Elevating eSignatures to the Next Level: Understanding the Technology Behind Qualified Electronic Signatures (QES)

The adoption of eSignature worldwide is shaping the future of modern business workflows. Enterprises embrace eSignature for a host of reasons. It can be for process improvements, compliance, to increase productivity, or to save costs, but the most crucial reason eSignature is becoming popular is security.


Most eSignature vendors offer standard eSignature, which provides basic security measures. To overcome the shortcomings of Standard eSignatures and to meet the compliance requirements, Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES) were introduced. AES and QES offer advanced security measures to ensure the authenticity and integrity of documents signed electronically.


Between AES and QES, QES is considered to be more secure. Under the eIDAS Regulation, QES is regarded as a legal alternative to “wet” or paper-based signatures in the European Union. Why is QES a more secure alternative to AES, and How do they work?


In this blog, we’ll answer this question and help you understand QES and the technology behind it.

Technology Behind Qualified Electronic Signatures

What are Qualified Electronic Signatures or QES?

A Qualified Electronic Signature is a type of electronic signature that provides a higher level of security and is considered equivalent to handwritten signatures. QES is created using a qualified certificate and a Qualified Signature Creation Device or QSCD. Like the AES, QES is also based on Public Key Infrastructure (PKI). It certificates to ensure authenticity and checks for any changes to the document to ensure integrity.


Choosing between AES and QES depends on the signature level you need to meet legal and regulatory compliance. For instance, under the eIDAS, QES is considered an equivalent of handwritten signatures all over the European Union. Therefore, QES may be a better alternative to Standard eSignatures to ensure high security and legal enforceability. While both AES and QES use certificates, why is using a signature creation device unique to QES? 

Role of Qualified Signature Creation Device or QSCD in QES

Both AES and QES use certificates for signing. Qualified Electronic Signatures or QES is an AES that uses a qualified certificate issued by a Qualified Trust Service Provider (QTSP). A Trust Service Provider (TSP) authenticates the identity of a signatory and gives a digital certificate. A TSP accredited by a national body becomes a Qualified Trust Service Provider (QTSP).


The use of electronic signature creation devices is unique to QES. A Qualified Signature Creation Device or QSCD can be a USB Key, Smart Card or Badge.

Here’s an overview of how they work:


1. Secure Key Generation and Storage: QSCDs typically generate a pair of cryptographic keys: a private key and a corresponding public key. The private key is securely stored within the QSCD’s hardware or software, making it extremely difficult for unauthorized parties to access or copy.


2. User Authentication: Before using a QSCD, the authorized user must authenticate themselves using a robust authentication method, such as a PIN code, biometric data (e.g., fingerprint), or a smart card. Authentication ensures that only the authorized person can use the QSCD to create electronic signatures.


3. Signing Process: The QSCD takes the calculated document hash and signs documents the signer’s private key. This process generates a digital signature. The digital signature is unique to the document and the private key, ensuring the document’s integrity and the signer’s identity.


4. Binding Signature to Document: The digital signature, along with the document hash, is attached to the electronic document, creating a signed electronic record, and this ensures that any subsequent changes to the document will invalidate the signature.


5. Qualified Certificate: QSCDs often require a qualified digital certificate from a QTSP. The qualified certificate links the public key of the QSCD to the signer’s identity, providing proof of the signer’s identity.


6. Verification: To verify the validity of a qualified electronic signature, the recipient or a third party can use the signer’s public key to verify the digital signature. The recipient can also verify the signer’s identity with the qualified certificate. 

Benefits of using a Qualified Signature Creation Device or QSCD

Ensuring the security and authenticity of these digital signatures is of paramount importance. Qualified electronic signatures, backed by Qualified Secure Signature Creation Devices (QSCDs), offer a robust solution to address these concerns. Here are a few benefits of using QSCD:


1. Secure Storage of Private Keys: QSCDs securely store private keys in a tamper-proof and tamper evident environment. These devices are designed with hardware-based security mechanisms that safeguard the keys from unauthorized access and potential breaches.


2. Tamper-Proof and Tamper-Evident Features: QSCDs are equipped with tamper-proof and tamper-evident features that detect unauthorized attempts to access or modify private keys. This property ensures that the private keys remain intact and secure throughout their lifecycle.


3. Identity Verification: QSCDs verify the identity of the signer rigorously. This authentication process ensures that only authorized individuals can use the device to generate digital signatures, adding an extra layer of security to the signing process.


4. Use of PINs and Authentication Methods: QSCDs often require the use of Personal Identification Numbers (PINs) or other robust authentication methods to access and use the device. This adds a layer of protection, making it more challenging for unauthorized individuals to misuse the device.


5. Contributing to Legal Admissibility: QSCDs contribute to the legal admissibility of digital signatures by providing a secure and trusted means of creating these signatures. Courts and regulatory bodies often recognize QSCDs as reliable tools for verifying the authenticity and integrity of signed documents. 


When evaluating an eSignature solution, choose the one which offers flexibility in terms of level of eSignature, security, compliance, and pricing. QES are equivalent to wet ink signatures, but the technology behind qualified electronic signatures is sophisticated due to the use of hardware devices for signature creation. The higher level of security that QES offers comes with legal and regulatory compliance requirements.


Certinal eSignature offers three levels of eSignatures as eIDAS requires: standard, advanced and qualified. For Certinal QES users, the signer is handed a “token” or QSCD that allows the certifying authority to validate their identity before signing their documents after entering a personal PIN.


Informed decision-making is vital at the evaluation stage. Click here to read the analyst brief by Holly Muscolino, Group Vice President, Content Strategies, and the Future of Work at IDC, which covers the benefits, challenges, stakeholders, and considerations when evaluating eSignature solutions.


Request a demo to witness how Certinal Qualified eSignature can help your signing process be compliant and secure.

author avatar
Lokjith is a marketing content writer, and he writes about eSignature technology to raise awareness and help enterprises make informed decisions. Before discovering the SaaS industry, he organized Offline Marketing campaigns campaigns. He has a master’s degree from the Institute of Management Technology, specializing in Marketing.
Table of Contents


Related Resources

Recommended Resources

Certinal - IDC

Slash your Enterprise eSign & Web Form Costs by 50%!

Certinal's Enterprise-Grade Security & Compliance