Topics that include the word “biometrics” in them are very popular today and are the focus of much attention. However, biometrics as such is, in and of itself, a very broad and general term. Under the broader rubric of biometrics, we could include facial recognition, iris recognition, fingerprints, palm prints and hand geometry, DNA and even voice recognition and a person’s manner of walking. In this article, the focus will be on biometric signatures – and, more specifically, on biometric handwritten signatures.
Biometric signatures (sometimes referred to as dynamic biometric signatures) are a digitally processed version of the common handwritten signature, something which people get accustomed to from the moment they learn how to write. When we refer to a digital version of a biometric signature however, there are many advantages over the standard handwritten signature. These would include the ability to capably sign electronic versions of documents without the need for a paper copy, the ability to analyze the static and dynamic nature of a signature in real time and the saving of overhead costs related to the processing and storage of paper documents, etc.
Biometrically signed documents
Today, it is possible to sign any electronic document (i.e., a purchase order, application, contract, invoice, letter, etc.) with an electronic signature. This electronic digital manner of document origination replaces the traditional way of working with documents in a paper form. And, in practical terms, we no longer need to have a paper copy of a document that we will sign with a fountain or ballpoint pen. Instead, we can open up the digital document (usually in a PDF format) and just add an electronic signature to it.
Fig. 1: Biometric signature on a tablet
A biometrically signed document is actually signed in a very traditional way – the biggest difference being no paper. To biometrically sign a document, a special pen (or pencil) is used rather than a mouse or keyboard function. What is also needed is a so-called ‘SignPad’ or signature pad, something which is sometimes available on tablets.
From a technical point of view, a biometrically signed document extends the concept of an electronically signed document with the use of an additional security feature – the biometric data (signature) itself. This data includes information about other features and characteristics of a person’s ordinary signature, which are often not at all apparent to the person doing the actual signing. These features and characteristics are not readily apparent in the graphical representation of a signature and they are very difficult for a forger to replicate. These include the following:
As a result, a biometrically signed document contains, in addition to the data itself (i.e. what we see on our monitor screen), a wealth of additional information that helps to verify who the actual biometric signer of the document is and was. We can also determine if the document has been altered in any way after the signature was appended to it. Notwithstanding these benefits, on its own, a biometric signature does not prevent the following:
How is a signature?
The following describes the method used to biometrically sign a document:
1. The document is signed by hand using a special device. The signature image can be displayed on any part of the document. The related biometric data of the signature is asymmetrically encrypted and also saved into the document.
2. From the contents of the document (both the visual data + the encrypted biometric data) is generated the so-called ‘hash’ using a special hash function, such as SHA-2. One can think of this ‘hash’ as a mathematical fingerprint of the document.
3. A second hash is generated (calculated) from the first hash and the raw biometric data, and this second hash is also attached to the document.
4. The first hash, which was generated, is encrypted with the private key of the party that issued or generated the document (e.g. an RSA algorithm). This first hash creates an electronic signature.
5. This electronic signature is inserted into the document and can be sent to the recipient.
6. Using a public key, the recipient can then key verify that there has been no alteration to the contents of the message before its delivery into the hands of the recipient.
It is possible to verify that the contents of an electronically signed document have not been altered. The process is simple and consists of comparing the hash that was created at the time of the document’s generation and sending with the hash that can be obtained by decrypting the document’s electronic signature with a public key. If both of these hashes are identical, the document will have been the original document and have not been changed. It will be valid for whatever is and was its intended use.
Fig. 2 : Biometric signed document
Today’s insitutions…
Today, a typical business relationship would proceed as follows: a seller (retailer) would talk with a prospective client or customer (buyer) about their needs or desires and to conclude a related transaction, a contract or agreement would be drawn up and entered into between the two parties. With the use of the business systems of the seller, a command is entered to generate the transaction document and two copies are printed out (one copy for the seller and one for the client). After being approved by each party, the document is signed by both of them. The client retains and takes one signed copy with them and stores it somewhere. The second signed copy is retained by the seller at their branch store and/or it is prepared for submission to a central document repository, where it is cataloged and stored for further use (warranty claims, lawsuits, etc.).In addition to the archiving of the original document, a scanned digital copy of the document is created for general daily use and reference purposes (making it unnecessary to have the original document in a local file).
… and institutions established biometric signature
Let us imagine the exact same situation as described above. The seller (retailer) would talk with a prospective client or customer (buyer) about their needs or desires and generate a document to memorialize their agreed transaction. However, in this case, the contract or agreement is not generated in a paper form; but rather, electronically generated on a view screen. After each party reads over the respective document, they verify their approval of its contents by using special equipment to attach their biometric signatures to the document. After being signed by both parties, the document is locked. The electronic original is ready for sending to the client. Because this is a sensitive data, the document must be sent to the client through a secured channel (internet banking, client portal, data box, possibly even an encrypted email). For more conservative clients, it should be possible to also print out a copy of the document. At the same time, a second original of the document is stored into the so-called electronic archives of the business (seller). These electronic archives are used to store the electronic original versions of documents that contain sensitive encrypted biometric data. Access to such archived information is normally very limited. For routine work, an electronic ‘scan’ of the original document, without any of the encrypted biometric data, should suffice.
The benefits of introducing biometric signatures
Many companies in various fields has been working with biometric signatures and their processes are used. For those who biometric signatures before considering implementation, there is a conclusion some advice on what to look for and what to remember:
Fig. 3: The Architectural Concept
Source : Unicorn Systems