ApproveIt holds key to signer security

ApproveIt holds key to signer security

ApproveIt's digital signatures

By John Breeden II

GCN Staff

Most users think of a digital signature as an electronic image of handwriting, but Silanis Technology Inc.'s ApproveIt goes far beyond that.

An ApproveIt signature is merely the visual representation of a hidden public-key infrastructure designed to prevent document tampering.

Silanis markets ApproveIt for Microsoft Office as a fast way to route Word and Excel documents through the approval chain. How it works is complicated, but once you know the basics it's fairly easy.

Sign in, please

Each user contributes a physical signature image to the program via scanner or computer pen. Users need to sign only once.

The program correlates each physical signature image with a large set of randomly generated numbers that contain both public and private keys.

The public key lets other users view the signature, whereas the signer alone uses the private key to embed the stored signature into documents. The signer is identified by both public and private keys.

Approvals of Word or Excel documents take only a few clicks as they move up the chain of command by e-mail. Embedded in each document is a block of information that shows exactly how the document appeared at signing.

Box Score''''
ApproveIt for Office

Public-key security utility

Silanis Technology Inc.; Dorval, Quebec; tel. 888-745-2647
Price: $149 per user for desktop version

+Secure document sending

+Any changes invalidate existing approval signatures

'Installation conflicts with antivirus software

'All users in chain must have software

Real-life requirements:

Microsoft Excel or Word; Windows 3.x, 9x or NT; 8M of RAM; 4M of free storage

If the document changes, even by a character, all the previous signatures are invalidated. No one can add a word or clause without forfeiting all the previous approvals.

I tried to steal a signature off an approved document and store it separately, reasoning that a dishonest employee might try that method to circumvent supervisory approvals. But I had only the signature's public key authorizing me to view it, not the private key, so the signature immediately became invalid.

Because the signature is simply a visual representation of complex code, ApproveIt technically could run without signatures as long as users assigned random words for the PKI to use.

Can't fool me

The system resists spoofing. You cannot duplicate someone's signature because the private key of the duplicated signature would not match that of the authorized user.

Also, all the information about the document is encrypted, so it is practically impossible to change.

In practice, I found ApproveIt very secure. I could not trick it into letting me change a document or user information without invalidating the signatures. Unless a hacker had lots of supercomputer time, breaking the encryption around the digital signature would be virtually impossible.

Antivirus hiccups

I did encounter some problems installing the software on desktop systems that had antivirus programs running. The company recommends disabling virus protection while ApproveIt is being installed.

ApproveIt is an all-or-nothing proposition. You must either adopt it for everyone in the chain of command or not at all. It cannot deliver its protection if even one user in the chain lacks the software'a disadvantage when occasional approvals are needed from people outside the office.

The package also comes in versions for FormFlow from JetForm Inc. of Natick, Mass., and for Adobe Portable Document Format.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.