ICP-Brasil: how the Brazilian Public Key Infrastructure works

When it comes to ICP-Brasil, it is important to remember that, over the last few decades, we have realized that the constant processes of digital transformation have revolutionized our lives on several different levels, especially with regard to our forms of communication.

Following this growing wave, we can see that a significant part of information and formal processes also take place today in the digital realm.

If before we lived at the mercy of a lot of papers, nowadays things have changed – it is now fully possible to guarantee the legitimacy of data on individuals and legal entities through certificates and digital signatures provided by modern electronic systems. 

In order to safeguard the security of the most diverse labor, tax, accounting and legal proceedings that take place in a virtual space, the Brazilian Public Key Infrastructure, also known as ICP-Brasil, was created. 

Throughout this article, we will break down the subject and clarify everything you need to know about this important public body. Shall we?

    What is ICP-Brasil?

    ICP-Brasil (Brazilian Public Key Infrastructure) is a service made available free of charge by ITI and created in 2001 through the Provisional Measure 2.200-2 to enable the issuance of digital certificates.

    Made official by Decree 3.996 of 2001 and by Law 11.419 of 2006, and composed of a wide variety of bodies and resources, ICP-Brasil is the Brazilian national digital certification system; that is, it is the Brazilian public body responsible for the management of public key infrastructure.

    Thus, its main purpose is to enable the validation of documents and digital contracts, assuring the user that they offer the same excellence and reliability that we observe in physical documents. 

    This process takes place through the systematic practice of certain specific procedures and also through a special set of applied technologies.

    How does ICP-Brasil work?

    Now let's see how ICP-Brasil is actually operated.

    ICP-Brasil Hierarchy

    Hierarchically speaking, the Brazilian Public Key Infrastructure is composed of the following levels:

    • Management Committee (GC);
    • Root Certification Authority (AC-Raiz);
    • 1st and 2nd level Certifying Authorities (CAs);
    • Registration Authorities (ARs);
    • End user.

    Next, we will talk in more detail about each of them.

    Root Certification Authority

    Directly linked to the Civil House of the Presidency of the Republic is the National Institute of Information Technology (ITI). 

    As the highest authority of ICP-Brasil, the ITI not only fulfills the role of Root Certification Authority (or AC-Raiz), but is also responsible for carrying out the accreditation and de-accreditation of the other participants in the chain, in addition to the supervision and auditing of their processes.

    When the Certificate Policies are approved by the Management Committee of ICP-Brasil, it is up to the Root Certifying Authority to implement these technical and operational standards. 

    Certification Authorities (CA)

    Certification Authorities are entities, both public and private, with direct responsibility for issuing, distributing, renewing and revoking certificates. 

    In addition to this management work, they are also responsible for applying so-called asymmetric cryptography: when a certificate is generated, the applicant receives a pair of keys, the public key, which must be shared, and the private key, which must be kept secure. 

    Asymmetric cryptography is nothing more than the method that checks whether one key matches the other, ensuring the security and reliability necessary for the digital certification process.

    Registration Authority (AR)

    Directly linked to the Certifying Authorities, the Registration Authority is the body whose main function is to create and run the interface between users, the CAs and the Time Certifying Authority (a CA specifically responsible for the temporal aspect and for the legal validation procedure).

    What exactly is a digital certificate?

    By definition, a digital certificate is nothing more than the virtual identity document of an individual or legal entity, which allows transactions to be validated through the digital signature and which associates a cryptographic key pair with a particular entity, person, process, or server. 

    As stated earlier, the digital certificate is created and signed by a government entity called the Certifying Authority, through an effective process of verifying the applicant's personal data.

    The fact is that digital certification is not only a very valuable tool, but also an indispensable tool to guarantee a satisfactory level of security in the transit of information over the Internet. 

    Through cryptographic resources, the digital certification process allows messages and important content to be encoded in a way that makes them incomprehensible, unless the person in possession of them has the correct key to transform them back into readable text. 

    These digital security procedures prevent hackers from interfering with communications carried out virtually, so that important and confidential data can only be read by authorized persons.

    Another advantage of digital certification is that it makes the origins of messages and documents easy to identify, as the identity of the sender is always accessible.

    In addition, digital certificates can also be used instead of username and password, which can be very useful to avoid problems and setbacks generated by carelessness with the use and storage of passwords by more incautious users.

    Finally, it is also thanks to digital certification that documents digitally signed now have total legal validity, counting as much as if they had been signed on paper.

