LEGAL VALIDITY OF DIGITAL SIGNATURES
Nguyen Huy Hoang, Partner, BROSS & Partners
Email: hoang@bross.vn
Doan Thanh Binh, Associate, BROSS & Partners
Email: binh.dt@bross.vn
Along with the trend of digital transformation in the operation of the government as well as businesses, Vietnamese businesses are increasingly interested in and adopting digital signatures to save time and costs and to pursue their business goals more effectively.
Currently, Vietnam has a relatively adequate legal framework to facilitate the development of digital signature services and the use of digital signatures. This article will (i) introduce the basic characteristics of digital signatures and (ii) present some basic analysis of the legal validity of digital signatures under Vietnamese law.
1. What is a digital signature?
According to Decree No. 130/2018/ND-CP, digital signatures are defined as:
(1) a form of electronic signature[1];
(2) created by transforming a data message using asymmetric cryptographic systems;
(3) accordingly, a person who has the original data message and the signer’s public key can accurately determine:
(a) The above-mentioned transformation is created using the correct private key corresponding to the public key in the same key pair; and
(b) The integrity of the data message since the above-mentioned transformation has been kept.
It can be seen that digital signatures are the product of the application of the technology called asymmetric encryption or public key cryptography[2]. With this technology, a person using a digital signature (“Signer”) will create or be provided with a pair of codes (which are relatively long binary strings) used for the execution of transactions, including a private key and a public key. The private key will be used by the Signer to create a digital signature on an electronic document (or “digitally sign”), while the public key will be used by the relevant persons to check whether the digital signature on the document is truly of the Signer and, from the time of being digitally signed, the document’s integrity (the state of not being altered) is kept[3].
Basically, the private key and the public key will be created using a special mathematical “formula” or protocol, so that any person who has the public key will not be able to calculate the private key with the current level of computer technology[4]. Each private key, in principle, belongs to a single Signer, and only such Signer can and is obliged to store, secure, and keep the private key confidential. Meanwhile, the Signer’s public key can be made public to everyone or provided to anyone else, but the security of the private key is still ensured[5].
In practice, the use of digital signatures inevitably requires the facilitating role of third parties, namely the organizations that provide digital signature certification services (“Certification Authorities” or “CA”). According to Article 4 of Decree No. 130/2018/ND-CP, digital signature certification services include the following work:
(1) Creating or assisting in creating the key pair consisting of a public key and a private key for subscribers;
(2) Issuing, extending, suspending, restoring, or revoking subscribers’ digital certificates;
(3) Maintaining an online database of digital certificates; and
(4) Providing necessary information to help certify subscribers’ digital signatures on data messages.
To be more specific, a digital certificate is a form of e-certificate issued by the Certification Authority to provide the identification information of the public key of an agency, organization, or individual, thereby confirming whether such person digitally signed a document using the corresponding private key. In other words, by granting us a digital certificate, the Certification Authority confirms and ensures to whom a public key has been issued[6].
DIGITAL SIGNING PROCESS
After being granted a key pair by the Certification Authority, to digitally sign an electronic document, the Signer will use computer software (officially known as a “digital signature application”[7]) to “run” a group of algorithms collectively called the signing algorithm. The input of the signing algorithm will include (i) the electronic document that needs to be digitally signed and (ii) the Signer’s private key[8].
When the signing algorithm is run, the content of the electronic document (characters, images, etc.) is first processed by an algorithm called a hash function[9] that “hashes” or “chops up” the document into a piece of code of a fixed length, called a hash or a message digest. The special characteristic of the hash function is that, in practice, it is almost absolutely certain that the message digests generated from any two different documents (however small the difference) will never be the same. As such, the message digest is also known as the digital fingerprint of a data message because of its unique nature[10].
Data message                        Message digest
Ala has a cat named Mruczek.        8fca969b64f34edc160a205cb3aa5c86
Ala has a cat named Mruczek..       fe634af96c21b486e189224b70018189
Ala has a cat named mruczek.        e478d8300e1e1cf6e1abde3d23948e43
For example, in the left column are the data messages and in the column to the right are the message digests generated from the corresponding data messages through the hash function. It is noteworthy that the data messages differ only in 01 character, but their message digests are vastly different. Source: Rafał Kuchta, The hash – a computer file’s digital fingerprint, https://newtech.law/en/the-hash-a-computer-files-digital-fingerprint/.
Next, the message digest of the document to be signed is in turn transformed by combining it with the Signer’s private key in a certain way, creating another piece of code that is “inserted” into the document. This code is the digital signature, the valid proof of the Signer’s execution of the document.
The Signer will then send the electronic document with the digital signature inserted to the recipient. To check the authenticity of the document and the digital signature thereon, the recipient will also use computer software to “run” a group of algorithms collectively called the signature verifying algorithm, whose input includes (i) the electronic document received from the Signer, with the digital signature inserted, and (ii) the Signer’s public key[11]. To ensure that the public key belongs to the Signer, the recipient will use the Certification Authority’s digital certificate services for verification.
Thanks to the special mathematical relationship between the private and public keys, with the digital signature received from the Signer and the Signer’s public key as input, the signature verifying algorithm will tell whether the digital signature was created using the private key belonging to the same pair as the Signer’s public key. The signature verifying algorithm will also decrypt the digital signature to obtain the message digest/digital fingerprint of the document that the Signer used to create the digital signature, and will “run” the hash function on the document the recipient received from the Signer to obtain the message digest of that document. If the two message digests are the same, the recipient can be sure that the document he or she received from the Signer is the same as the document that the Signer used to create the digital signature and has not been altered or tampered with[12].
In summary, with the signed document and the Signer’s public key verified by the digital certificate, the signature verifying algorithm gives us a “yes” or “no” answer with almost absolute certainty to the following 02 questions: (i) Was the digital signature inserted into the document actually created using the private key belonging to the same pair as the Signer’s public key? and (ii) Has the document’s integrity (the quality of being unchanged) been kept since it was digitally signed? On that basis, and on the assumption/presumption that only the Signer can access and use the private key, we have the legal basis for determining whether the Signer performed the digital signing on the document.
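The signing and verifying process described above, worked through in code as an added example (not part of the original article): SHA-256 is assumed as the hash function and RSA PKCS#1 v1.5 as the signing scheme, and the sample document, the one-character change, and the second, unrelated key pair are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest runs the hash function over a document and returns its
// message digest, the document's "digital fingerprint" (SHA-256 assumed here).
func Digest(doc []byte) [sha256.Size]byte {
	return sha256.Sum256(doc)
}

// SignDocument is the signing algorithm: hash the document, then transform
// the digest with the Signer's private key (RSA PKCS#1 v1.5 assumed here).
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	d := Digest(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// VerifyDocument is the signature verifying algorithm: re-hash the received
// document and check the signature against that digest with the public key.
// "true" answers both questions (matching key, integrity kept); "false" does not say which failed.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	d := Digest(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// DigestsDiffer shows the fingerprint property: any change in the document,
// however small, yields a different message digest.
func DigestsDiffer(a, b []byte) bool {
	da, db := Digest(a), Digest(b)
	return !bytes.Equal(da[:], db[:])
}

func main() {
	signer, _ := rsa.GenerateKey(rand.Reader, 2048)   // the Signer's key pair
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	doc := []byte("Ala has a cat named Mruczek.")      // constructed sample document
	tampered := []byte("Ala has a cat named mruczek.") // one character changed
	sig, _ := SignDocument(signer, doc)
	fmt.Println("genuine:", VerifyDocument(&signer.PublicKey, doc, sig))       // true
	fmt.Println("tampered:", VerifyDocument(&signer.PublicKey, tampered, sig)) // false
	fmt.Println("other key:", VerifyDocument(&stranger.PublicKey, doc, sig))   // false
}
```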
2. Legal validity of digital signatures
In general, Vietnamese law has relatively adequate regulations to ensure the validity of transactions concluded by digital signatures in certain activities.
The Civil Code 2015, the general statute governing civil transactions, regulates that civil transactions established through electronic means in the form of data messages in accordance with the law on electronic transactions are considered written transactions, and will take effect if they meet the validity conditions of civil transactions in general.
The Law on Electronic Transactions 2005, detailed by Decree No. 130/2018/ND-CP, already has provisions recognizing the validity of digitally signed transactions in the operation of state agencies; in civil, business, commercial activities and other fields prescribed by law; however, this Law does not apply to the issuance of certificates of land use rights, home ownership and other real estate, documents on inheritance, marriage certificates, divorce decisions, birth certificates, death certificates, bills and other valuable papers.
On the basis of the above documents, for a transaction to be digitally signed in civil, business, or commercial activities to take effect (except for the excluded transactions as stated), the following conditions must be met:
(1) The general validity conditions of civil transactions under the Civil Code 2015, including[13]:
(a) The subject/person participating in the transaction has full capacity and voluntarily participates in the transaction;
(b) The content and purpose of the transaction do not violate the prohibitions of the law and are not contrary to social ethics; and
(c) The transaction must be made in writing, notarized, or certified if required by law. In relation to this condition, Article 119.1 of the Civil Code 2015 also stipulates that electronic transactions (including digitally signed transactions) in accordance with the law on electronic transactions are considered written transactions.
and
(2) The special validity conditions of digitally signed transactions, including:
(a) The parties to the transaction have an agreement on the use of digital signatures to establish the transaction, including the agreement on the use of certified or non-certified digital signatures and agreement on the selection of the Certification Authority[14]. In our opinion, such agreements need not be express but can be implied by the acts of digitally signing the transaction documents of the parties;
(b) The digital signature used has legal value, that is[15]:
(i) The digital signature is created during the validity period of the corresponding digital certificate and verifiable by the public key stated on such digital certificate;
(ii) The digital signature is created using the private key corresponding to the public key stated on the digital certificate issued by one of the licensed Certification Authorities[16]; and
(iii) The private key is only under the Signer’s control at the time of signing.
It can be seen that the special validity conditions of digitally signed transactions quite comprehensively reflect the technical requirements of digital signatures that we have analyzed. If a business uses the digital signature certification services of a licensed Certification Authority that applies qualified technologies, it is easy to determine (i) that the digital signing was done using the Signer’s private key, and (ii) that the public key obtained by the recipient actually belongs to the Signer.
However, regarding the condition that “the private key is only under the control of the Signer at the time of signing”, we have been asked whether the Signer can argue that, at the time of signing, the private key was controlled by another person in order to request the Court to declare the transaction void or not yet concluded. Typically, the Certification Authority will provide a private key storage device to the Signer, and the Signer must undertake that only its competent person can manage and control the device. At the same time, during the process of digital signing, the document will be sent to the emails of the competent persons of the parties for consideration before signing. Combining those factors, we are of the opinion that it is not difficult to gather the relevant evidence (which will mostly be stored on the Certification Authority’s system) to establish that the Signer’s competent person was the sole person controlling the private key at the time of signing. If the Signer asserts that the private key was compromised and controlled by others, the Signer will bear the burden of proof for such assertion. In addition, Articles 25.2(a) and 25.3 of the Law on Electronic Transactions 2005 also stipulate that e-signature signers are obliged to take measures to avoid the illegal use of their electronic signature creation data and are held accountable to the law for the consequences of non-compliance with such provision.
To conclude, we believe that with the qualified application of asymmetric cryptographic systems by licensed Certification Authorities, digital signatures will be a legal, safe solution for businesses to establish electronic transactions that help save costs and time.
Above are some of our opinions relating to digital signatures under Vietnamese law. Please note that this article does not constitute any comprehensive legal opinion for any particular case. Please take expert advice should you encounter related legal issues.
BROSS & Partners is a Vietnamese law firm proposed by Legal 500 Asia Pacific, Chambers Asia Pacific, AsiaLaw, IFLR1000, and Benchmark Litigation, with experience and capacity to advise and resolve disputes related to Investment, Enterprise and Commerce, Mergers & Acquisitions, Labor & Employment, Real Estate & Construction, Finance – Banking, Securities, Capital Markets, and Intellectual Property.
If you need assistance, please contact: hoang@bross.vn; Mobile: +84 903 556 119; WhatsApp: +84 903 556 119; Zalo: +84 903 556 119.
[1] Article 21.1 of the Law on Electronic Transactions 2005 provides that electronic signatures are created in the form of words, letters, numbers, symbols, sounds or otherwise by electronic means, logically attached or combined with the data message, capable of confirming the signer of the data message and confirming the person’s approval for the content of the signed data message.
[4] Typically, the RSA (Rivest–Shamir–Adleman) protocol and the DHKE (Diffie–Hellman) protocol; Using a public key to calculate the corresponding private key will take many years with the current level of computer technology, according to Paar, Christof & Pelzl, Jan (2010), Understanding Cryptography – A Textbook for Students and Practitioners, Springer, 150-169, 175-179, 194-195.
[5] Articles 75.5 and 76.2 of Decree No. 130/2018/ND-CP do not specify whether the storage, security, and safety protection of the private key are the rights or obligations/responsibilities of the digital signature user. However, Articles 25.2(a) and 25.3 of the Law on Electronic Transactions 2005 stipulate that e-signature signers are obliged to take measures to avoid the illegal use of their electronic signature creation data and are held accountable to the law for the consequences of non-compliance with such provision.
[6] Article 3.7 of Decree No. 130/2018/ND-CP.
[7] Article 3.14 of Decree No. 130/2018/ND-CP.
[13] Article 117 of the Civil Code 2015.
[14] Clauses 5.1, 5.2, 23.1 of the Law on Electronic Transactions 2005.
[15] Articles 8 and 9 of Decree No. 130/2018/ND-CP. These provisions appear to be the concretization of Article 24 of the Law on Electronic Transactions 2005, which reads:
“1. Where the law requires a document to be signed, such requirement with respect to a data message shall be considered having been met if an e-signature used for signing such data message satisfies the following conditions:
a. The method of creating the e-signature permits to identify the signatory and to indicate his/her approval of the contents of the data message;
b. Such method is sufficiently reliable and appropriate to the purpose for which the data message was originated and sent.
2. Where the law requires a document to be stamped with seal of the concerned agency or organization, such requirement with respect to a data message shall be considered having been met if the data message has an e-signature of the agency or organization that satisfies the conditions stipulated in Clause 1, Article 22 of this Law and the e-signature is certified.”
[16] Including: (i) The National Digital Signature Certification Authority; (ii) The Government’s specialized digital signature certification authority; (iii) Public digital signature certification authorities; and (iv) Specialized digital signature certification authorities of agencies or organizations possessing the certificate of eligibility for securing specialized digital signatures (Article 9.2 of Decree No. 130/2018/ND-CP).