The Kingdom of Cambodia has adopted the usage of “Digital Signature” as a standard element for doing business in the country. A sub-decree was officially promulgated by the Royal Government of Cambodia (RGC) to grant digital signature as a means to enforce the authenticity of documents concerning financial transactions and other operations carried out on the Internet.

 

Like a handwritten signature, a digital signature is unique to each person. It is usually created by a recognized authority, known as Certificate Authority (CA), for all people applying for digital signature. The process to create a digital signature follows a specific protocol called Public Key Infrastructure (PKI) by which the CA secretly chooses a mathematical algorithm to generate a pair of two long numbers called keys. One key that a digital signature owner can share with other people in different banking transactions and/or other

operations is known as “Public Key,” another key is “Private Key” that the user must secretly keep in a safe place.

 

“Digital Cambodia Statistics has reported that there are 18.2 million mobile subscribers by Apr 2018, and urban coverage is 100%. The mobile penetration rate is expected to reach 125%,” said Mr. Heng Mara, Deputy Director of ICT Security Dept at the Ministry of Posts and Telecommunication. With so many mobile users, developing a digital signature infrastructure is a priority.

 

The PKI technology is promoted by some countries as “tried and true,” while other countries such as Singapore have opted for a “token-based” system, but the concept is the same for providing a secure form identification. “It is a good decision by many Cambodian banks to use a token system,” said Mr. Tony Chew, Chief Strategy Officer of V-Key. “A lot of countries are abandoning PKI systems.”

 

Besides mathematical algorithms, CA could also set the roles, policies, and procedures needed to create, manage, and distribute digital signatures.

 

The actual creation of a digital signature can be done only by computer, because it is a complex mathematical process beyond the scope of human ability. After legally obtaining a digital signature from a recognized CA, it can be downloaded and installed on devices to be able to use the “Sign” and “Encrypt”

buttons on existing software to encrypt and digitally sign our documents sent online.

 

“The Certification Authority provides a level of assurance that the public key contained in the certificate does indeed

belong to the entity named in the certificate,” said Mr. Shin Jinhwan, KISA Consultant.

 

When a person electronically signs and encrypts a document, his/her private key is used to mathematically translate the document into a kind of data called hash that is later encrypted to create a copy of his/her digital signature to be attached to the original document. As the result, the digital signature comprises the encrypted original document.

 

When the document with the digital signature is sent and arrives to a recipient, the document and the digital signature are decrypted by the recipient’s software using the public key from the sender. The process of decrypting is to translate the sender’s digital signature into a hash data and to mathematically translate the sent document itself into another hash data. If the two hashes are identical, then the sent document is genuine.

 

“The typical workflow is to create a document, add a digital signature then deliver through email. This saves money for shipping and logistics,” said Mr. Heng Mara, Deputy Director of ICT Security Dept at the Ministry of Posts and Telecommunication.

 

For example, Ms. Thida signs an agreement online to sell a plot of land using her private key. The agreement is translated to hash data and encrypted to create Thida’s digital signature. The agreement is sent to Mr. Vuth, the buyer of the plot of land. Ms. Thida’s public key is sent with the document, and Mr. Vuth tries to decrypt Ms. Thida’s digital signature. If Mr. Vuth could decrypt it, the document is authentic; otherwise, it was altered.

 

As a result, digital signature could help to ensure that the signer is the person he or she claims to be. This helps to prevent other people from pretending to be the signer of a particular document. The digital signature can be used against all kinds of forged documents online.

 

“It has the same legal impact as a handwritten signature,” said Mr. Ko Young Joo, Dir, Global Business Development, KICA (Korea Information Certificate Authority). Mr. Mara added, “The National ID Card is used for identification in the real world, but Accredited Certificate is used in cyberspace. The image of a signature for authentication is reusable, but Digital Signature is impossible to reuse, because it is made with encryption.”

 

According to the Sub-decree 246, issued by the Cambodian government,

it is the Ministry of Posts and Telecommunication which has the duty to approve all digital signatures created by different institutions in the kingdom. The use of a digital signature without the approval from the ministry is against the law. For this offence, individuals can be fined in the range of $1,250 to $3,750, while companies can be fined up to $37,500.

 

Mr. Ou Phannarith, director of the Department of ICT Security at the Ministry of Posts and Telecommunications, said that his ministry is working on educating people and companies about the necessity of the use of digital signature to sign documents online.

 

Mr. Phannarith also said that the right to be CA would be given to private institutions that need to have the

appropriate qualifications and assets such as investment capital, technology infrastructure and human resources, etc.