Electronic Signatures: Using Digital Signatures
Electronic signatures are about enabling trust in the exchange of information and transactions electronically. The electronic signature process involves authentication of the signer’s identity, a signature process according to system design and software instructions, binding of the signature to the document and non-alterability after the signature has been affixed to the document. The generation of electronic signatures requires the successful identification and authentication of the signer at the time of the signature. Verifying a signature on a document guarantees the integrity of the document and verifies the identity of the signer.
Implementation features of electronic signatures include core (basic) and optional capabilities, such as:
- Message integrity
- User authentication
- Ability to add attributes
- Continuity of signature capability
- Independent verifiability
- Multiple signatures
- Transportability of data
Core Implementation Features
If an entity uses electronic signatures, the signature method must ensure all of the following features:
- Message Integrity: The assurance of unaltered transmission and receipt of a message from the sender to the intended recipient. An example would be the use of a digital certificate to encrypt and sign messages.
- Non-Repudiation: Strong and substantial evidence of the identity of the signer of a message, and of message integrity, sufficient to prevent a parity from successfully denying the origin, submission or delivery of the message and the integrity of its contents. An example would be a certificate to encrypt and sign e-mail messages.
- User Authentication: The provision of assurance of the claimed identity of an entity. An example would be the use of a certificate for authentication.
Optional Implementation Features
If an entity uses electronic signatures, the entity may also use, among others, any of the following features:
- Ability to Add Attributes: One possible capability of a digital signature technology; for example, the ability to add a time stamp as part of a digital signature.
- Continuity of Signature Capability: The concept that the public verification of a signature must not compromise the ability of the signer to apply additional secure signatures at a later date. For example, RSA Security’s eSign product provides such capability.
- Countersignatures: The capability to prove the order of application of signatures. This is analogous to the normal business practice of countersignatures, where a party signs a document already signed by another party.
- Independent Verifiability: The capability to verify the signature without the cooperation of the signer. A certificate authority (CA) may be used for this purpose.
- Interoperability: The applications used on either side of a communication, between trading partners and/or between internal components of an entity, are able to read and correctly interpret the information communicated from one to the other. For example, an organization may standardize on the X.509v3, PKCS and PKIX specifications.
- Multiple Signatures: With this feature, multiple parties are able to sign a document. Conceptually, multiple signatures are simply appended to the document.
- Transportability of Data: The ability of a signed document to be transported over an insecure network to another system, while maintaining the integrity of the document, including content, signatures, signature attributes and (if present) document attributes.
The standard for electronic signature is a digital signature. So what is a digital signature? A digital signature is an electronic signature based on cryptographic methods of originator authentication, computed by using a set of rules and parameters so that the identity of the signer and the integrity of the data can be verified.
This process yields a unique bit string, referred to as a message digest. The digest (only) is encrypted using the originator’s private key, and the resulting bit stream is appended to the electronic document. The recipient of the transmitted document decrypts the message digest with the originator’s public key, applies the same message hash function to the document and then compares the resulting digest with the transmitted version. If they are identical, then the recipient is assured that the message is unaltered and the identity of the signer is proven. Since only the signatory authority can hold the private key used to digitally sign the document, the critical feature of non-repudiation is enforced.
Pretty Good Privacy (PGP) enables each user to issue and manage his own digital certificates. In a PGP-based public key infrastructure (PKI), there is no CA. PGP cryptographic methods and keys compare well with those used in X.509-based PKI solutions. In a PGP solution, each user signs his own digital certificate. The issuer and subject fields are identical. Thus, all PGP certificates are initially self-signed.
PGP supports RSA, DSS and Diffie-Hellman for public-key encryption. For conventional encryption, PGP supports International Data Encryption Algorithm (IDEA) and Triple Data Encryption Standard (3DES). The hash-coding algorithm supported is Secure Hash Algorithm -1 (SHA-1).
PGP uses a distributed trust model. PGP is generally implemented in a self-contained software package that supports encryption and the capability to sign e-mail messages. It includes the software to create key pairs. PGP is available for free from www.mit.edu and other sites on the Internet. It is available commercially from PGP Corp. (www.pgp.com). The services supported by PGP are digital signature, message encryption and compression.
The Secure Multipart Internet Message Extensions (S/MIME) protocol uses public keys that comply with the X.509 standard. S/MIME is a specification for securing e-mail. It supports both encryption and signing. S/MIME supports digest and hashing algorithms MD5 and SHA-1. It also supports digital signature algorithms (DSA) and RSA. The key encryptions algorithms supported include Diffie-Hellman and RSA, while data encryption algorithms include RC2/40-bit-key, RC2/128-bit key and 3DES. S/MIME is integrated in Microsoft’s Outlook and Outlook Express as well as Netscape’s Messenger software.
PKI is a way for an organization to provide support for digital signatures and digital certificates. PKI is fast emerging as a core component for an infrastructure. PKI delivers an infrastructure that enables trusted communication.
A PKI is about trust. It is about building trust on your enterprise network infrastructure. PKI is a trust framework that organizations must build into their network systems (Internet, intranet and extranet) and security policies. Why is PKI important? Because PKI can make Internet transactions as secure as face-to-face transactions. A PKI deals with the reality that the inside and the outside of the enterprise are becoming one.
PKI is the next layer of security technology. It is the next “infrastructure” challenge for organizations. PKI establishes trusted communication between all entities on the Internet. Not only does a PKI provide support for digital signatures but also other applications such as secure virtual private networks (VPNs), secure e-mail, Web applications, ERP applications, reduced sign-on and remote access.
Today, off-the-shelf software programs such as Web browsers provide support for digital signatures. Web browsers have the ability to