate expired, we cannot trust that the signature is valid. Trusted (or qualified) timestamps offer a partial solution here; they embed signatures from a Trusted Timestamp Authority (TSA) attesting to the signature time. However, a TSA will identify itself using the same chain of trust mechanism as the eSignature vendor, so these trusted timestamps may also rely on expired certificates.
  3. Technology evolution. Future technologies may be able to break today’s cryptography. It is widely believed that a quantum computer will be able to “break” today’s RSA-based digital certificates within 5-10 years. When this happens, it will be impossible to validate agreements created with today’s RSA-based signatures. Although quantum-safe alternatives to RSA should be available well in advance of such a quantum computer, electronic signatures created today might be invalidated by a quantum computer before their intended expiration.

Creating durable digital agreements with blockchain

Standards bodies and electronic signature vendors have been aware of these challenges to long-term electronic signatures for some time, and some jurisdictions have created standards to enable trust for long-term digital agreements.

For instance, the EU PAdES-B-LTA standard requires that timestamps from a TSA be applied before the expiration of any digital certificate – including the digital certificates involved in the creation of these timestamps. PAdES-B-LTA "targets the long-term availability and integrity of validation material, and if appropriate measures are put in place (e.g., periodical timestamping), a signature at this level could still be validated long after the cryptographic algorithms used for its creation are no longer considered secure enough, or more simply after the expiration of the validation data."

PAdES-B-LTA is a well-thought-out and valuable standard. However, it doesn’t solve all our problems for two main reasons:

  • Because timestamps themselves are based on digital certificates with relatively short expiration dates (typically under two years), it would be necessary to apply new timestamps to agreements every year or two. This poses economic and practical obstacles that most signatories would rather not address.
  • Until quantum-safe algorithms are developed and adopted by timestamping authorities, the timestamps will most likely be rendered invalid by future quantum computing technology, hence compromising the digital agreements’ validity.

What we need is a way of applying a timestamp to the original electronic signature that is quantum-safe and will not expire. Such a signature could be used to prove that the electronic signature was created before the expiration of the digital certificates and before any quantum computing attack was possible.

Blockchains, referred to as Distributed Ledger Technology (DLT), provide an immutable record of transactions that cannot be altered by any known practical technology. Although almost all blockchains need to migrate their authentication systems before the emergence of a quantum computer, historical blockchain records are quantum-safe – a quantum computer will never be able to rewrite public blockchain historical records.

Consequently, a cryptographic hash of a signed digital agreement placed on a public blockchain can constitute absolute proof of the agreement's existence at that specific date and rule out any fabrication of the agreement using compromised digital certificates after that date.

How OneSpan Trust Vault strengthens the integrity of long-term digital agreements

The combination of OneSpan Sign with Trust Vault creates quantum-safe cryptographic hash signatures for all documents stored in the vault and posts a digest of these hashes to a publicly assessable blockchain. These blockchain digests can be used to definitively prove the contents and timestamp of the document, as well as the date of any digital signatures included within the document.

If a signing certificate has been compromised or expired after signing, these timestamps prove that the signature was created before that event, allowing us to trust these signatures in the future.

As a result, digital agreements created using OneSpan Sign with Trust Vault have the greatest possible long-term protection against any future threat to the digital signatures that underlie the agreements.

By enabling digital agreements, today’s eSignature technology has allowed us to execute business, public, and personal agreements with greater efficiency, convenience, and security.

When you have a digital agreement that needs to stand the test of time, a solution that combines traditional digital signature technology with quantum-safe, un-hackable timestamping – such as can be provided only by blockchains – is required. This is where OneSpan Sign’s Trust Vault comes into play.

Get in touch to discuss adding Trust Vault to your existing electronic signature workflow, or request a demo to get started today.

OneSpan Trust Vault provides secure, long-term storage for eSigned contracts and digital agreements.

Introducing OneSpan Trust Vault: Quantum-safe blockchain storage

Immutable digital storage solution helps guarantee the integrity and long-term viability of documents, now and in the future.

Learn more

Guy Harrison is Innovation Architect at OneSpan and was the CTO and founder of ProvenDB, which was acquired by OneSpan in 2023. Guy is the author of numerous books on database and application technologies and writes the Emerging Technologies column for Database Trends and Applications.