Why is it required and how does it work theoretically?

Our electronic documents are threatened by the following:

  • unauthorized access: an unauthorized person gains insight into the document,
  • modification: during unauthorized access, uncontrolled changes are made to the document,
  • feigning (impersonation): the sender or receiver of a message pretends to be someone else,
  • message denial (repudiation): the sender or receiver of a message denies the fact of sending a letter or denies its content,
  • message multiplying (replay): a message is re-sent multiple times.

As a countermeasure, public key cryptography can be used; it provides two basic functions: encryption and the creation of electronic signatures.

The operation of the technology is governed by organizations, process regulations and devices that are collectively called the Public Key Infrastructure (PKI).

To implement a public key infrastructure, a key-pair and a certificate are required. The key-pair is the means by which electronic signatures are created and encryption algorithms are executed. It consists of a private key and a public key. The public key is accessible to everyone, while the private key is held solely by the creator of the electronic signature. If a document is encrypted with one of the two keys, it can only be decoded with the other key of the pair; this is the only way the relation between the two keys shows itself, and there is no other way to obtain information about the other key.

During encryption the sender writes their letter and then encrypts it with the public key of the receiver. The encrypted message travels to the addressee over the Internet and, because of how the key-pair works, can only be decoded and read with the private key of the receiver.

During electronic signing the sender first computes a so-called hash of their own letter. The message cannot be recovered from the hash, but the slightest modification to the message completely changes the hash. The sender then encrypts this hash with their own private key; the result is called the electronic signature.
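The encryption and signing steps described above, as an added Go example that is not NetLock's code: it assumes RSA with OAEP for encryption and PKCS#1 v1.5 signatures over a SHA-256 hash, and the key pairs and the letter are constructed for the demonstration (generated in software here, not in a key-storing device).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypt seals a letter with the receiver's public key; only the matching private key opens it.
func Encrypt(receiverPub *rsa.PublicKey, letter []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, letter, nil)
}

// Decrypt opens a sealed letter with the receiver's private key.
func Decrypt(receiverPriv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, sealed, nil)
}

// Sign hashes the letter and signs the hash with the sender's private key.
func Sign(senderPriv *rsa.PrivateKey, letter []byte) ([]byte, error) {
	digest := sha256.Sum256(letter)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Verify recomputes the hash and checks the signature with the sender's public key;
// any change to the letter changes the hash and the check fails.
func Verify(senderPub *rsa.PublicKey, letter, sig []byte) bool {
	digest := sha256.Sum256(letter)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed sample key pairs; in practice these live in a key-storing device.
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)
	letter := []byte("Transfer 100 HUF to account 1234") // constructed message
	sealed, _ := Encrypt(&receiver.PublicKey, letter)
	opened, _ := Decrypt(receiver, sealed)
	fmt.Println("decrypted equals original:", string(opened) == string(letter))
	_, err := Decrypt(sender, sealed) // the other key of a different pair cannot open it
	fmt.Println("opened with the wrong key:", err == nil)
	sig, _ := Sign(sender, letter)
	fmt.Println("signature valid:", Verify(&sender.PublicKey, letter, sig))
	tampered := []byte("Transfer 900 HUF to account 1234")
	fmt.Println("valid on tampered letter:", Verify(&sender.PublicKey, tampered, sig))
}
```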

A cornerstone of the system's operation is that a trustworthy third party undertakes to guarantee that each key-pair belongs to exactly one signer; the certificate serves this purpose. Certificates are issued and managed by the certificate provider.

The certificate provider is an organization specializing in certificate issuance. It undertakes to competently identify prospective signers within a certain geographic area, using methods based on thorough knowledge of the area's legal, administrative and economic system, and to vouch to the whole world for these signers and for the legitimacy of their data. Protecting the provider's private key is a primary task of the system, because the provider authenticates, that is, electronically signs, the certificates it issues.

The certificate provider verifies its own existence with certificates issued for its own purposes. Trust in this so-called main (root) certificate is built on conventional business practices, just as at financial institutions; the most important of these are: transparent, stable operation with strong financial backing; highly competent administrators with a clean record; auditing and the publication of its results; inclusion in international lists of authentication providers; liability insurance; and financial compensation for damages caused by certificate abuse.


The classes of NetLock certificates

The “M” class (Qualified) certificate is issued solely to natural persons whose identity is established by the certificate provider through notarial identification steps. The use of “M” class certificates is recommended for high-value financial transactions; carrying out administrative procedures; and verifying exchanges of messages that result in financial flows or in the creation of official regulations. A qualified certificate can only be issued as a personal or administrative signing type. The compensation limit of the liability insurance is 10 million Hungarian Forints.

The “A” class certificate is issued to persons, organizations or servers whose subjects are identified by the certificate provider through strict identification steps involving notaries. The use of “A” class certificates is recommended for high-value financial transactions; verifying exchanges of messages that result in financial flows; and contracting. During registration, personal or organizational data is only accepted with notarial verification. The compensation limit of the liability insurance is 5 million Hungarian Forints.

The “B” class certificate is issued to persons, organizations or servers whose subjects are identified by the certificate provider through strict identification steps. The use of “B” class certificates is recommended for electronic mail; transactions of intermediate risk; online services; and verifying software sources. During registration, the certificate provider requires the signer to appear in person and to present their original documents proving their eligibility. The compensation limit of the liability insurance is 500,000 Hungarian Forints.

The “C” class certificate is issued to persons, organizations or servers whose subjects are identified by the certificate provider through limited identification steps. The use of “C” class certificates is recommended for electronic mail and low-risk transactions. During registration, verification is based on photocopies of documents. The compensation limit of the liability insurance is 50,000 Hungarian Forints.

Test certificates are available as a FREE SERVICE for technical testing of the service.


Certificate types

Personal signing certificate: can be issued to natural persons in their own name, solely for creating electronic signatures (Q, A, B, C, T classes).

Personal encryption certificate: can be issued to natural persons in their own name, solely for encryption (A, B, C, T classes).

Administrator signing certificate: can be issued to natural persons belonging to a certain organization (Q, A, B, C, T classes).

Administrator encryption certificate: can be issued to natural persons under the same conditions as the previous type (A, B, C, T classes).

Organizational signing certificate: can be issued to legal persons (A, B, C classes).

Organizational encryption certificate: can be issued to legal persons, under conditions corresponding to those of the organizational signing certificate (A, B, C classes).

SSL certificate: can be issued to natural or legal persons owning a domain name or operating servers, for establishing secure communication with web servers (A, B, C classes).

VPN certificate: can be issued to natural or legal persons operating VPN devices (e.g. routers), to support connections between LANs over open networks through an encrypted data channel (A, B, C classes).

WAP Gateway certificate: can be issued to natural or legal persons operating WAP Gateway servers, for establishing secure WAP communication (A, B, C classes).

Login certificate: a certificate used for logging into LAN networks and PCs (can be requested through a Chained Certificate Authority).

IPSEC certificate: encrypts the data flow of LAN networks (can be requested through a Chained Certificate Authority).

Chained Certificate Authority: the system consists of two elements: the regulations describing the processes for issuing and handling certificates, and the technical infrastructure required for issuance (hardware and software).

The structure of the system and the manner of its deployment and use are specified by NetLock Kft., following consultation with the customer and taking maximum account of the budget, existing infrastructure and applied procedures indicated by the ordering organization.

The system becomes capable of issuing certificates once the system-authenticating certificate issued by NetLock Kft. is loaded into it. From then on the organization, in possession of the system and the certificate, becomes able and authorized to issue end-user certificates whose scope of acceptance is in every respect identical to that of the certificates issued by NetLock Kft.

A monthly licence fee must be paid for the right to operate the system, depending on the number of certificates issued.


The process of timestamping

The aim of timestamping is to prove that a given document (electronic data set) certainly already existed at a certain specified time. The three requirements of timestamping are the following:

  • the data set itself must be timestamped;
  • it must be guaranteed that the data set cannot be changed without risk of exposure;
  • it must be guaranteed that a document cannot be timestamped with date and time information that does not correspond to the current time.

The timestamping transaction consists of an exchange of messages. The first message is sent by the entity requesting the timestamp (a private individual or company) to the organization carrying out the timestamping (the timestamping provider); this message is called the timestamping request. The second message is the reply of the timestamping provider to the request, which is the timestamp itself.

The timestamping request contains the hash of the document to be stamped. In the reply, the timestamping provider attaches at least two items of reference time data to the hash, signs them electronically, and sends the result back to the customer.
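The request and reply exchange described above, as an added Go example that is not NetLock's code: it assumes a single Unix-time reference value, an RSA PKCS#1 v1.5 signature over the hash and the time, and a constructed provider key and document; the provider's side is Issue and the later check is Verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Timestamp is the provider's reply: the requested hash, the reference time (Unix seconds)
// and the provider's signature binding the two together.
type Timestamp struct {
	DocHash  [32]byte
	UnixTime int64
	Sig      []byte
}

// tbs is what the provider signs: the hash followed by the big-endian time.
func tbs(h [32]byte, unix int64) []byte {
	buf := make([]byte, 40)
	copy(buf, h[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(unix))
	return buf
}

// Issue runs at the provider. The request carries only the document hash, so the document never leaves the customer.
func Issue(tsa *rsa.PrivateKey, docHash [32]byte, now time.Time) (Timestamp, error) {
	digest := sha256.Sum256(tbs(docHash, now.Unix()))
	sig, err := rsa.SignPKCS1v15(rand.Reader, tsa, crypto.SHA256, digest[:])
	return Timestamp{DocHash: docHash, UnixTime: now.Unix(), Sig: sig}, err
}

// Verify runs later, by anyone holding the provider's public key: the document must hash
// to the stamped value and the provider's signature over hash and time must hold.
func Verify(tsaPub *rsa.PublicKey, doc []byte, ts Timestamp) bool {
	if sha256.Sum256(doc) != ts.DocHash {
		return false
	}
	digest := sha256.Sum256(tbs(ts.DocHash, ts.UnixTime))
	return rsa.VerifyPKCS1v15(tsaPub, crypto.SHA256, digest[:], ts.Sig) == nil
}

func main() {
	tsa, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed provider key
	doc := []byte("contract v1")                 // constructed document
	ts, _ := Issue(tsa, sha256.Sum256(doc), time.Now())
	fmt.Println("stamp valid:", Verify(&tsa.PublicKey, doc, ts))
	ts.UnixTime -= 86400 // changing the recorded time invalidates the stamp
	fmt.Println("valid after time change:", Verify(&tsa.PublicKey, doc, ts))
}
```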

The existence of the document at the moment the stamp is placed is proved, in the case of physically stamped documents, by the physical writing; and in the case of electronic documents with qualified timestamps, by private documents representing conclusive evidence.


Devices for key storing

The most effective way known today to protect private keys is to generate, use and store them in key-storing modules.

Smart cards follow the format of ordinary credit cards with magnetic strips, and on their surface there is a contact plate similar to those seen on telephone cards.

USB tokens connect to PCs through the USB port. Their outer form and their use as hybrid devices are unconventional. The following paragraph lists the most important attributes of both device types.

The private key is generated inside the device in a secure environment. The security of the different devices is supervised by international audit bodies (FIPS, CEN, etc. certifications). The private key never leaves the device during use (creation of digital signatures, decryption), and it cannot be copied out of it by any means. The key is protected by a PIN code and password; entering these incorrectly locks the cryptographic device. Most devices have (sometimes multi-level) unlock codes.


About electronic signature legislation

The most important of the concepts defined by law, and of the concepts applied, are electronic signatures and the paragraphs defining the categories of electronic documents. Transactions initiated on open networks, which now entail significant financial flows, are brought under the existing conventional legal framework, and as a consequence the legal guarantees and constructions that already apply to their conventional equivalents are attached to them.

The legislation on electronic signatures distinguishes between:

  • Simple electronic signatures, whose creator cannot be specifically identified, or for which it cannot be determined whether the signed document has changed since the signature was placed.
  • Advanced security electronic signatures, which are created by the signing device solely under the control of the signer, and which are an electronic set of data that makes the identification of the signer and the verification of the document's integrity possible.
  • Qualified electronic signatures, which are advanced security signatures based on a certificate issued by a qualified certificate provider.

The most significant consequence of the legislation is that any electronically signed electronic document qualifies as a private document representing conclusive evidence if the certificate used to verify its authenticity was issued by a qualified certificate provider.

Contact our Customer Service with questions.