What is Digital Signature & How to Create it?

IBRM has recently implemented e-invoicing in Malaysia, requiring every e-invoice to be authenticated by the digital signature of the authorized signatory of the business. 

While e-invoicing is a new concept, digital signatures have been used since the 1990s, predominantly within corporate and legal settings. They hold the same validity as a physical signature or thumbprint.

This blog aims to provide comprehensive insights into digital signatures in Malaysia, covering various aspects such as their functionality, applications, legal validity, creation process, necessary documentation, limitations, and more.

Part A: General Information

What is a digital signature?

A digital signature is a cryptographic technique to validate the authenticity, integrity, and non-repudiation of digital documents or electronic messages. It serves as the electronic equivalent of a handwritten signature on paper documents, providing assurance of the identity of the signer and ensuring that the document has not been altered since it was signed.

How Does Digital Signature Work?

A digital signature works through a process called asymmetric cryptography, also known as public-key cryptography. Here's how it typically works:

1. Key Generation: Users create a pair of cryptographic keys - public and private keys.
2. Signing the Document:

• The signer creates a unique hash of the document using a mathematical algorithm.
• The hash is encrypted with the signer's private key to create the digital signature.

3. Verification:

• Recipients decrypt the digital signature using the signer's public key to obtain the hash.
• They generate a new hash of the document and compare it with the decrypted hash to verify authenticity.

4. Certificate Authority (CA):

• Trusted third-party CAs verify signer identity and issue digital certificates containing public keys.

5. Non-repudiation:

• Digital signatures ensure non-repudiation, meaning signers cannot deny signing the document which is done through private key.

E-Signature vs Digital Signature

Electronic Signature (e-signature): An e-signature is a broad term that encompasses any electronic indication of a person's intent to agree to the content of a document or transaction. This can include scanned signatures, a typed name, clicking an "I agree" button or even a biometric signature captured on a touchscreen device.

Digital Signature: A digital signature, on the other hand, is a specific type of electronic signature that utilizes cryptographic techniques to ensure the authenticity and integrity of the signed document. It involves using a digital certificate issued by a trusted Certificate Authority (CA) and employing public-key cryptography to sign and verify documents.

Here are the major differences between E-signature and Digital Signature

Role of Certificate Authorities (CAs) in Digital Signatures

Certificate Authorities (CAs) are critical in ensuring the authenticity and security of digital signatures. Their role includes:

• Issuance of Digital Certificates: CAs provide digital certificates, linking an individual or entity's identity to a public key, crucial for verifying digital signatures.
• Verification of Identity: CAs thoroughly verify the identity of applicants before issuing certificates to prevent fraud.
• Binding Public Keys to Identities: Upon verification, CAs issue digital certificates containing the applicant's public key, signed by the CA to affirm its legitimacy.
• Distribution of Certificates: CAs maintain repositories for public access, allowing users to verify the validity of certificates and maintain trust in digital transactions.
• Validation of Digital Signatures: Recipients use the CA’s public key to validate digital certificates and signatures, confirming their genuineness and the document's integrity.
• Trust Chain Verification: CAs establish a trust chain by ensuring each certificate in the sequence is validated by the preceding one, guaranteeing that all certificates come from trusted CAs, thus bolstering the security and trustworthiness of digital signatures.

Part B: Digital Signature in Malaysia

Applicability of Digital Signature in Malaysia

Digital signatures are widely utilized across Malaysia, regulated by the Digital Signature Act 1997 (DSA 1997) since October 1, 1998. This legislation ensures the security and legality of electronic transactions, requiring validation through certificates issued by licensed Certification Authorities (CAs). The Malaysian 

The Communications and Multimedia Commission (MCMC) oversees and enforces the DSA 1997, enhancing the trustworthiness of digital signatures for various sectors.

