Add an electronic signature of requests and documents to the CRM interface

HG Wells very simply explained what the telegraph is:

- Imagine a giant cat, whose tail is in London, and the head is in Liverpool. If a cat steps on its tail in Liverpool, it will meow in London.

- And what is a wireless telegraph?

- It's the same, only without the cat.

An article about how to implement EDS in CRM and about different options for solving this problem.



The co-authors of the article are Denis Gurikov and Nikita Kalinin, I say thank you to them for the materials.



What for?



Sometimes documents need to be signed and sent, but the manager is not present. It is quite possible to forget later or to violate the terms. The documents accumulate in whole mountains. The manager sits and spends a lot of time signing papers.



And in general, “paper” in the 21st century is a non-ecological anachronism. Better without them at all. And you have to sign.



What is the essence of an electronic signature? As in the “offline world”, when a person agrees, he signs it. Only paper and signature do not physically exist.



Why do I need a signature? Briefly - for document authentication (confirmation). That is, to make sure that the signatory agreed with the provisions of this particular version of the document.



Why an electronic signature in CRM systems and intranet portals?



There are 2 scenarios for using a digital signature in CRM:



  1. For internal communication and trust at the push of a button. Often in the interface of CRM systems and intranet portals, internal documents, as well as discounts, contracts and dealer agreements are coordinated.
  2. To send formal responses to clients and government agencies.


Different scenarios, different requirements. In the first case, they sign:



  • Vacation application
  • Applications for payments of various kinds
  • Other inquiries (for appliances, furniture, etc.)
  • Contracts, agreements, invoices for payment.


The second case is more serious - you cannot do without a qualified electronic signature.



Technique: What is EDS and its types



image



There are three types of electronic signatures:



  1. Simple electronic digital signature (PEP)
  2. Enhanced Unqualified Digital Signature (NEP)
  3. Enhanced Qualified Digital Signature (CEP)


Unlike a simple signature, an enhanced signature protects its author from document modification after the signature is generated.



To form any digital signature on a document, you need three things:



  1. The document itself
  2. Public key
  3. The secret key


Simple digital signature



Briefly about the work of the probe:



  1. The system takes document metadata (document date, document number, title, signer's password, etc.) and hashes it. The digital signature is ready. The password is stored and generated by your system.
  2. Send the file
  3. We get
  4. Using the password, we decrypt the signature. We compare the received metadata and login. If everything is correct - success.


An excellent example is the use of a login and password to enter your social network, for example, Vkontakte. To confirm your identity (sign a document), you need to enter your username and password (hash metadata).



image



The system checks for the presence of a user. If there is one in the system, then password verification begins. If the password that you entered matches the one in the system - congratulations, you have entered your VK page (compared the metadata after decryption).



Of the shortcomings - the same disease. If your password was somehow stolen, then they can go to the page and do whatever their heart desires on it. Change personal information, photo, etc. The same is with the document.



Enhanced digital signature



An enhanced digital signature protects against document modification. That is, if, after signing, changes are made to the document, then the enhanced signature automatically becomes invalid.



image



To generate signatures, certificates are used (like SSL, based on the same technology). And the certificate has a limited validity period.



An enhanced signature can be unqualified and qualified. The difference is who issued the certificate. If the certificate is issued by a certification center accredited by the Ministry of Telecom and Mass Communications, which has an additional FSB certificate, then such a signature is called qualified.



If a self-signed certificate is used or issued by a non-accredited CA (Certification Center), then such a signature is unqualified.



How enhanced signature works



Consider an example of a simple signature algorithm. The result of this algorithm does not depend on the text of the document. If you feed this text to the input of a hash function, you get something that looks like a strengthened signature. That is, as a result of changing the text of the document, the old signature “will not fit” the new version of the document.



In reality, an enhanced signature is a hash of a document, encrypted with the secret key of the certificate.



All participants in the workflow have the public key. It is used to verify the authenticity of the signature. Private - stored by the user and used to generate a signature.



What an enhanced signature looks like



Technically, a signature is a separate file (remember, in the case of a simple signature, it was a string?). That is, in order to transfer the signed document to the other party, you need to transfer the source and the signature file. However, some document formats allow digital signatures to be embedded.



image



For example, PDF and almost all Microsoft Office formats support this. And the software packages themselves have the function of creating and verifying such signatures. Thus, for technically unskilled users, the signing process looks like clicking a few buttons in Word, Excel or Adobe Reader.



Unqualified digital signature (NEP)



Such a signature has legal force (from the point of view of the court) if the parties have entered into an appropriate agreement. Such an agreement cannot be concluded with the state. structures.



Users receive a certificate with a public and private key in the form and in a way that the parties trust. For example, in the form of a file sent by email.



