Redefining Digital Web Signature Secrecy: A Client-Side Model for Enhanced Security and Compliance

Wellington Fernandes Silvano; Lucas Mayr; Enzo Brum; Gabriel Cabral; Frederico Schardong; Ricardo Custódio

doi:10.5753/jbcs.2026.5556

Authors

Wellington Fernandes Silvano Federal University of Santa Catarina https://orcid.org/0000-0002-7424-9007
Lucas Mayr Federal University of Santa Catarina https://orcid.org/0009-0006-8066-8917
Enzo Brum Federal University of Santa Catarina https://orcid.org/0009-0002-5989-1883
Gabriel Cabral Federal University of Santa Catarina https://orcid.org/0009-0007-8004-6461
Frederico Schardong Federal Institute of Rio Grande do Sul https://orcid.org/0000-0003-4492-163X
Ricardo Custódio Federal University of Santa Catarina https://orcid.org/0000-0001-9611-5694

DOI:

https://doi.org/10.5753/jbcs.2026.5556

Keywords:

Digital signature, secrecy, Web signature, client-side signature

Abstract

Web-based digital signature platforms prioritize convenience but often compromise secrecy, exposing sensitive documents and private keys to third-party systems. This paper introduces a client-side cryptographic model that eliminates such vulnerabilities by performing all cryptographic operations within the user's browser. Leveraging One-Time Certificates and adhering to Claude Shannon's secrecy principles, the model ensures that documents and keys remain secure by never leaving the client environment. The proposed approach addresses critical risks, including document exposure, metadata leakage, and key compromise, while maintaining compatibility with public key infrastructure standards and legacy systems. Performance evaluations show efficient signing and verification processes, with documents up to 5 MB signed in approximately 1 second and verified in 0.15 seconds. By removing reliance on external servers for sensitive operations, the model mitigates platform vulnerabilities, reduces liability, and ensures compliance with regulations like GDPR and LGPD. Key contributions include enhanced secrecy, simplified key management, and scalable real-world use-case performance. This work redefines digital signature security, offering a robust, privacy-preserving alternative for secrecy document signature and verification workflows.

Downloads

Download data is not yet available.

References

Aciobăniei, I., Arseni, S.-C., Bureacă, E., and Togan, M. (2024). A comprehensive and privacy-aware approach for remote qualified electronic signatures. Electronics, 13(4). DOI: 10.3390/electronics13040757.

Adobe Inc. (2024). Adobe acrobat. Available at:[link]. Accessed: 2024-08-19.

Ascertia (2018). Signinghub: Architecture and Deployment Guide. Available at:[link]. Accessed: 2024-06-08.

Barker, E. and Barker, W. (2018). Recommendation for key management. Part 2: Best Practices for Key Management Organization. Avaialble at:[link].

Bit4id (2021). Signcloud. Remote digital signature and key management. Available at:[link]. Accessed: 2024-06-08.

Boeyen, S., Santesson, S., Polk, T., Housley, R., Farrell, S., and Cooper, D. (2008). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. (5280):151. DOI: 10.17487/RFC5280.

Boneh, D. and Franklin, M. (2001). Identity-based encryption from the weil pairing. In Annual international cryptology conference, pages 213-229. Springer. DOI: 10.1007/3-540-44647-8_13.

Brasil (2018). Lei Geral de Proteção de Dados Pessoais (General Data Protection Law. Lei n° 13.709, de 14 de agosto de 2018. Available at:[link].

Brazil (1996). Lei de Propriedade Industrial (Industrial Property Law). Lei n 9.279, de 14 de maio de 1996. Available at:[link].

Brazil (2011). Lei de Acesso à Informação (Freedom of Information Law). Lei n 12,527, de 18 de novembro de 2011. Available at:[link].

Brazil, Economy Ministry (2021). Portaria SEDGG/ME n 2.154, de 23 de fevereiro de 2021. Available at:[link]. Institui normas de gestão de integridade, riscos e controles internos no âmbito da Administração Pública Federal direta, autárquica e fundacional.

CFM (2010). Código de Ética Médica. Resolução CFM n 1.931/2009. Available at:[link].

Choi, S.-H., Yun, J., and Park, K.-W. (2017). Doc-trace: Tracing secret documents in cloud computing via steganographic marking. IEICE TRANSACTIONS on Information and Systems, 100(10):2373-2376. DOI: 10.1587/transinf.2016INL0002.

Colomb, Y., White, P., Islam, R., and Alsadoon, A. (2022). Applying zero trust architecture and probability-based authentication to preserve security and privacy of data in the cloud. In Emerging trends in cybersecurity applications, pages 137-169. Springer. DOI: 10.1007/978-3-031-09640-2_7.

Cryptomathic (2023). Signer. Freedom to digitally sign documents remotely. Available at:[link]. Accessed: 2024-06-11.

Digital Bazaar, I. (2010). Node-forge: A native implementation of TLS in JavaScript and Tools to Write Crypto-Based and Network-Heavy web apps. Available at:[link]. JavaScript library for cryptographic and network tools.

DigitalSign (2023). Signingdesk solution. Available at:[link]. Accessed: 2024-06-08.