Here are some most common use cases of Digital Signatures in Malaysia

• Compliance: Used for filing reports, tax returns and generating e-invoices in Malaysia.
• Government services: Used for procurement, licensing, and regulatory compliance.
• Financial Services: Authenticate online transactions and mitigate fraud.
• Legal and Commercial Contracts: Expedite contract execution and reduce paperwork.
• Education: Issue academic transcripts and certifications securely.
• Cross-Border Trade: Facilitate electronic documentation for international trade.

Non-Applicability of Digital Signature

Not all types of legal documents or contracts can be signed with a digital signature. These include:

• Power of Attorney documents as per section 2(2) of the Electronic Commerce Act (ECA).
• Wills, codicils, and trusts as per section 2(2) of the ECA.
• Negotiable instruments, bills of exchange, and promissory notes as per section 2(2) of the ECA.
• Any instrument dealing with properties under the Malaysian National Land Code.
• Statutory Declarations under the Statutory Declarations Act 1960.

Who needs a Digital Signature in Malaysia?

1. Businesses: Managers, owners, directors, partners, and authorized signatories of corporations rely on digital signatures for generating e-invoices, signing contracts and agreements, board meeting minutes, filing tenders, secretarial compliances, financial documents, and more.
2. Government officials: Federal and state-level government agents use digital signatures for authenticating official documents.
3. Legal and Financial Professionals: Lawyers, accountants, and financial advisors utilize digital signatures for signing legal contracts, financial statements, and client agreements securely.
4. Healthcare Providers: Hospitals and clinics use digital signatures for signing electronic health records, medical prescriptions, and consent forms.
5. Educational Institutions: Key managerial personnel of universities and colleges use digital signatures for administrative tasks like signing enrolment forms, academic transcripts, and certificates.
6. Individuals: People use digital signatures for personal transactions, signing contracts, agreements, or documents electronically.

Different Classes of Digital Signature

Digital signature certificates are categorized into different classes based on the level of trust and assurance they provide. In Malaysia, there are three main classes of digital certificates: Class 1, Class 2, and Class 3. Here's an overview of each class:

Part C: Obtaining a Digital Signature in Malaysia

How to Get a Digital Signature in Malaysia?

In Malaysia, Certification Authorities (CA) are responsible for verifying the identity of applicants and issuing digital certificates, ensuring the security and integrity of digital transactions. 

Here's a step-by-step guide on how to acquire a digital signature in Malaysia:

1. Choose the Right Certification Authority: Select a licensed Certification Authority (CA) recognized by the Malaysian Communications and Multimedia Commission (MCMC). 
2. Complete the Application Form: Fill out an application form provided by the chosen CA. This form requires basic personal information, company details, and details about the intended use of the digital signature.
3. Submit the Necessary Documents: These documents may include proof of identity, such as a copy of your identification card or passport, as well as any additional documentation specified by the CA.
4. Pay Applicable Fees: Digital signature services involve certain fees, which vary depending on the type of digital certificate required. Class 1, Class 2, and Class 3 certificates have different levels of security and functionality.
5. Undergo Identity Verification: Before issuing the digital certificate, the CA will verify your identity to ensure that the information provided in the application is accurate. 
6. Receive and Use: The CA will issue your digital certificate once your identity has been verified. You can then use this digital signature to sign electronic documents securely and legally in accordance with Malaysian laws and regulations.

How Digital Signature Works for e-Invoicing in Malaysia?

In Malaysia, the process of using digital signatures for e-invoicing is designed to ensure the integrity and security.