Any software that the parties trust can be used to create a signature. Whether OpenSSL utilities, CryptoARM, or built-in Microsoft Office or Adobe Reader.



Qualified Digital Signature (CEP)



Such a signature has legal force and is recognized by the state. For example, you can send documents to the tax office. There is no need to conclude any additional agreements with the participants in the workflow - everyone trusts such signatures "by default".



image



The secret key for such a signature is transferred to the user on a protected medium certified by the FSB - a USB token ("flash drive"), a smart card, etc.



Special software is used to work with the medium. Most often, this software integrates with the OS so that Microsoft Office, Adobe Reader and other software packages can use the media when creating signatures.



That is, the process of signing documents is almost not complicated for users (you just need to remember to connect a USB flash drive).



Using such a signature, you can interact with government systems, participate in auctions, work with customers and partners.



Approval of internal documents



Vacation applications, memos, reports, business trips, etc. - There are enough paper documents in companies. Usually, the procedure for issuing such a document resembles a quest. It is necessary to find a form, fill it out, personally hand it over to the approver, etc.



image



If you are all in the same office, then this is a matter of half an hour. And if the production is in one place, and the HR department in another? Everything drags on for several days. The way out is the introduction of document management systems. We even have a separate document management module.



One drawback is that employees sometimes do not take "electronic documents" seriously enough. The introduction of an electronic signature can fix this. An unqualified electronic signature is just a good fit.



According to the use case, two possibilities can be distinguished:



  1. Sign the document by uploading it in a special form on a separate CRM page
  2. Automatic document approval as it goes through a business process


External document flow



For external document flow, you need to use a qualified electronic signature. Then the documents will have full legal force. You will be able to exchange them with clients, partners and government agencies.



From the point of view of interfaces, everything looks like an internal workflow - a separate form for approval or automatic confirmation as part of a business process.



An important point - you need to pay more attention to security. Since we are talking about documents that have full legal force. Security is ensured by access restrictions, logging and separate notifications.



A simple example of using a signature in CRM is to sign an agreement in a deal. Once signed, you can send it to the client. There is no need to send documents by mail, wait several days, or even weeks (if the client is in another city), and then wait the same amount of time for a return. The document is approved by an electronic signature and is considered legally significant.



The main technical question remains - how to include the digital signature in the logic of the CRM or internal portal?



Solution architecture



There are several ways to work with EDS. Let's take a look at them.



One key - many stations



Suppose you need to sign a document and send it to the server. The server must check the document and send a response in the form of the same signed document.



image



Both there and there must be verification of the authenticity of the signature. Suppose you have only one signature key, but there are many employees and everyone needs to sign and send something. And all this should happen directly in the CRM.



How it works:



  1. We make a separate server for EDS with a connected key for EDS, which will receive XML requests
  2. , N . (TOTP). QR-, , . , USB-.
  3. , .
  4. , , XML- PDF- .
  5. PDF- CRM.


In this case, we have the opportunity to work from home (if we have a smartphone, which even grandmothers now have). We do not need to issue our own EDS for each employee, one is enough.



This solution assumes that you fully trust the employees who have gained access to the interface. Even beginners can start signing documents without any approvals.



This is a bad decision if signing the document has legal consequences. This can only be done when integrating with the Credit History Bureau or other services that provide answers to requests signed by an EDS.



Number of keys = number of stations



Suppose we have each employee who has the right to sign documents has a key for an EDS.



How it works:



  1. We are developing an application for workstations that will work with a crypto provider (the most popular is cryptoPRO)
  2. An employee forms and signs a request at his workstation
  3. The request is sent to the server.
  4. The received response is converted to a PDF file or any other
  5. The PDF is uploaded to CRM


In this case, we have increased security, because only trusted employees can sign documents, and we know who exactly signed a specific request.



image



Application example in a real project for CEDIS (Power System of Montenegro)



Business challenge: employees must sign documents and send them to customers.



image



What resources?

One server, one EDS key, CRM.



What should be done?

Add a PDF document to a transaction, sign it directly from the transaction card using an EDS. The signed document can be downloaded and sent to the client.



How it was implemented

A special application was developed, which was placed on a separate server and was engaged in signing documents.



An additional field was created in the system, into which the PDF document was loaded. When the document was loaded, the “Sign” button appeared opposite it. Pressing the button opened the application interface.



image



In order to sign a document, the user had to enter a one-time code that came to him on his smartphone and select the certificate with which the document is signed.



image



The document is sent to the server. A one-time password has been entered and a certificate has been selected. The document was signed and sent back. At this moment, the document loaded into the deal is replaced with a signed document on the server.



image



conclusions



The introduction of document signatures in CRM systems (and indeed anywhere) is an interesting technical task at the intersection of development, information security and process optimization.



This task can be solved by the method described by us. An interesting opinion about other solutions to this problem.



All Articles