Here you can find all frequently asked questions and answers on general issues regarding the use of digital certificates and electronic signatures.
In the context of Public Key Infrastructure (PKI), a key pair is a unique combination of keys, specifically a public key and a private key that are mathematically linked and provide, among other things, asymmetric encryption between them.
A private key is a key used by the signer for the creation of an electronic signature. In a key pair, the private key remains secret and is exclusively controlled by its owner.
A public key is used to verify electronic signatures. In a key pair, the public key is associated with the private key. The public key is freely accessible to others, for example for the verification of a digital signature.
A certificate is the digital confirmation that associates signature verification data (public key) with a specific person and verifies this person's identity.
A certification service provider is a natural or legal person, or other entity, that issues certificates or provides other services related to electronic signatures. For the certificates issued by a certification service provider to be qualified, the provider must be certified according to international standards and be registered with the Greek National Telecommunications & Post Commission (EETT).
A qualified certificate is a certificate that meets the requirements of the relevant legislation and is issued by a certification service provider that fulfils the legal requirements and has been registered in a list of qualified digital certificate providers (such as the list kept by the Greek National Telecommunications & Post Commission, EETT), for use in advanced electronic signatures.
An electronic signature is a set of electronic data that is attached to, or logically associated with, other electronic data and is used as proof of authenticity.
An advanced electronic signature or digital signature is an electronic signature that meets the following requirements:
1. It is uniquely associated with the signer
2. It can determine the signer's identity in a unique and exclusive way
3. It is created through media that are under the exclusive control of the signer, and
4. It is connected to the data it refers to, so that any future data alteration can be traced.
Advanced or qualified digital signatures use qualified digital certificates.
A qualified signature creation device is a USB token, which is different from the memory sticks we all use for storing files, photos, etc. A USB token (or TOKEN) has an embedded cryptographic chip that stores the owner's private keys (qualified digital certificates) in the most secure way. To use a USB token, you need to insert it into a USB port.
A secure signature creation device may be a USB token, so that it can easily be connected to a USB port on a desktop or laptop. A secure signature creation device can also be a smartcard (like credit cards that have a chip), in which case you need a specialized reader connected to your computer.
This device meets all the requirements (technical and legal), and its use is mandatory under the international standards and the legislation on qualified digital signatures, which, according to the law, are equally binding with hand-written signatures.
The use of a qualified signature creation device is simple. The qualified signature creation device is inserted in a USB port that works as a reader.
In order to unlock the qualified signature creation device and use the keys stored in its chip, you need to enter a PIN. In other words, the operation of qualified signature creation devices is similar to that of credit cards.
You need to enter your PIN when you want to digitally sign a text.
Public Key Infrastructure is the most secure technology for protecting transactions between different parties over public networks, including the Internet.
This technology (also called asymmetric encryption) has been in use for several decades and is established both in the European Union and in Greece. Since 2001, Greece has had legislation in force that recognizes PKI technology as acceptable and stipulates that qualified digital signatures are legally equal to hand-written ones.
For this reason and for the protection of users, there are international standards, referenced in the legislation, that ensure that a qualified (or advanced) digital signature on an electronic message, file, etc. is legally equal to a hand-written signature on a printed document.
The Public Key Infrastructure is based on the following:
• The authority that issued the digital certificates stored in the qualified signature creation device. This is also called Trust Center or Trusted Third Entity.
• The user (or subscriber) that possesses one or more digital certificates issued by the Trusted Third Entity, stored e.g. in a qualified signature creation device.
• The applications using the certificates for authentication or digital signatures.
A Certification Authority is a combination of software and hardware, including cryptographic machines, that creates certificates in accordance with the international standards for PKI technologies. Certificates can also be created by qualified signature creation devices, that is, by the cryptographic chip embedded in the TOKEN.
In PKI, certificates are based on keys created in pairs, i.e. a private and a public key. The private key is protected and used in operations such as creating digital signatures. The public key, on the contrary, is known and can be used by anyone for the operations that complement the owner's use of the private key, e.g. for verifying a digital signature.
For example, if an electronic message or document has been signed with the private key of a user, you use the corresponding public key of that user to verify the authenticity of the signature.
PKI is the safest technology available, provided that all international standards and security regulations are followed.
The Greek National Telecommunications & Post Commission (EETT) is responsible for ensuring that the providers of qualified digital certificates comply with the European and the Greek legislation, and follow the international standards, instructions and orders issued by EETT.
Furthermore, EETT maintains a list of the providers issuing certificates and the class they belong to, based on their certification. The best-known and strictest international standard by which a provider issuing qualified digital certificates for qualified digital signatures can be certified is the so-called "WebTrust" standard.
Byte's Trust Center, which issues qualified digital certificates, is certified according to the WebTrust standard and is included in EETT's list as a provider of the highest class, which means it can issue qualified digital certificates that are legally as binding as a hand-written signature.
A signer or subscriber (otherwise, "certified party") is a natural person who owns a qualified digital signature device and acts on his/her own behalf. This is the person who applied for a certificate and, after the required ID verification process, acquired such a certificate from the certification service provider, stored in a secure qualified signature creation device, i.e. a USB token.
The Public Key Infrastructure is widely accepted as the safest and, today, the most highly effective technology pertaining to electronic transactions. Digital certificates focus on confidentiality, integrity and validation issues, so that the end-users can communicate and exchange information in a safe and reliable environment.
The Public Key Infrastructure for electronic signatures is deployed and operates in the following steps:
• Step 1: The user requests a certificate, which is based on a pair of keys, from the Public Key Infrastructure by submitting a relevant request to the certification authority of a digital certificate provider.
• Step 2: The registration authority collects all the necessary information in order to verify the end-user's identity, and then approves the request for issuing personal digital certificates.
• Step 3: The registration authority accepts or rejects the request, depending on whether all relevant requirements are met. For example, if there is no available (or legally submitted) ID copy (e.g. identity card or passport), the request will be rejected.
• Step 4: The certification authority of a qualified digital certificate provider creates the digital certificates for the end-user and notifies him/her about when and how they can be used.
1. You can apply for a qualified digital signature creation device and digital certificates by filling out the relevant online form.
The address on the application form should be where the end-user/applicant will be, in order to collect the qualified digital signature creation device in person (and sign the delivery note). You will also need to enter a mobile phone number, to which a notification will be sent when your certificates are issued, together with the PIN code for your qualified digital signature creation device. At this point, it is not possible to issue digital certificates without a mobile phone number.
2. Your request will be examined and approved/rejected by Byte, in its capacity as a registration authority. For example, any requests that do not include a delivery address for the qualified digital signature creation device, VAT number, mobile phone number, etc. will be rejected. Once your application is approved by the registration authority, it will be transferred to the certification authority, i.e. Byte's Trust Center.
3. The certificates will be issued and safely stored in a qualified digital signature creation device that will be sent to the applicant by registered mail.
4. The applicant will also receive an SMS notifying him/her about the expected delivery of the qualified digital signature creation device by registered mail. This SMS will also include the PIN code for the qualified digital signature creation device, which the user will have to change later.
5. Upon delivery of the qualified digital signature creation device, which the user must collect in person, they will also need to provide a copy of their ID (both sides), which will be checked against the original. Furthermore, the user will need to sign the application form and enter the delivery date.
If the user fails to provide an ID copy or does not sign the application form, the qualified digital signature creation device will not be delivered, due to non-compliance with the legal requirements and the EETT orders on identification upon the delivery of a qualified digital signature creation device.
The only additional task you need to perform is to install the driver for the qualified digital signature creation device on your computer.
The driver varies depending on your operating system. At http://bytepki.byte.gr/, you can find drivers for all popular operating systems (Microsoft Windows, Linux, Apple Mac). You can download and use these drivers by following the corresponding installation instructions (see immediately below).
After installing the driver for the qualified digital signature creation device, just connect your qualified digital signature creation device in a USB port and enter your PIN, when prompted, so that you can begin using your certificate (authentication, digital signature).
All tokens, and USB eToken-5100 in particular, are manufactured by SafeNet. You can see the supported operating systems at http://bytepki.byte.gr/.
First of all, you should revoke the existing digital certificates. This is done by the Trust Center, following the subscriber's request. In cases of emergency, e.g. if you lose both your qualified digital signature creation device and your PIN, there are special instructions you need to follow. (Please note that you should never keep your qualified digital signature creation device with your PIN, e.g. by writing the PIN on the device.)
For instructions regarding the change of your PIN code, based on your operating system, please visit http://bytepki.byte.gr/. It should be noted that these instructions apply only to the SafeNet USB Token (qualified digital signature creation device) that was delivered to you.
The PIN code is known only to the user (subscriber) that received the qualified digital signature creation device. Users can change their PIN codes as many times as they want, following the process described below. For security purposes, the Trust Center does not know your PIN code and will not be able to help you, e.g. if you forget it. In such a case, you'll need to ask for a new PIN code to be issued.
Usually, certificates are valid for one year. You can check the date that your certificates were issued on, as well as their expiration date.
The process is quite simple:
Insert your token in a USB port.
Open the Certificate Manager by clicking the Start button, typing certmgr.msc in the search field and pressing the Enter key. (You may be asked for the administrator password.)
Select the Personal > Certificates folder. On the right side, you'll see your personal certificates that are stored in the USB Token, along with information on their expiration date and the purpose for which they were issued. Please note that Secure Email is related to generic document signing.
If you want to see more information about a certificate, just double-click the certificate name. The certificate window will appear. In the Details tab, you can find all the information about this particular certificate. As you will see, there is a wide range of information available about any certificate, including the name of the owner, the authority that issued the certificate, the date it was issued on, its duration, its status (valid or not) based on the expiration date noted in the certificate (but not whether it has been revoked for any other reason), etc.
In the Certification Path tab, you can see the certification authority that vouches for and has certified this particular certificate.
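The key-pair operations described in the answers above (signing with the private key, verifying with the public key carried in the certificate, and checking the validity dates that certmgr displays), as an added Go example that is not part of this page or of Byte's software. The self-signed certificate standing in for a CA, the subject name and the document text are constructed test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKeyPairAndCert generates a key pair and a self-signed certificate binding the public
// key to a subject name; the self-signed issuer stands in for a CA (test assumption only).
func newKeyPairAndCert(name string, notBefore, notAfter time.Time) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// signDocument is the signer-side step: hash the document and sign the digest with the
// private key (on a real token this happens inside the chip after the PIN is entered).
func signDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyDocument is the relying-party step and needs only the certificate (public key): it
// checks the validity window at time now, then that the signature matches the document, so
// any alteration after signing is detected. Like certmgr's expiry date, it says nothing about revocation.
func verifyDocument(cert *x509.Certificate, doc, sig []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return x509.CertificateInvalidError{Cert: cert, Reason: x509.Expired}
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig)
}
```

Revocation status must be checked separately against the provider's CRL or OCSP service, which this example does not do.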
As mentioned elsewhere as well, before using your digital certificates, you need to install on your computer the software provided by SafeNet, the manufacturer of the qualified digital signature creation devices. This process needs to be done only once for every computer where you'll be using your digital certificates (authentication, digital signatures). You can download SafeNet's software (client) from http://bytepki.byte.gr/.
The software varies depending on the supported operating system. You can also find installation instructions that you'll need to follow during the installation process.
No. Certificates are issued with an extremely secure method and only once. Backup copies are not allowed. According to international standards, (personal) certificates are securely stored only in qualified digital signature creation devices.
| Abbreviation | Meaning |
| --- | --- |
| ΑΕ (RA) | Registration Authority (RA) |
| Α.Δ.Α. | Internet Posting Number |
| ΑΠ (CA) | Certification Authority (CA) |
| ΑΠΔΠΧ | Personal Data Protection Authority |
| ΑΠΕΔ | Hellenic Public Administration Certification Authority (ΕΡΜΗΣ) |
| ΔΔΤ | Public Website |
| ΕΔΔΥ (QSCD) | Qualified Signature Creation Device (SSCD) |
| ΛΑΠ or ΚΑΠ | List or Catalogue of Revoked Certificates (CRL) |
| ΟΤΣ | Relying Party Terms |
| Ο.Χ.Π. | Certificate Terms of Use |
| ΠΑ (OID) | Object Identifier |
| ΠΚΑ or PIN | Personal Identification Number (of the subscriber - PIN) |
| ΠΠ (CP) | Certificate Policy (CP) |
| ΠΠΔΔΤ | Certification Framework for Public Websites |
| ΠΥΠ (CSP) | Certification Service Provider (CSP) |
| Τ.Π.Ε. | Information and Communication Technologies |
| ΥΠ.ΑΠ. | Subordinate Certification Authorities (subCAs) |
| ANSI | American National Standards Institute |
| CPS | Certification Practices Statement |
| CRL | Certificate Revocation List (or LRC) |
| EETT | Hellenic Telecommunications and Post Commission |
| ETSI | European Telecommunications Standards Institute |
| HSM | Hardware Security Module |
| OCSP | Online Certificate Status Protocol |
| PIN | Personal Identification Number |
| PKI | Public Key Infrastructure |
| QSCD | Qualified Signature-Creation Device |
| S/MIME | Secure Multipurpose Internet Mail Extensions |
| SSL | Secure Sockets Layer |
| TSA | Time-Stamping Authority (the same as EVC) |
| TLS | Transport Layer Security |