Here’s a step-by-step overview of how digital signatures works in the e-invoicing process:

1. Generating e-Invoices: Businesses generate e-invoices in a structured digital format, either XML or JSON. 
2. Hash Calculation: Once the e-invoice is generated, the hash value of the document is calculated using a secure hashing algorithm like SHA-256. This hash value is unique to the content of the e-invoice and any change in the 
3. Digital Signature: The hash of the e-invoice is then digitally signed using the signer's private key, which is part of the digital certificate issued by a trusted CA. This process creates a digital signature that is unique to both the document and the signer.
4. Invoice Submission: The digitally signed e-invoice, including the signature value, is embedded within the XML or JSON document. The complete e-invoice is then submitted to the Inland Revenue Board of Malaysia (IRBM) through their designated APIs.
5. Validation by IRBM/LHDNM: Upon receiving the e-invoice, the IRBM decrypts the signature using the signer's public key. They then calculate the hash of the e-invoice and compare it with the decrypted hash. If the hashes match, the invoice is considered valid; otherwise, it is deemed invalid.

IRBM Guidelines for Creating Digital Signatures in Malaysia

Below are the requirements and additional considerations for creating digital signatures for e-invoicing as outlined in Software Development Kit version 1.0:

• Digital Signature Algorithm: The XAdES (XML Advanced Electronic Signature) algorithm must be used. A timestamp needs to be added to the signed properties to ensure the signature's validity, even if the signer’s certificate is later revoked.
• Hashing Algorithm: The SHA 256 algorithm is required for hashing.
• Signature Algorithm: RSA is the required signature algorithm.
• UBL 2.1 XML Standard: This standard inherently includes the necessary digital signature requirements as outlined in the UBL Digital Signature Profiles 1.0.
• Enveloped Digital Signature Profile: The signature is applied to the XML content, which includes the <ds:Signature> element. It's crucial that the <ds:Signature> element and its sub-elements are not included in the digest and signature value calculations, following the specified algorithm.
• UBL 2.1 JSON Alternative Representation Version 2.0: This version doesn’t specify the use of digital signatures in JSON documents. However, this is supported through a foreign extension, which is a transliteration of the UBL extension for digital signatures.
• Multiple Signatures Support: Although UBL 2.1 allows for multiple signatures in a document, the current requirement is to include only a single signature element, the specifics of which will be detailed later.

Documents Required to Apply for Digital Signature

1. Identity Proof: Copy of MyKad (for individuals) or company registration documents (for businesses).
2. Business Registration Documents: Certificate of incorporation, registered partneship deed etc
3. Address Proof: Utility bill, bank statement, or rental agreement.
4. Authorization Documentation: Letter of authorization for company representatives.
5. Additional Information: Depending on CA's requirements and certificate purpose.

Benefits of Using Digital Signature

Digital signatures are much better and have a large scope of applications than other forms of electronic signatures. Here are the major advantages of Digital Signature

1. Integrity: Digital signatures ensure documents remain unchanged after signing, reducing tampering risks.
2. Authentication: Only licensed Certification Authorities issue digital certificates, verifying the signer's identity and minimizing impersonation risks.
3. Nonrepudiation: Signers cannot deny their signature, providing evidence of document origin and identity.
4. Time-Stamped: Documents are time-stamped, aiding in traceability and establishing when they were signed.
5. Legally Binding: Digital signatures carry the same legal weight as handwritten ones, offering enhanced evidential value.
6. Convenience: Digital signing simplifies processes, allowing signing from anywhere with an internet connection, boosting efficiency and reducing paperwork hassles.

Limitations of digital signatures

Although digital signatures are a great tool for security and authentication. But like any other technology, they too have their limitations:

• Dependency: A secure digital signature relies on the careful management of cryptographic keys. If they are lost, compromised, or mishandled, it can lead to security breaches.
• Limited use: They often require an internet connection for verification which limits their use in remote or offline environments.
• Complexity: A few recipients may find it challenging to verify digital signatures due to unfamiliarity with this technology, leading to potential delays in processing documents.
• Compatibility: Digital signature formats may not be universally compatible across all platforms and software and also may not have legal recognition.

Conclusion

As Malaysia's digital economy continues to advance, the adoption of digital signatures is crucial for businesses, facilitating secure and seamless filing, compliance and legal documentation.

The recent e-invoicing mandate by IBRM has significantly expanded the scope and importance of digital signatures in Malaysia.