Certified Digitization, Certified Digitisation, Certified scanning, Electronic Invoice, Electronic Signature, Electronic Certificate, EIDAS: all these concepts are related.
In the development of electronic invoicing regulations, Spanish ORDER EHA / 962/2007, of April 10, which develops certain provisions on electronic billing and electronic storage of invoices, has defined in Spain the concept of Certified Digitization. This blog has been a pioneer in dealing with Certified Digitization since 2006.
Also in English, with some posts:
The homologation procedure has been included in the resolution of October 24, 2007, of the State Tax Administration Agency, on the procedure for homologation of digitization software contemplated in Order EHA / 962/2007, of April 10, 2007.
In a strict sense, certified digitization was defined for the procedures of the tax field, which would be outside the coverage of Law 39/2015 (eGovernment). However, the implementation of the concept and the large number of available applications make it a de facto standard, also for the public sector.
Certified digitisation is the process of converting paper documents into electronic documents that contain their facsimile reproduction and are electronically signed or sealed. The systems that manage the digitisation must meet certain criteria of integrity and unalterability in the database with which the digitisation is carried out and are required to be audited. The documents digitised with this type of system have the character of originals, so that the paper documents from which they originate can be dispensed with, which is why the legal value of these processes and of the documents to which they give rise is very relevant.
Certified digitisation of invoices has led to the birth of the concept that is now also used in relation to public administrations and the digitisation of Justice.
For the certified digitisation of invoices, you can use the different variants of software approved by the Tax Agency that the AEAT also publishes on its website. The provincial councils of Navarre, Biscay, Alava and Guipuzcoa have also published equivalent regulations and have approval procedures similar to those of the Spanish National Tax Agency and have their own lists of approved software.
Electronic signature is regulated in the EU Regulation 910/2014, which is abbreviated as “EIDAS”.
An advanced electronic signature is uniquely linked to the signatory; allows the identification of the signatory; is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
In summary, the advanced signature links the signatory with what was signed.
What is signed is often condensed into the “hash” value of the document, which is also a way to guarantee the integrity of the signed document after the advanced signature has been carried out. The signer can be associated with it in various ways: with biometrics in the case of non-certificate-based signatures, or by mathematically operating on the hash with the signer’s private key if a certificate-based signature is applied.
Certificate-based signing uses public key cryptography, also called asymmetric cryptography.
In asymmetric cryptography there are 2 keys that are mathematically linked to each other:
1. Private Key
2. Public Key
What is encrypted with the private key can only be decrypted with the public key, and vice versa.
Hash functions are unidirectional and generate a short string of characters from a document or a long string of characters.
A possible simile would be a sum value: if we transform each character in a string into a number (for example, its ASCII value) and add the values of all the characters in the string, the resulting value depends on the content of the string. If you change a character, the sum changes. The algorithms used in cryptography are more elaborate, so that it is not possible to make modifications to the string that result in the same hash value, which would allow the contents to be changed without detection. Therefore, the sum value, although it serves to explain the hash, is not in itself a good hashing method.
Given a document and its «hash», it is possible to check if the hash truly corresponds to that document. However, from the hash it is not possible to deduce the document from which it came. There could be infinitely many. When two different documents produce the same hash value when calculating with a certain algorithm, a «collision» is said to have occurred.
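The weakness of the sum value described above can be shown directly. The following is an added example, not part of the original post: it pads an altered text until its character sum matches the original, while SHA-256 still tells the two apart. The invoice strings and function names are constructed for illustration.

```python
import hashlib

def ascii_sum(text: str) -> int:
    """The toy 'hash' from the simile: add up the character codes."""
    return sum(text.encode("utf-8"))

def sha256_hex(text: str) -> str:
    """A real cryptographic hash of the same text, for comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def pad_to_same_sum(original: str, altered: str) -> str:
    """Append printable filler to `altered` so its sum equals the original's.

    Works when the sums already match or the altered text sums at least 32
    lower than the original; otherwise raises ValueError.
    """
    gap = ascii_sum(original) - ascii_sum(altered)
    if gap == 0:
        return altered                      # e.g. two characters swapped
    if gap < 32:
        raise ValueError("gap too small to absorb with printable filler")
    spaces, rest = divmod(gap, 32)
    # (spaces - 1) blanks of value 32, plus one character of value 32 + rest
    return altered + " " * (spaces - 1) + chr(32 + rest)

# Constructed sample texts (not real invoices)
ORIGINAL = "Total due: 9900.00 EUR"
ALTERED = "Total due: 100.00 EUR"

def demo() -> dict:
    """Compare both 'hashes' on the original and on the padded alteration."""
    padded = pad_to_same_sum(ORIGINAL, ALTERED)
    return {
        "padded": padded,
        "sum_matches": ascii_sum(padded) == ascii_sum(ORIGINAL),
        "sha256_matches": sha256_hex(padded) == sha256_hex(ORIGINAL),
    }

if __name__ == "__main__":
    print(demo())
```

A plain transposition such as "1290" and "9120" collides under the sum without any padding at all, which is why a signature must be computed over a cryptographic hash.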
How does an electronic signature work?
The document to be signed is hashed with a specific algorithm (for example, SHA-256) and the result obtained is mathematically operated with an asymmetric signature function (for example, RSA or ECC) with the private key of the signer (normally the private key resides in a chip card or a cryptographic token, and does not leave it, so the hash is sent to the chip and it is the chip that performs the cryptographic operation). The signature is made up of the result of that operation on the chip (which is sometimes called a PKCS #1 value), and the signer’s certificate containing their data and the public key cryptographically related to the private one.
If the document and the signature are sent to the recipient (sometimes the document format used allows the signature to be embedded inside, as is the case with PDF files), the recipient can perform the equivalent process in reverse to verify the signature.
The recipient extracts the public key from the certificate and applies the cryptographic function with it to the PKCS #1 value, from which the hash value is extracted. The recipient then calculates the hash value of the document and compares it with the value obtained from decrypting the PKCS #1 signature. Both must be the same. If they are not the same, there is a problem somewhere: for example, the document has changed in transmission or has been tampered with.
Therefore, an important effect of the electronic signature is that it guarantees the integrity and inalterability of the electronically signed documents.
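The signing and verification flow described above, written out as an added example (not code from the original post or from any approved digitisation software). It uses SHA-256 with the RSA PKCS #1 v1.5 encoding in pure Python; the key is a constructed demonstration key built from two known Mersenne primes and is not secure, and the function names and sample document are assumptions.

```python
import hashlib

# Constructed demonstration key from two known Mersenne primes. NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                   # public key: would travel in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))     # private key: would never leave the chip
K = (N.bit_length() + 7) // 8         # modulus length in bytes

# DER prefix of the DigestInfo structure for SHA-256 (PKCS #1 v1.5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode_hash(document: bytes) -> int:
    """Hash the document and wrap the hash in PKCS #1 v1.5 padding."""
    t = SHA256_PREFIX + hashlib.sha256(document).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(document: bytes) -> bytes:
    """Signer side: private-key operation on the encoded hash."""
    return pow(encode_hash(document), D, N).to_bytes(K, "big")

def verify(document: bytes, signature: bytes) -> bool:
    """Recipient side: public-key operation, then compare with a fresh hash."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    # Compare the whole recovered block with a freshly built one, rather than
    # parsing the hash out of it, so malformed padding is rejected too.
    return pow(s, E, N) == encode_hash(document)

# Constructed sample document (not a real invoice)
SCAN = b"%PDF-1.7 scanned invoice no. 0001, total 9900.00 EUR"

if __name__ == "__main__":
    sig = sign(SCAN)
    print("original verifies:", verify(SCAN, sig))
    print("altered verifies: ", verify(SCAN.replace(b"9900", b"0100"), sig))
```

In a real deployment the private-key step runs inside the chip card, token or HSM, and the recipient must also validate the certificate itself before trusting the public key.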
The certificate used to sign is issued by a “certification authority” or a “trust service provider”. The issuance of electronic certificates is one of the possible “trust services” and, therefore, a “certification authority” is a “trust service provider” entity.
These entities verify the identity of the certificate applicants and after that they issue them an electronic certificate associating the public key of the certificate with a private key that must be secretly guarded by the certificate holder with maximum security.
The Electronic Certificate
The electronic certificates of a natural or legal person are electronic documents that contain information about the issuer, the period of validity of the certificate, the identity of the signer, …
The important thing is that this certificate links the public key with the identity of a specific person and that it is signed by the certification body, which has verified the applicant’s identity documents and their correspondence with the applicant’s characteristics. When the certificate is issued, its link with the private key is also established under the exclusive control of the signer.
Although unqualified certification authorities can issue certificates, in Europe qualified certification bodies, which issue qualified certificates, are preferred.
In Spain there are a significant number of qualified certificate issuing entities, among which we can mention Camerfirma, EADTrust, FNMT (CERES), Ivnosys or Vintegris.
In certain signature modalities (such as AdES-T or long-lived signatures) it is convenient to include information about the moment when the signature was created, which is done by adding a time stamp. Time stamps are issued by the Time Stamp Authority (TSA).
The timestamp shows that a certain combination of data existed before a given time and that none of this data has been modified since then.
In short, for the certified digitization of documents, an electronic certificate is needed with which to make the electronic signature on each of the scanned documents.
This requirement and the guarantee of integrity of the database in which the keeping of the invoice digitization process is managed are the most relevant to pass the audit that allows requesting the approval of the software from the AEAT.
Certified Digitization in the field of Justice.
Within the framework of the Lexnet regulations, the GIS for Certified Digitization has been defined by the CTEAJE (State Technical Committee of the Electronic Judicial Administration).
This standard allows any document to be digitized for presentation in legal proceedings, so it has a special value:
- It is used in the private sector to digitize any document, not just invoices
- It allows you to have digitized documents in case they are needed at any given time for a trial. This used to be the main reason for keeping paper documents: in case they were needed in court.
The requirements for certified digitization in the field of justice are very similar to those required in the tax field:
- Electronic signature of scanned documents
- Protection of the integrity and inalterability of the digitization record database
How do I start a certified digitization process?
To carry out the certified digitization of invoices in a company, it is necessary to have a software approved by the AEAT or by any of the foral estates of Alava, Guipuzcoa, Navarra or Vizcaya.
In order for the software to be able to carry out an electronic signature on each scanned invoice, it must be equipped with a qualified certificate. The current trend is to equip the software with a qualified legal entity certificate, in which case the resulting electronic signatures are called “qualified electronic seals” if they are managed in a device called “Qualified Seal Creation Device” (equipment that is also called HSM «Hardware Security Module»).
It is possible to carry out “certified digitization” or “guaranteed digitization” processes in the context of public administration, for which several of the Technical Interoperability Standards apply. In particular, that of authentic copy, that of digitization, that of signature policy and that of electronic document.
The ValidE portal provides some tools to validate electronic signatures and certificates. The EADTrust DSS tool also provides a lot of information about the certificates and signatures of electronic documents, whether or not they are the result of certified digitization.
Perhaps someone asked this question: is it necessary to start from the printed invoice document to be able to scan it in a certified digitization process or can an invoice received in pdf format be electronically signed?
The answer is given by ORDER EHA / 962/2007, of April 10, which develops certain provisions on telematic invoicing and electronic conservation of invoices in the different articles of which it consists.
Certified scanning can only be done from paper documents.
However, the issuer and receiver can reach an agreement that the issuer of the invoice acts by sending “pre-invoices” in PDF format to the receiver and that the receiver converts them into electronic self-invoices by adding the electronic signature, which is the fundamental requirement of the electronic invoice. The regulations allow invoices to be managed by the recipient (self-invoice) or a third party on behalf of the invoice issuer, who is usually the one who adds the electronic signatures or electronic stamps.
What to do if the device containing the electronic certificate is lost or stolen
In case of loss or theft of the device in which the private key associated with the electronic certificate is housed, it is necessary to request the revocation of the certificate by going to a Registration Authority of the Certification Authority that issued the certificate. Some certification authorities offer the possibility of remote revocation, using codes that were provided at the time the certificate was issued.
For example, EADTrust has a specific page and a form to request the revocation of the certificate.
Outsourcing of certified digitization processes
When a process is not focused on the core business of a company but can pose a significant administrative burden due to its volume, many entities resort to business process outsourcing (BPO).
A Certified Digitization service performed by third parties or a Remote Electronic Seal service managed by a qualified digital trust service provider can help in these cases.
Article 7 of Order EHA / 962/2007 indicates:
«This digitization process must meet the following requirements:
a) That the digitization process be carried out by the taxpayer himself or by a third party provider of digitization services, in the name and on his behalf, using in both cases software of certified digitization (…)
b) That the digitization process used guarantees the obtaining of a faithful and complete image of each digitized document and that this digital image is signed with an electronic signature in the terms of the previous articles of this Order based on an electronic certificate installed in the scanning system and invoked by the certified scanning software. This certificate must correspond to the taxpayer when the certified digitization is carried out by himself or to the digitization service provider in another case.»
Advantages of Certified Digitisation
These are some of the advantages of Certified Digitisation:
- Saving time in the search for documents, since, as they are documents in electronic format, searches can be generated by keywords.
- Increase the efficiency and productivity of employees by saving time in filing and searching invoices, reducing errors.
- Frequently digitization allows incorporating the information of the invoices in the accounting or ERP system.
- By having digital documents managed by computer software and stored in a secure repository, decision-making is streamlined by being certain that all the information is available.
- Saves storage space by not having to guard paper documents and saves other costs related to archival material
- It facilitates the adoption of environmentally respectful procedures and, indirectly, helps to pass a possible ISO 14001 type audit
Give us a call
You can contact EADTrust by calling +34 917 160 555 if you need help to homologate a certified digitization software to be approved by the Spanish Tax Agency or if you need electronic certificates to be used in Spain or Europe.