infoTECH Feature

April 23, 2013

'Going Paperless' Requires an Examination of Digital Document Authentication Options

Going paperless is a concept that has been promised to us for years, if not decades. While some industries, particularly more high-tech industries, have largely managed it, many others lag far behind, still awash in paperwork. Healthcare, insurance, government and legal industries are noteworthy for still carrying on business like it’s 1979.

Part of the problem is that digital documentation can be so easily manipulated. Many industries fear that by going all-digital, they are compromising security, and this is particularly worrisome for industries that are obligated to protect privacy or maintain the legal integrity of documents.

What is required is a tamper-proof method of digitally signing documents, according to a recent article in BizTech. Any solution must allow signatures to be fully verified, establish when the document was signed and ensure beyond reasonable doubt that the data is exactly the same as it was when the document was originally created.

While there are complex algorithms that can be used to authenticate digital files, these aren’t exactly practical for most businesses outside of military intelligence. Many organizations rely on a technology called Public Key Infrastructure (PKI), which involves the use of a public and private cryptographic key pair that is maintained through a trusted third-party authority. PKI essentially creates digital certificates that can positively identify an individual or an organization, along with directory services that can store the certificates and, when necessary, revoke them.

The downside, according to Mike Gault, CEO of digital signature company Guardtime, is that PKI relies on a mixed bag of public and private keys to authenticate users and encrypt data. Digital certificates identify organizations, so directories must be kept concise and up-to-date, certificate and registration authorities are required and the whole system must be managed. Many companies find this process onerous.

Keyless signature infrastructure (KSI), on the other hand, can eliminate many of these problems. (It can also be used together with PKI to add more layers of authentication.) With KSI, writes Gault, cryptographic keys aren’t required to verify signatures. It uses cryptography based on hash functions, and the tools required are published publicly. Therefore, anyone can verify signatures to establish the date, time and signing entity and prove that the data is intact without the need for a third party.
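The idea of verifying with nothing but a hash function and a published value can be shown with a simplified hash tree. This is an added illustration, not Guardtime's code or the KSI format: the function names, the SHA-256 choice and the sample documents are assumptions, and binding the signing time and signer identity is left out.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(document: bytes) -> bytes:
    return h(b"\x00", document)          # 0x00 prefix marks a leaf hash

def build_tree(leaves):
    """Return all tree levels, leaves first, single root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                 # odd level: pair last node with itself
            cur = cur + [cur[-1]]
        levels.append([h(b"\x01", cur[i], cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels

def hash_chain(levels, index):
    """The 'signature': sibling hashes on the path from one leaf to the root."""
    chain = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        chain.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return chain

def verify(document: bytes, chain, published_root: bytes) -> bool:
    """Recompute the root from the document and its chain; no key involved."""
    digest = leaf(document)
    for side, sibling in chain:
        if side == "L":
            digest = h(b"\x01", sibling, digest)
        else:
            digest = h(b"\x01", digest, sibling)
    return digest == published_root

# Constructed sample documents signed in one aggregation round.
DOCS = [b"insurance claim 1001", b"patient consent form", b"court filing 77"]
LEVELS = build_tree([leaf(d) for d in DOCS])
ROOT = LEVELS[-1][0]                     # the value that would be published

if __name__ == "__main__":
    chain = hash_chain(LEVELS, 1)
    print("intact document verifies:", verify(DOCS[1], chain, ROOT))
    print("altered document verifies:", verify(b"patient consent form!", chain, ROOT))
```

The verifier needs only the document, its hash chain and the published root, so the integrity check does not depend on any secret key or certificate directory staying valid.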

So while it seems certain that the paperless life really is in our future, many industries still need to take the technological steps required to enable it. It’s not quite time to get rid of your office paper recycling bin.




Edited by Alisen Downey