California, certificate authority, digital certificates, Digital Signatures, FIPS, Florida, non-repudiation, pedigree, PKI

Digital Signatures

Digital signatures are commonly mis-understood, but they play an important role in securing the pharmaceutical supply chain. The Florida pedigree regulations allow the use of digital signatures on electronic pedigrees so that they can be “self-authenticated”. That is, so the pedigree can be authenticated on receipt without employing methods that require some kind of communication with each upstream owner of the drug—like phone calls, faxes, emails, etc.

Digital signatures employed in pedigrees can self-authenticate without any kind of communication. This can be a huge timesaver because it can fully automate the detection of improper supply chain behavior. Large volumes of “clean” pedigrees can be processed without human review or intervention with only those that have a problem being presented to a user for manual review and handling.

It’s not necessary to understand the technical details, but understanding some of the non-technical characteristics of digital signature technology is important for those in the pharmaceutical supply chain. Florida encoded the use of FIPS (Federal Information Processing Standards) digital signature standards directly into their regulations. California seems poised to do something similar.

I want to explain digital signatures without getting too technical. That’s hard to do, but here’s a common misconception that is easy to dispel. The term “digital signature” does not mean something that looks like this:

This is a scanned image of a hand written signature (compliments of a spam/scam email I received this morning). You could call this a “digitized signature”, but it is far from a “digital signature”. The digitized signature may mean something to people when the image is displayed so they can see it, but it means nothing to a computer. Nothing more than a photograph. It’s just a bunch of bits.

A true digital signature is one that a computer can make sense out of. The “sense” it can make is to determine whether the signature is valid or not. For that to work, the digital signature has to be composed of data. Here is an example of a long-form demo digital signature in XML format like those found inside DPMS pedigrees. It includes the core signature as well as the signer’s public key for use in decoding the signature, and a certificate that is digitally signed by a certificate authority who is willing to attest to the signer’s identity.

It looks pretty technical, doesn’t it? It is, but don’t get bogged down in the details. The point is, with this type of data, a computer can verify that a known trusted authority (the certificate authority) is positively willing to attest to the identity of the signer and that the public key included is positively from the signer. The computer can then use the public key to verify that the information being signed (not visible in this example) has not been modified since the signer applied the digital signature. All of this can be determined without the computer needing to go elsewhere for additional information.

Probably the most important thing a digital signature provides is the quality of “non-repudiation”. That is, because the certificate authority has pre-identified the signer in a way that can include the review of legal records, and as long as the signer has kept their private key secret, the signer cannot later claim that they did not sign a set of digital information that bears their digital signature. They cannot disclaim it. The signer is tightly bound to the signed data.

That’s a lot more than your bank can tell from the handwritten signature on your checks. Digital signatures are better in almost all respects.

The FDA, other federal government agencies and most U.S. state governments have embraced the use of digital signatures in digital legal documents. In pedigrees, digital signatures provide strong evidence that the information signed can or cannot be trusted. That’s why they are an obvious choice by regulators who want to move beyond paper pedigrees.

In summary, digital signatures provide the following benefits when used in electronic documents:

  • Positive identification of the signer
  • Non-repudiation of the information that is signed
  • Positive confirmation that the signed information has, or has not been modified since being signed
  • Signature validation can be performed without needing to communicate with external entities

The use of digital signatures in DPMS pedigrees is the feature that turns, what would otherwise be just a blob of data, into a standalone legal document that can be easily validated without needing to acquire any other information. It’s what allows DPMS pedigrees to be used as evidence in court for prosecution of counterfeiters, diverters and thieves.

For a more technical description of digital signatures and the PKI (Public Key Infrastructure) technology behind it, start with the definition in Wikipedia.

Now that I have covered digital signatures in general I can move on to discuss their use in specific pedigree approaches. Stay tuned.