Eich, B. (1995). Javascript. Available at:[link]. Programming language for web development.

ETSI (2024). Electronic Signatures and Infrastructures (ESI): PAdES digital signatures; part 1: Building blocks and PAdES baseline signatures. Available at:[link]. Accessed: 2024-08-16.

European Union (2014). Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. Available at:[link].

European Union (2018). General data protection regulation, regulation (eu) 2016/679. Available at:[link].

Foundation, E. (2024). Ethereum. Available at:[link]. Accessed: 2024-08-16.

GlobalSign and Ventures, P. (2014). Pkijs: A public key infrastructure library for javascript. Available at:[link]. JavaScript library for working with X.509 certificates and cryptographic standards.

Goldreich, O. (2001). Foundations of cryptography: volume 2, basic applications, volume 2. Cambridge university press. DOI: 10.1017/CBO9780511546891.

Hansen, T. and Eastlake 3rd, D. E. (2011). US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF). (6234). DOI: 10.17487/RFC6234.

Housley, R. (2009). Cryptographic message syntax (cms). (5652). DOI: 10.17487/rfc5652.

International Organization for Standardization (2008). Iso 32000: Portable document format (pdf). Available at:[link]. International Standardization Organization.

ISO (2020). ISO 32000-2: Portable document format (PDF) — part 2. Available at:[link]. International Standardization Organization.

Jacomme, C. and Kremer, S. (2021). An extensive formal analysis of multi-factor authentication protocols. ACM Transactions on Privacy and Security (TOPS), 24(2):1-34. DOI: 10.1145/3440712.

Jonsson, J. and Kaliski, B. (2016). PKCS #1: RSA Cryptography Specifications Version 2.2. RFC 8017. DOI: 10.17487/RFC8017.

Luan, H., Wang, C., Zhou, Z., and Yang, Z. (2015). Cross-access method for team confidential document based on offline key management. International Journal of Security and Its Applications, 9(1):97-108. DOI: 10.14257/ijsia.2015.9.1.11.

Mayr, L., Palma, L., Zambonin, G., Silvano, W., and Custódio, R. (2023). Monitoring key pair usage through distributed ledgers and one-time signatures. Information, 14(10):523. DOI: 10.3390/info14100523.

Mayr, L., Zambonin, G., Schardong, F., and Custódio, R. (2024). One-time certificates for reliable and secure document signing. arXiv preprint. DOI: 10.48550/arXiv.2208.03951.

Moriarty, K., Nystrom, M., Parkinson, S., Rusch, A., and Scott, M. (2014). PKCS #12: Personal information exchange syntax v1.1. PKCS Standard 12, RSA Laboratories. Available at:[link].

NextSense (2023). Signing suite. Available at:[link]. Accessed: 2024-06-08.

NIST (2020). Zero trust architecture. Technical Report SP 800-207, NIST. Available at:[link].

Nystrom, M. and Kaliski, B. (2000). PKCS #10: Certification request syntax specification version 1.7. PKCS Standard 10, RSA Laboratories. Available at:[link].

OAB (2015). Código de Ética e disciplina da OAB, provimento no. 117/2000. Available at:[link].

Perottoni, E. D., Costa, B. P., Müller, F. L., dos Santos Camargo, V., Schardong, F., Silvano, W., Mayr, L., Custódio, R. F., Rocha, L., Lyra, C., et al. (2023). Menos certificação digital e mais identidade eletrônica: Icpedu e cafe em um assinador digital inclusivo. In Anais Estendidos do XXIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pages 93-96. SBC. DOI: 10.5753/sbseg_estendido.2023.235947.

Poppler Utils (2024). pdfsig: Verify digital signatures in PDF documents. Available at:[link]. Accessed: 2024-08-19.

Prabakaran, D. and Ramachandran, S. (2022). Multi-factor authentication for secured financial transactions in cloud environment. CMC-Computers, Materials & Continua, 70(1):1781-1798. DOI: 10.32604/cmc.2022.019591.

Remdra (2023). Sign-pdf-lib. Available at:[link]. Accessed: 2024-11-11.

Shannon, C. E. (1949). Communication theory of secrecy systems. The Bell System Technical Journal, 28(4):656-715. DOI: 10.1002/j.1538-7305.1949.tb00928.x.

Shatnawi, A., Munson, E. V., and Thao, C. (2017). Maintaining integrity and non-repudiation in secure offline documents. In Proceedings of the 2017 ACM Symposium on Document Engineering, pages 59-62. DOI: 10.1145/3103010.3121038.

Stafford, V. (2020). Zero trust architecture. NIST special publication, 800:207. DOI: 10.6028/NIST.SP.800-207.

UFSC (2019). Portaria normativa nº 276/2019/gr, de 18 de setembro de 2019. Available at:[link].

United Kingdom (1989). Official Secrets Act 1989. Available at:[link].

United Kingdom (2000). Freedom of Information Act 2000. Available at:[link].

United States (1917). Espionage Act of 1917. Available at:[link].

Ventures, P. (2013). Asn1js: A pure javascript library for parsing and serializing asn.1 data. Available at:[link].

W3C (2017). Web cryptography api. Available at:[link]. Accessed: 2024-11-11.