How do electronic signatures work ?
Electronic signature are much safer than paper signatures
Our CRF XML-Signature demo
Try it out yourself !
I am interested in this technology
At the beginning of 2002, the World Wide Web Consurtium (W3C)
has approved and published the
specification for electronic signatures in XML documents. This means that not only
any file can be signed and the signature stored in an XML file, but also that elements within an XML file can
be signed and the signature stored within the XML document.
This opens the possibility to electronically sign e.g. CRF's stored in any format, but especially in XML format, and to add the signature to the CRF XML file itself. If then later, one or more characters in the CRF file change, the signature immediately becomes invalid automatically.
Tools to create, check and validate these electronic signatures have recently become available from the Apache organization and from Gapxse (Java language), the W3C (Python language), from T.J. Mather (for Perl), from M.I.T. (for the C-language). Toolkits are available from Baltimore, from Entrust, IBM, Infomosaic, NEC, Phaos, RSA Security, UbiSecure, Verisign (.NET), and Wedgetail.We recently constructed a demo, based on the Apache implementation, for signing XML-based CRF's. This demo is usually given as part of our presentations for the CDISC organization.
The XML-Signature as developed by the W3C is based on the public key - private key system (asymmetric keys).
A user has a private key which he/she keeps secret, and a public key which is distributed to the user's relations. The user signs a document with the private key (additionally an electronic certificate can be used to ensure the user's idendity). The receiver of the document then checks the validity of the signature. If a certificate is present, the receiver can ask a "Certification Authority" whether the certificate that was providid really belongs to the person who claims to have signed the document.
In paper life, signatures can easily be copied. In electronic signing, this is not possible. The reason is that the signature is a combination of the result of the private key, and of the content of the signed document. So, even though the electronic signature is nothing more than a set of (human-readable characters), it is never the same for two different signed documents, even if both documents were signed by the same person. This makes electronic signatures even more safe than hand-written signatures.
In our demo application (screenshot here), the signature is a so-called "enveloped signature".
This means that the signature is positioned within the XML element of which the remaining contents are signed.
A CRF (clinical Case Report Form) is taken, (here are the contents), the contents signed using username and password to retrieve the private key from the database, and the result written out, replacing the unsigned file (here is the result). The demo application also contains a validation tool, which validates the signature of a CRF which has been signed. If one or more characters in the CRF has been changed, the validation tool detects this, and gives a message that the signature is invalid.
Fig.1: screenshot of a signed CRF. The electronic signature is given with a yellow background (incomplete, the full file can be seen here. Not all the data of the CRF are visible, as the data tree is not fully expanded here.
People who know CDISC ODM, the worldwide standard for clinical data exchange and archival,
have already noticed that this CRF is just a subelement of the ClinicalData section of the ODM, the Operational Data Model.
Using the ODM, eCRF's can easily be designed, and web-based tools can be developed for adding the data to the CRF.
Fig2.: a web-based eCRF (Java applet). Required attributes (which MUST be filled) are flagged. Where attributes can only have specific values, a choice box is presented.
You can try out this technology yourself on our demo application server. You can submit XML files for signing, but also submit signed XML files for signature verification.
XML-Signature is currently being replaced by its extension XAdES (XML Advanced Electronic Signatures ).
One of the problems (among others) with XML-Signature was that when the certificate of the signer had expired, the whole signature became invalid.
This is not automatically the case anymore with XAdES. Also, XAdES obeys the European directives for electronic signatures, which XML-Signatire did not.
As XAdES-XML is essentially an extension to XML-Signature-XML, it is also supported automatically by CDISC ODM.
XML4Pharma can make this technology available in your applications. Examples are electronically signing of eCRFs, of CDISC ODM and Lab files,
or any other XML files for which you require authentication, or integrity assurance.
We can provide you as well as with server technology as with standalone applications, based on your requirements.