    Different types of digital certificate

    Now we move on to the types of digital certificate that exist.

    Type A Certificate: Digital Signature

    Digital signature is the certificate that, by definition, attests to the authorship and authenticity of a virtual document, conferring integrity, reliability and security to it. 

    Widely used in document signatures, this type of certificate is especially suitable for self-employed professionals, as well as for companies and public bodies where there is a large circulation of files, and the demand for more agile and optimized solutions is evident.

    Within this context, there are three different variations under which we can classify electronic signatures:

    • A1: with a maximum validity of one year, these certificates are generated by software and are stored on the computer;
    • A3: with a maximum validity of three years, these signatures are stored in cryptographic hardware, such as a token, for example;
    • A4: Using a special security module that asks for an additional identification document, this is the most secure among the existing digital signature types.

    It is worth remembering that, despite the constant confusion generated by the similarity between the names, digital signature and digitized signature are not the same thing. 

    There is, between the two, a subtle but important difference: while the digitized signature is nothing more than a handwritten signature transferred to the virtual environment, a digital signature is carried out directly in the electronic environment. 

    The first, as it can be easily copied or changed, cannot guarantee total integrity to a virtual document. The second, as it has ICP-Brasil certificates in its issuance, has the same legal validity as handwritten documents.

    Type T certificate: Time (Time stamping)

    A time certificate, as the name suggests, basically serves to certify the day and time when an electronic document was signed.

    Type S certificate: Secrecy or Confidentiality

    This is the type of certificate that guarantees that the content of a given document is kept in complete secrecy and absolute security, using data encryption technology and making the information inaccessible to hackers and unauthorized personnel.

    What are ICP-Brasil's security levels?

    ICP-Brasil levels are designed to ensure the legal validity of documents, prevent fraud and protect information. Let's explore each of these levels in detail.

    Security type A, S or T 1

    The basic level of security offered by ICP-Brasil is type 1. This level, although it presents a high standard of security, is considered the most accessible among those available. The main characteristic that defines this level is the key generation method, carried out using software installed on the user's computer.

    This software is protected by a user and password authentication system. Due to their more accessible nature and potentially greater security risk, type 1 certificates have a shorter validity.

    Security type A, S or T 3

    Advancing to an intermediate level of security, we find type 3 certificates. The main distinction of this level in relation to the previous one is the method of storing cryptographic keys.

    In type 3, keys are generated and stored on dedicated cryptographic hardware. This hardware is specifically designed for this function, which restricts access to the keys to only authorized people.

    This additional layer of security makes Type 3 more secure compared to Type 1, making it a suitable choice for organizations and individuals who require a balance between accessibility and enhanced security.

    Security type A, S or T 4

    At the top of the security hierarchy is type 4, the most secure level offered by ICP-Brasil. Certificates of this type use a Cryptographic Security Module (HSM) to generate and store private keys.

    HSM is known for its robustness and security, and is often compared to a digital safe. This device is virtually tamper-proof and is designed to erase all information in the event of hacking attempts. The type 4 private key can only be copied to another HSM, ensuring maximum protection and reliability.

    This level is ideal for situations that require the highest security, such as critical financial transactions and protecting sensitive data.

    Each security level of ICP-Brasil certificates meets different needs and contexts, providing flexibility and security for users in the Brazilian digital environment.

    How to obtain your digital certificate by ICP-Brasil

    Obtaining a digital certificate consists of a four-step process, which you can check out below:

    1 – The first step to be taken to obtain your digital certificate is to choose, according to your need, one of the Certifying Authorities (ACs) of ICP-Brasil from among those listed on this link.

    2 – Once you have chosen the AC, you must go to its website and request the issuance of your digital certificate, whether you are an individual or a legal entity. During this stage, all information pertinent to the process must be provided to you by the Certification Authority itself.

    3 – After contacting the Certifying Authority, it is time to schedule a date and time to attend the Registration Authority – AR, with the required documents. In this step, you must validate the data filled in the request, registering by biometrics, in addition to collecting your face photo and fingerprints.

    4 – Once all documents and the applicant's identity have been duly verified, your certificate will be ready, duly validated and with the same authenticity as a physical file.

    It is worth remembering that each and every digital certificate has an expiration date – it is necessary to be aware and renew it periodically, updating the private key for new versions. Any change in user data also requires the document to be renewed.

    Now that you better understand what ICP-Brasil is, its importance and how it works, how about getting to know ZapSign's digital signature tool to facilitate your processes? Just click here to learn about it!
