What Is Digital Certification?

Introduction

For a long time, people have used pen signatures, stamps, seals and the like to prove the authenticity of documents, to express agreement, to declare responsibility and so on. Today, many of these actions have to be carried out over the Internet. But how can you ensure authenticity, express agreement or declare responsibility online? That is where digital certification comes into play.

This type of resource is being used by governments, businesses of all sizes and other institutions to ensure the legal validity, authenticity and integrity of transactions carried out over the Internet. How does digital certification allow this? In what situations is it used? What is its relationship with concepts such as the digital signature? That is what you will discover in the next lines.

What is Digital Certification?

The Internet allows individuals, companies, governments and other institutions to perform a series of electronic procedures and transactions quickly and precisely. Thanks to this, it is possible to close deals, issue or receive documents, access or make available sensitive information, reduce bureaucratic processes, etc., all online.

However, in the same way that electronic means offer resources for all of this and a little more, they can also be used for fraud or tampering, which means that transactions carried out electronically need to be reliable and secure. Digital certification is able to meet this need.

So, in essence, what is digital certification? Digital certification is a kind of identification technology that allows electronic transactions of the most varied types to be carried out with regard to integrity, authenticity and confidentiality, so as to prevent tampering, interception of private information or other types of improper actions.

How does digital certification work?

Digital certification works on the basis of an electronic document called a digital certificate. But to understand the function of this resource, it helps to first study another concept: the digital signature.

What is a digital signature?

Imagine that you are traveling on business and need to send sensitive documents to the company headquarters. Given the distance, the quickest way to do this is to use the Internet: in a matter of seconds the documents arrive at their destination.

Now, think about the following: if you chose to send the documents in printed form, you would certainly sign the papers in pen to prove their authenticity and reinforce your responsibility for them, right? In addition, you would most likely use a safe delivery service and would instruct the courier to leave the documents only with authorized people.

But you are far away and must deliver these documents over the Internet. How can you put into practice the measures that attest to authenticity and responsibility for these documents if all you have are electronic files?

Scanning your signature with a scanner is not a good idea; after all, anyone can alter it in image editing software. Sending the documents by e-mail without any type of protection is also risky, because people with enough knowledge of the means of transmission can intercept them without you realizing it. The way out is to use a digital signature.

The digital signature is nothing more than an electronic mechanism that makes use of cryptography, more precisely, of cryptographic keys. In a few words, encryption is a process that encodes (or encrypts) digital information so that only the sender and the receiver can access the data it contains. You can learn more about encryption here at AbbreviationFinder.

Cryptographic keys — public and private

Cryptographic keys are, in a few words, a set of bits based on an algorithm that has well-defined rules for encrypting and decrypting information. You can use symmetric keys or asymmetric keys; the latter are better known as public keys.

Symmetric keys are simpler, since with them the sender and the receiver use the same key to, respectively, encrypt and decrypt the protected information.

The asymmetric mode, in turn, works with two keys: the private key and the public key. Both are generated together, so each is directly associated with the other.

To understand the asymmetric mode, assume that you have these keys. You need to make one of them available so that people, businesses and other organizations can send sensitive information to you. This is the public key. The second key, the private one, is what you use to decrypt the data and access the information that was sent to you with the public key. The private key is, consequently, confidential and individual.

Confidentiality and authenticity

This key scheme addresses two important aspects: confidentiality and authenticity. The first consists in making the information accessible only to authorized persons or organizations; the second, in assuring the receiver that the information comes from the expected source and in the expected form.

With regard to confidentiality, the sender needs to have the public key of the recipient. Through appropriate algorithms, the document is then encrypted with that public key. From there, the receiver uses the corresponding private key for decryption and subsequent retrieval of the information.

Note, however, that any person who has the public key can send information. How, then, can you know that it does in fact come from a certain source? For that, that is, to address the aspect of authenticity, a somewhat similar procedure is needed: the issuer also makes use of its private key to encrypt the information.

Based on this, the receiver must use the sender's public key for decryption. Note that, with this, the recipient can be sure that the information it received comes from the expected source, because only that source has the private key that encrypted the content.

Integrity

Is this all we need for a digital signature? No. It is also necessary to consider the use of what is known as a hash function, which serves the aspect of integrity. In a nutshell, this resource is a cryptographic procedure through which the information to be transmitted must pass. The result obtained is a unique code called a digest or hash. The code generated for a given piece of information is always the same, regardless of the volume of data handled.

The digital signature consists in the use of the hash function together with the document to be transmitted and in the application of the key scheme. In the verification process, the hash is calculated and decryption is performed with the public key of the issuer. If there are changes in the information, however small, these changes will make the hash different. The parties involved will then know that the document may, for example, have been tampered with.
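The verification described above, as an added example that is not part of the original article: the hash is transformed with the private key, and the receiver recovers it with the public key and compares it with a freshly computed hash. It uses textbook RSA from the Python standard library with a constructed toy key; the key values, sample documents and function names are assumptions for illustration, and real systems use a vetted library with padded signatures such as RSA-PSS.

```python
import hashlib

# Constructed toy key pair built from two publicly known Mersenne primes:
# for demonstration only, it offers no security at all.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent (public key = N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (private key)


def digest(document: bytes) -> int:
    """Integrity step: SHA-256 hash of the document, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Issuer side: transform the hash with the private key."""
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver side: recover the hash with the issuer's public key and
    compare it with a hash computed over the document actually received."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(document)


def demo() -> dict:
    original = b"Transfer 100.00 to account 12345"   # constructed sample
    tampered = b"Transfer 900.00 to account 12345"   # one character changed
    sig = sign(original)
    # A second constructed modulus stands in for some other party's public key.
    other_n = (2**127 - 1) * (2**1279 - 1)
    return {
        "valid": verify(original, sig),               # untouched document
        "tampered": verify(tampered, sig),            # hash no longer matches
        "wrong_key": verify(original, sig, E, other_n),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```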

What is a Digital Certificate?

Now that you know what a digital signature is, it becomes easier to understand the concept of a digital certificate. Basically, this is an electronic document with a digital signature that contains data such as the name of the user (which may be a person, a company, an institution, etc.), the issuing entity (you'll learn more about this later), the validity period and the public key. With the digital certificate, the interested party obtains assurance that it is dealing with the expected person or entity.

An example of the use of digital certificates comes from banks. When a person accesses their checking account via the Internet, digital certificates are used to assure the client that they are conducting financial transactions with their bank.

If this person clicks on the corresponding icon in the Internet browser, they can get more details about the certificate. If there is a problem there (the validity period of the certificate has expired, for example), the browser will alert the user and, depending on the application, will prevent transactions until everything is resolved.

Types of ICP-Brasil certificates

ICP-Brasil works, essentially, with two categories of digital certificates, A and S, each of which is divided into four types: A1, A2, A3 and A4; S1, S2, S3 and S4.

Category A certificates tend to be used for identification and authentication purposes. You can use them to sign documents or to validate electronic transactions, for example. Category S, in turn, is directed at confidentiality activities, such as the protection of confidential files.

Here are the main features that make the types in both categories differ from each other:

– A1 and S1: keys generated by software; minimum key size of 1024 bits; storage on devices such as hard drives and USB sticks; valid for a maximum of one year;

– A2 and S2: keys generated by software; minimum key size of 1024 bits; storage on a smart card (with chip) or token (a USB device similar to a USB stick); valid for a maximum of two years;

– A3 and S3: keys generated by hardware; minimum key size of 1024 bits; storage on a smart card or USB token; valid for a maximum of five years;

– A4 and S4: keys generated by hardware; minimum key size of 2048 bits; storage on a smart card or USB token; valid for a maximum of six years.

The A1 and A3 certificates are the most used. The first type is usually stored on the applicant's computer (as a rule, integrated into the Internet browser), while the second is stored on smart cards or tokens protected by a password.

It is also worth mentioning type T certificates. This category describes time certificates (timestamps), which attest to the time and date at which a document was digitally signed, in addition to confirming the identity of the sender.

Time certificates, also called Time Stamps, must be issued by a Time Certifying Authority (ACT), in accordance with the rules of ICP-Brasil. Among them are Caixa Econômica Federal and Valid Certificadora Digital.

Validity

You may have noticed that certificates have a validity period. They are not like conventional documents (RG and CNPJ, for example) that, once issued, can be used indefinitely. After expiration, a renewal must be requested (there are no costs to this, such as in the first issuance).

It is possible, however, to revoke (cancel) a certificate at any time before its validity end date. All that is needed is for the request to be forwarded to the responsible CA. This request must be made, for example, when there is a suspicion of fraud involving the use of the certificate.

Obviously, it is not possible to sign with an expired or revoked certificate, but signatures made within the validity period remain valid and can be verified at any time.

e-CPF and e-CNPJ

Talk of digital certification in Brazil often refers to two major initiatives: the e-CPF and the e-CNPJ. The first is, essentially, a digital certificate directed at natural persons, being a kind of extension of the CPF (Register of Natural Persons).

The e-CNPJ is a digital certificate intended for companies and institutions and is, in the same way, a kind of extension of the CNPJ (National Register of Legal Persons).

With an e-CPF, a person has access over the Internet to various services of Brazil's federal revenue service (Receita Federal), many of which were until then available only at the institution's service desks. You can, for example, transmit income tax returns in a safer manner, see details of these returns, check your fiscal situation, correct payment errors, etc.

In the case of the e-CNPJ, the benefits are similar, and the certificates can also be used to validate transactions between legal persons.

The e-CPF and e-CNPJ are available in types A1 and A3. The images below, obtained from the federal revenue service (Receita Federal) web site, show models of smart cards (type A3) for these certificates:

It is important to note that the e-CPF and e-CNPJ are not free of charge. They must be acquired from entities partnered with the federal revenue service (Receita Federal), such as Certisign and Serasa. Prices are not standardized and vary according to the providing institution and the type of certificate (A1 or A3).

NF-e

The Electronic Invoice (NF-e) is a type of tax document in digital format that serves to register the transfer of ownership of a good or a commercial service provided to companies and individuals. It is easier to understand if we interpret the NF-e as an electronic version of the traditional (paper) invoice, as the name itself indicates.

Since 2007, the Electronic Invoice has been part of the so-called Public Digital Bookkeeping System (SPED) and is, in fact, mandatory in Brazil. As a result, the NF-e has fiscal and legal validity. This validity is guaranteed by the digital signature, which means that this type of document also makes use of digital certification.

Alongside the NF-e there is usually the Electronic Consumer Invoice (NFC-e), a type of document that is also issued and stored electronically, designed to document the associated commercial operation. The NFC-e replaces documents such as the tax coupon issued at store checkouts.

Like the e-CPF and e-CNPJ, digital certificates specific to the NF-e must be purchased from authorized entities, such as Certisign and Serasa.

Attribute certificate

A concept closely associated with digital certification is what is known as an Attribute Certificate. This type of resource is based on digital certificates that adhere to a technical standard known as X.509.

The attribute certificate serves authorization purposes. A company can use it to allow certain staff to access sensitive systems or documents, for example. To that end, these employees' digital certificates receive a field or a set of information, the attribute itself, that qualifies them for this form of access.

When the user no longer has this attribute, the access is then revoked. This can happen if the employee is fired or transferred to another sector, to give just two examples. Note, however, that the loss of the attribute does not necessarily cause that user's digital certificate to be canceled. This is one of the main advantages of attribute certificates.

In Brazil, attribute certificates that are compatible with the structure of ICP-Brasil must be issued by an Attribute Certificate Issuing Entity (EEA).

Ending

Before ending this text, a note: you saw here that it is thanks to ICP-Brasil that digital certifications are widely accepted and used in the country, especially from the legal point of view. However, it is worth stressing that any institution can create its own PKI (ICP), regardless of its size.

For example, if a company creates a policy of using digital certificates only for the exchange of information between headquarters and its subsidiaries, it does not need to request such certificates from a CA controlled by ICP-Brasil. The company itself can create its PKI and, for example, have a department of the branch offices act as a CA or RA (certificate authority or registration authority), requesting or issuing certificates for employees.

If you want to know more details about digital certification in Brazil, please visit the website of the ITI. At that address it is possible to access documents about legislation, procedures, resolutions, etc., as well as get news and guidance on the subject.
